Open itsibitzi opened 9 months ago
@hectorj2f @cpanato Any suggestions?
Initially it seems it cannot replace the label `chainguard-rust-chef` by the `cgr.dev/chainguard/rust` image. It wrongly attempts to fetch it from Docker Hub, where it doesn't exist. I need to check whether this is a bug 🔍.
Thanks for the responses so far!
Did you manage to see if it was a bug? In the meantime I can simply verify the signatures for each separate image independently, but that could become error-prone if a new layer is added without a corresponding check in our CI.
Question
Hello everyone, I've spent a while Googling and hunting after docs and other issues to no avail, so I thought I'd ask here. Apologies in advance if I've missed something.
I've got the following multistage Dockerfile for building a Rust project, using `cargo-chef` to cache dependencies. The details of this hopefully shouldn't matter, but here's the whole file anyway.

In my GitHub Actions I would like to verify the signatures of all of the stages before I build the `Dockerfile`, which `cosign dockerfile verify` looks to be the tool for. When I run the following command I get messages about

error during command execution: GET https://index.docker.io/v2/library/chainguard-rust-chef/manifests/latest

suggesting that `cosign` is trying to look up my multistage `FROM` in the Docker registry, which seems wrong since it shouldn't exist. You can see the warning at the bottom of this snippet.

Is there anything I can do to ignore the `chainguard-rust-chef` parts of the Dockerfile? The `--base-image-only` flag doesn't make any sense, since if a malicious actor managed to publish a new `cgr.dev/chainguard/rust` image then they could possibly use that to insert an exploit into my built binary.

This is the output of `cosign version`:

Thank you!
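The interim approach mentioned in the thread (verify each external image independently) has the risk the reporter names: a stage added later is silently unverified. The script below is an added example, not code from the cosign project or from anyone in this thread. It parses every `FROM` line of a Dockerfile, skips references to stage aliases declared with `AS` (which are not registry images, and are what `cosign dockerfile verify` was trying to fetch from Docker Hub), and runs a keyless `cosign verify` against each remaining external image. The sample Dockerfile is constructed to mirror the cargo-chef layout described in the question; the signer identity and issuer are placeholders to be taken from the image publisher's documentation. The parser is deliberately simple: it does not expand `ARG` values used in `FROM` lines or handle Dockerfile heredocs.

```shell
#!/bin/sh
# Added example (not cosign's own code): list the external base images of a
# multistage Dockerfile, ignoring FROM lines that name an earlier stage, then
# verify each external image with keyless `cosign verify`.
set -euf

# Constructed sample Dockerfile modelled on the cargo-chef layout in the
# question; image references and stage names are illustrative.
SAMPLE_DOCKERFILE='
FROM cgr.dev/chainguard/rust:latest AS chef
RUN cargo install cargo-chef
FROM chef AS planner
COPY . .
RUN cargo chef prepare --recipe-path recipe.json
FROM chef AS builder
COPY --from=planner /app/recipe.json recipe.json
RUN cargo chef cook --release --recipe-path recipe.json
FROM --platform=linux/amd64 cgr.dev/chainguard/static:latest
COPY --from=builder /app/target/release/app /app
'

# external_base_images DOCKERFILE_TEXT
# Prints one external image reference per line, deduplicated, in order of
# first appearance. A FROM whose image is a previously declared stage alias
# (declared as "AS name", case-insensitive) is skipped, so adding a new
# stage that builds on an already verified image needs no CI change, while
# a new external image is picked up automatically.
external_base_images() {
  text="$1"
  stages=" "   # space-delimited set of stage aliases seen so far
  seen=" "     # space-delimited set of images already printed
  while read -r line; do
    set -- $line                     # tokenise; read already trimmed whitespace
    [ $# -gt 0 ] || continue
    case "$1" in [Ff][Rr][Oo][Mm]) ;; *) continue ;; esac
    shift                            # drop the FROM keyword
    # Drop option tokens such as --platform=linux/amd64.
    while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done
    [ $# -gt 0 ] || continue
    image="$1"; shift
    stage=""
    if [ $# -ge 2 ]; then
      case "$1" in [Aa][Ss]) stage="$2" ;; esac
    fi
    [ -z "$stage" ] || stages="$stages$stage "
    case "$stages" in *" $image "*) continue ;; esac   # reference to a stage
    case "$seen" in *" $image "*) continue ;; esac     # already listed
    seen="$seen$image "
    printf '%s\n' "$image"
  done <<EOF
$text
EOF
}

# verify_images IDENTITY ISSUER IMAGE...
# Runs keyless `cosign verify` on each image and stops at the first one whose
# signature does not chain to the expected signer identity.
verify_images() {
  identity="$1"; issuer="$2"; shift 2
  for img in "$@"; do
    echo "verifying $img"
    cosign verify \
      --certificate-identity="$identity" \
      --certificate-oidc-issuer="$issuer" \
      "$img" > /dev/null
  done
}

# Placeholders (assumption): take the real values from the image publisher's
# documentation; the issuer below is the GitHub Actions OIDC issuer.
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-<publisher-signing-workflow-identity>}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"

if [ "${1:-}" = "--run" ]; then
  # In CI: ./verify-bases.sh --run Dockerfile
  images=$(external_base_images "$(cat "${2:-Dockerfile}")")
  verify_images "$EXPECTED_IDENTITY" "$EXPECTED_ISSUER" $images
else
  # Dry run on the constructed sample: shows which images would be verified.
  external_base_images "$SAMPLE_DOCKERFILE"
fi
```

Run with `--run Dockerfile` in the workflow step that precedes the build; without arguments it only lists the external images of the embedded sample. Because the list is derived from the Dockerfile itself on every run, a newly added `FROM` pulling a different external image fails the step until that image verifies against the expected identity.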