Content trust sign with buildx

[sabretus]

Hello,

Is there any way to sign a multi architectural image built by buildx?

The build is running like this:

docker buildx build --platform linux/amd64,linux/arm64 -t ${IMAGE}:${VERSION} --push .

To sign the image I am doing a regular "docker push" or "docker trust sign" but it signs and pushes only a local arch image and then overrides the manifest list previously pushed with buildx.

Somehow official hub.docker.com repo have signed multi-arch images, so how?

[williamdes]

Hi @tonistiigi
Would you please give us your point of view on this issue ?

[williamdes]

For anyone finding this issue, the solution to sign a manifest is to use the notary command line.
See: https://github.com/sudo-bot/action-docker-sign#sign-multi-platform-manifests
Ref: sudo-bot/action-docker-sign@ee2b979

So, you will need to use buildx to push tags like {platform}-latestOrWhatYouWant and then make a manifest and sign it

[roman-vynar]

Notary is so much user unfriendly, abandoned and overcomplicated solution that after being using it since 2017 with both Docker Hub and a private registry we decided to stop using it.

[hardillb]

Has anything moved forward with this?

Having a first class way to build and sign multi-platform releases in a single command would be a REALLY great way to increase adoption of Docker Content Trust

[JC5]

Using the notary scripts is way too fragile and complicated for me to use. I would expect something like docker trust sign to work for multi-arch containers out of the box. The multi-arch experience is already mostly transparent for most of (my) users, most barely notice there are 5 variants of the same container.

I would really like to be able to sign all 5 as well.

[leonheldattoradex]

Hello, this was opened in 2020 and since then I can't find any information on it.
Was this feature ever implemented?

[williamdes]

Hello, this was opened in 2020 and since then I can't find any information on it. Was this feature ever implemented?

You will find more than you can ever need on https://github.com/sudo-bot/action-docker-sign

[heruan]

Is signing multi-arch images still so complicated? Our CI/CD workflows build and push for multiple arch, with a single tag. From there, how can we sign both images that share the same tag?

I would expect docker trust sign my-image:my-tag to work, but it REMOVES one of the two architectures from Docker Hub, unprompted 😱

[MalteMagnussen]

Would be great to be able to use HCL with docker buildx bake to cosign the images.