sudo-bot / action-docker-sign

Sign your Docker images with DCT
Mozilla Public License 2.0

how to sign multi arch images #2

Open arauchberger opened 1 week ago

arauchberger commented 1 week ago

Hi,

I build my image via gh-wf (on an amd64 gh-runner) with docker-maven-plugin for multiple architectures simultaneously, resulting in a multi-arch image being pushed to Docker Hub.

When I use the following setup, I get the amd64 image/manifest signed, but the arm64 image/manifest is somehow "lost" on Docker Hub.

- name: sign&push image
  uses: sudo-bot/action-docker-sign@latest
  with:
    image-ref: "docker.io/myorg/myimagename:1.8.0-SNAPSHOT"
    private-key-id: "${{ secrets.DOCKER_SIGN_PRIVATE_KEY_ID }}"
    private-key-name: "mykeyname"
    private-key: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY }}
    private-key-passphrase: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY_PASSPHRASE }}

When I use the following setup, it completes somehow successfully, but when pulling the image (arm64!!) and performing a docker trust inspect it tells me it's not signed.

- name: sign&push image manifest
  uses: sudo-bot/action-docker-sign@latest
  with:
    image-ref: "docker.io/myorg/myimagename:1.8.0-SNAPSHOT"
    sign-manifest: true
    notary-auth: "${{ secrets.DOCKER_HUB_USERNAME }}:${{ secrets.DOCKER_HUB_TOKEN }}"
    private-key-id: "${{ secrets.DOCKER_SIGN_PRIVATE_KEY_ID }}"
    private-key-name: "mykeyname"
    private-key: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY }}
    private-key-passphrase: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY_PASSPHRASE }}

This is the output from the second setup:

Run notary key list -d ~/.docker/trust/

ROLE      GUN    KEY ID                                                              LOCATION
----      ---    ------                                                              --------
                 ***                                            /home/runner/.docker/trust/private
signer           3ce76***    /home/runner/.docker/trust/private

Run jq --version > /dev/null || curl -sS https://webinstall.dev/jq | bash
Run set -eu;
Image-ref: docker.io/pineit/at.pineit.pitdata-fhir
Image-tag: 1.8.0-SNAPSHOT
Repo-name: myorg/myimagename
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1609  100  1609    0     0  18839      0 --:--:-- --:--:-- --:--:-- 18929
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1609  100  1609    0     0  17509      0 --:--:-- --:--:-- --:--:-- 17681
Manifest SHA-256: 8c88e34ec***
Manifest-inspect BYTES: 1609
Roles: targets/***
Sign 8c88e34ec*** with the notary
Addition of target "1.8.0-SNAPSHOT" by sha256 hash to repository "docker.io/myorg/myimagename" staged for next publish.
Auto-publishing changes to docker.io/myorg/myimagename
Successfully published changes for repository docker.io/myorg/myimagename
Done !
NAME              DIGEST                                                              SIZE (BYTES)    ROLE
----              ------                                                              ------------    ----
1.8.0-SNAPSHOT    8c88e34ec***                                                1609            targets/***
Run docker trust inspect --pretty "docker.io/myorg/myimagename:1.8.0-SNAPSHOT"

Signatures for docker.io/myorg/myimagename:1.8.0-SNAPSHOT

SIGNED TAG       DIGEST                                                             SIGNERS
1.8.0-SNAPSHOT   0e5a13c3fee0ef***                                     (Repo Admin)

List of signers and their keys for docker.io/myorg/myimagename:1.8.0-SNAPSHOT

SIGNER                     KEYS
***   3ce76fd8235e

Administrative keys for docker.io/myorg/myimagename:1.8.0-SNAPSHOT

  Repository Key:   f246a66***
  Root Key: e6261f8***
Run rm -v ~/.docker/trust/private/***.key
removed '/home/runner/.docker/trust/private/***.key'
Run rm -rvf ~/.docker/trust/private
removed '/home/runner/.docker/trust/private/3ce76fd***.key'
removed directory '/home/runner/.docker/trust/private'

Do you have any suggestions about what I am doing/getting wrong?

Thanks in advance, AndiY
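The log above shows two different digests: the one the notary step signs (the manifest list, `8c88e34ec...`) and the one `docker trust inspect` reports for the tag (`0e5a13c3fee0ef...`). For a multi-arch image the question is which object the DCT signature actually covers: the manifest list (then every platform is covered) or a single per-platform manifest (then only that platform is). The following script is an added example and not code from the original issue or from action-docker-sign; it compares the digest recorded in `docker trust inspect` JSON against the digest of the manifest list and of each platform manifest listed in it. The manifest list, the trust-inspect output and all digests below are constructed placeholders (not real images); the helper `make_trust_inspect` only stands in for the real `docker trust inspect` output.

```python
"""Check which platforms of a multi-arch image a DCT signature covers.

Added example, not code from sudo-bot/action-docker-sign. All sample data
(manifest list, digests, trust-inspect JSON) is constructed for illustration.
"""
import hashlib
import json

# Constructed per-platform manifest digests (placeholders, not real images).
AMD64_DIGEST = "sha256:" + "a" * 64
ARM64_DIGEST = "sha256:" + "b" * 64

# Constructed manifest list, serialised compactly. When checking a real image,
# use the exact bytes the registry serves (e.g. a GET on /v2/<repo>/manifests/<tag>
# with the manifest-list Accept header): the digest is over those bytes, and any
# re-serialisation changes it.
MANIFEST_LIST_BYTES = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1234, "digest": AMD64_DIGEST,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1234, "digest": ARM64_DIGEST,
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
    ],
}, separators=(",", ":")).encode()


def manifest_digest(raw: bytes) -> str:
    """Registry-style digest of a manifest or manifest list: sha256 over the raw bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def _hex(digest: str) -> str:
    """Normalise 'sha256:<hex>' (registry) and bare '<hex>' (docker trust inspect) to hex."""
    return digest.split(":", 1)[-1].lower()


def signed_digests(trust_inspect: str, tag: str) -> set:
    """Digests that `docker trust inspect` JSON records for `tag` (bare hex)."""
    found = set()
    for repo in json.loads(trust_inspect):
        for signed in repo.get("SignedTags", []):
            if signed.get("SignedTag") == tag:
                found.add(_hex(signed["Digest"]))
    return found


def trust_coverage(trust_inspect: str, manifest_list_raw: bytes, tag: str) -> dict:
    """Report whether the signature covers the manifest list and/or each platform."""
    signed = signed_digests(trust_inspect, tag)
    list_signed = _hex(manifest_digest(manifest_list_raw)) in signed
    platforms = {}
    for entry in json.loads(manifest_list_raw)["manifests"]:
        plat = entry.get("platform", {})
        name = "/".join(x for x in (plat.get("os"), plat.get("architecture"),
                                    plat.get("variant")) if x) or "unknown"
        # Signing the list covers every platform; otherwise only a manifest
        # whose own digest was signed is covered.
        platforms[name] = list_signed or _hex(entry["digest"]) in signed
    return {"manifest_list": list_signed, "platforms": platforms}


def make_trust_inspect(tag: str, digest_hex: str) -> str:
    """Constructed stand-in for `docker trust inspect <ref>` JSON output."""
    return json.dumps([{
        "Name": "docker.io/myorg/myimagename:" + tag,
        "SignedTags": [{"SignedTag": tag, "Digest": digest_hex,
                        "Signers": ["Repo Admin"]}],
        "Signers": [],
        "AdministrativeKeys": [],
    }])


if __name__ == "__main__":
    tag = "1.8.0-SNAPSHOT"
    # Case from the issue: only the amd64 manifest digest was signed.
    print(trust_coverage(make_trust_inspect(tag, _hex(AMD64_DIGEST)),
                         MANIFEST_LIST_BYTES, tag))
    # Desired case: the manifest list digest was signed, covering all platforms.
    print(trust_coverage(make_trust_inspect(tag, _hex(manifest_digest(MANIFEST_LIST_BYTES))),
                         MANIFEST_LIST_BYTES, tag))
```

On a real image, feed `trust_coverage` the output of `docker trust inspect <ref>` and the raw manifest list bytes fetched from the registry for the same tag; a result with `manifest_list: False` and only one platform `True` is the symptom described in this issue, where a pull on the other architecture reports the image as unsigned.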

williamdes commented 3 days ago

Hello!

Can you check with this image that my signing currently works? https://hub.docker.com/r/botsudo/nut-upsd/tags