Run notary key list -d ~/.docker/trust/
ROLE GUN KEY ID LOCATION
---- --- ------ --------
*** /home/runner/.docker/trust/private
signer 3ce76*** /home/runner/.docker/trust/private
Run jq --version > /dev/null || curl -sS https://webinstall.dev/jq | bash
Run set -eu;
Image-ref: docker.io/pineit/at.pineit.pitdata-fhir
Image-tag: 1.8.0-SNAPSHOT
Repo-name: myorg/myimagename
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 1609 100 1609 0 0 18839 0 --:--:-- --:--:-- --:--:-- 18929
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 1609 100 1609 0 0 17509 0 --:--:-- --:--:-- --:--:-- 17681
Manifest SHA-256: 8c88e34ec***
Manifest-inspect BYTES: 1609
Roles: targets/***
Sign 8c88e34ec*** with the notary
Addition of target "1.8.0-SNAPSHOT" by sha256 hash to repository "docker.io/myorg/myimagename" staged for next publish.
Auto-publishing changes to docker.io/myorg/myimagename
Successfully published changes for repository docker.io/myorg/myimagename
Done !
NAME DIGEST SIZE (BYTES) ROLE
---- ------ ------------ ----
1.8.0-SNAPSHOT 8c88e34ec*** 1609 targets/***
Run docker trust inspect --pretty "docker.io/myorg/myimagename:1.8.0-SNAPSHOT"
Signatures for docker.io/myorg/myimagename:1.8.0-SNAPSHOT
SIGNED TAG DIGEST SIGNERS
1.8.0-SNAPSHOT 0e5a13c3fee0ef*** (Repo Admin)
List of signers and their keys for docker.io/myorg/myimagename:1.8.0-SNAPSHOT
SIGNER KEYS
*** 3ce76fd8235e
Administrative keys for docker.io/myorg/myimagename:1.8.0-SNAPSHOT
Repository Key: f246a66***
Root Key: e6261f8***
Run rm -v ~/.docker/trust/private/***.key
removed '/home/runner/.docker/trust/private/***.key'
Run rm -rvf ~/.docker/trust/private
removed '/home/runner/.docker/trust/private/3ce76fd***.key'
removed directory '/home/runner/.docker/trust/private'
Hi,
I build my image via gh-wf (on amd64 gh-runner) with docker-maven-plugin for multiple architectures simultaneously, resulting in a multiarch-image being pushed to Docker Hub.
When I use the following setup, I get the amd64 image/manifest signed, but the arm64 image/manifest is somehow "lost" on Docker Hub.
When I use the following setup, it completes somehow successfully, but when pulling the image (arm64!!) and performing a docker trust inspect it tells me it's not signed.
This is the output from the second setup:
Do you have any suggestions what I do/get wrong?
Thanks in advance, AndiY
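Added example, not part of the original post or of any project's code: the log above signs a manifest by SHA-256 and byte length, and for a multi-arch tag that pair can describe the manifest list or just one platform's manifest. The Python below classifies a signed (digest, length) pair against a manifest list; the function names and the sample manifests are constructed for illustration.

```python
import hashlib
import json


def target_for(raw):
    """Return (sha256 hex, byte length) of a manifest exactly as served."""
    return hashlib.sha256(raw).hexdigest(), len(raw)


def classify(index_raw, signed_sha256, signed_len):
    """Say what a signed (digest, length) pair covers for one multi-arch tag."""
    digest, length = target_for(index_raw)
    if signed_sha256 == digest:
        return "index" if signed_len == length else "index (length mismatch)"
    for entry in json.loads(index_raw).get("manifests", []):
        if entry.get("digest") == "sha256:" + signed_sha256:
            plat = entry.get("platform", {})
            kind = "platform %s/%s" % (plat.get("os"), plat.get("architecture"))
            ok = signed_len == entry.get("size")
            return kind if ok else kind + " (length mismatch)"
    return "not part of this tag"


def sample():
    """Constructed data: two stand-in platform manifests and their manifest list."""
    raws = {arch: json.dumps({"schemaVersion": 2, "note": "constructed " + arch}).encode()
            for arch in ("amd64", "arm64")}
    index = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
        "manifests": [
            {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
             "digest": "sha256:" + target_for(raw)[0], "size": len(raw),
             "platform": {"os": "linux", "architecture": arch}}
            for arch, raw in raws.items()
        ],
    }
    return json.dumps(index).encode(), raws


if __name__ == "__main__":
    index_raw, raws = sample()
    for label, raw in [("list", index_raw)] + list(raws.items()):
        sha, size = target_for(raw)
        print(label, sha[:12], size, "->", classify(index_raw, sha, size))
    print("unrelated ->", classify(index_raw, "0" * 64, 1609))
```

In a real check, `index_raw` would be the exact bytes the registry returns for the tag, since re-serialized JSON hashes differently.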