docker / buildx

Docker CLI plugin for extended build capabilities with BuildKit
Apache License 2.0

Content trust sign with buildx #313

Open sabretus opened 4 years ago

sabretus commented 4 years ago

Hello,

Is there any way to sign a multi architectural image built by buildx?

The build is running like this:

docker buildx build --platform linux/amd64,linux/arm64 -t ${IMAGE}:${VERSION} --push .

To sign the image I am doing a regular "docker push" or "docker trust sign" but it signs and pushes only a local arch image and then overrides the manifest list previously pushed with buildx.

Somehow the official hub.docker.com repo has signed multi-arch images, so how?

williamdes commented 3 years ago

Hi @tonistiigi, would you please give us your point of view on this issue?

williamdes commented 3 years ago

For anyone finding this issue, the solution to sign a manifest is to use the notary command line. See: https://github.com/sudo-bot/action-docker-sign#sign-multi-platform-manifests Ref: https://github.com/sudo-bot/action-docker-sign/commit/ee2b979529b2c856280252bcbf9d5aab0e3d2c65

So, you will need to use buildx to push tags like {platform}-latestOrWhatYouWant and then make a manifest and sign it.
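The check a signing step needs before handing a tag to the notary command line, as an added example that is not part of the thread or of action-docker-sign: it confirms the tag's manifest is a multi-platform list (not the single-arch manifest that a plain push leaves behind) and derives the byte size and SHA-256 that `notary addhash` takes. The sample manifests, the `docker.io/example/image` name and the function names are constructed for illustration.

```python
import hashlib
import json

# Media types that mark a multi-platform manifest list / OCI image index.
LIST_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}

def _entry(arch):
    # Constructed descriptor; the digest is a placeholder, not a real image.
    return {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "size": 1234, "digest": "sha256:" + "0" * 64,
            "platform": {"os": "linux", "architecture": arch}}

# Constructed sample bytes standing in for what the registry returns for the tag.
SAMPLE_LIST = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [_entry("amd64"), _entry("arm64")]}).encode()
SAMPLE_SINGLE = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "layers": []}).encode()

def trust_target(raw, expected_platforms):
    """Return (sha256 hex, byte size, platforms) of a manifest list, or raise."""
    doc = json.loads(raw)
    if doc.get("mediaType") not in LIST_TYPES:
        raise ValueError("tag resolves to a single-platform manifest")
    platforms = sorted("{os}/{architecture}".format(**m["platform"])
                       for m in doc["manifests"])
    missing = set(expected_platforms) - set(platforms)
    if missing:
        raise ValueError("manifest list lacks: " + ", ".join(sorted(missing)))
    # Hash the exact bytes: re-serialising the JSON would change the digest.
    return hashlib.sha256(raw).hexdigest(), len(raw), platforms

def addhash_argv(gun, tag, raw, expected_platforms):
    """Build the `notary addhash` argument list (server/trust-dir flags omitted)."""
    digest, size, _ = trust_target(raw, expected_platforms)
    return ["notary", "addhash", gun, tag, str(size), "--sha256", digest]

if __name__ == "__main__":
    want = {"linux/amd64", "linux/arm64"}
    print(" ".join(addhash_argv("docker.io/example/image", "1.0.0", SAMPLE_LIST, want)))
    try:
        addhash_argv("docker.io/example/image", "1.0.0", SAMPLE_SINGLE, want)
    except ValueError as err:
        print("refusing to sign:", err)
```
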

roman-vynar commented 3 years ago

Notary is such a user-unfriendly, abandoned and overcomplicated solution that, after using it since 2017 with both Docker Hub and a private registry, we decided to stop using it.

hardillb commented 1 year ago

Has anything moved forward with this?

Having a first-class way to build and sign multi-platform releases in a single command would be a REALLY great way to increase adoption of Docker Content Trust.

JC5 commented 1 year ago

Using the notary scripts is way too fragile and complicated for me to use. I would expect something like docker trust sign to work for multi-arch containers out of the box. The multi-arch experience is already mostly transparent for most of (my) users, most barely notice there are 5 variants of the same container.

I would really like to be able to sign all 5 as well.

leonheldattoradex commented 5 months ago

Hello, this was opened in 2020 and since then I can't find any information on it. Was this feature ever implemented?

williamdes commented 3 months ago

> Hello, this was opened in 2020 and since then I can't find any information on it. Was this feature ever implemented?

You will find more than you can ever need on https://github.com/sudo-bot/action-docker-sign