The new docker tag and docker push calls were creating new manifests for
the images with mismatched digest values. Those new manifests were of
the application/vnd.docker.distribution.manifest.v2+json type, while
our AWS-specific image verification code was expecting
application/vnd.oci.image.manifest.v1+json and the sha256 digests in
the manifest for the newly tagged images, because of this change, would
no longer match.
The new docker tag and docker push calls were creating new manifests for the images with mismatched digest values. Those new manifests were of the
application/vnd.docker.distribution.manifest.v2+jsontype, while our AWS-specific image verification code was expectingapplication/vnd.oci.image.manifest.v1+jsonand the sha256 digests in the manifest for the newly tagged images, because of this change, would no longer match.So, we attempts to fix both problems by using
craneto exactly copy the docker image from one tag to another. See https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md for more information on crane.