how to sign multi arch images #2

Open

arauchberger opened this issue Oct 14, 2024 · 1 comment

@arauchberger
Hi,

I build my image via a GitHub workflow (on an amd64 GitHub runner) with docker-maven-plugin for multiple architectures simultaneously, resulting in a multi-arch image being pushed to Docker Hub.

When I use the following setup, I get the amd64 image/manifest signed, but the arm64 image/manifest is somehow "lost" on Docker Hub.

- name: sign&push image
  uses: sudo-bot/action-docker-sign@latest
  with:
    image-ref: "docker.io/myorg/myimagename:1.8.0-SNAPSHOT"
    private-key-id: "${{ secrets.DOCKER_SIGN_PRIVATE_KEY_ID }}"
    private-key-name: "mykeyname"
    private-key: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY }}
    private-key-passphrase: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY_PASSPHRASE }}

When I use the following setup, it completes somehow successfully, but when pulling the image (arm64!!) and performing a docker trust inspect, it tells me it's not signed.

- name: sign&push image manifest
  uses: sudo-bot/action-docker-sign@latest
  with:
    image-ref: "docker.io/myorg/myimagename:1.8.0-SNAPSHOT"
    sign-manifest: true
    notary-auth: "${{ secrets.DOCKER_HUB_USERNAME }}:${{ secrets.DOCKER_HUB_TOKEN }}"
    private-key-id: "${{ secrets.DOCKER_SIGN_PRIVATE_KEY_ID }}"
    private-key-name: "mykeyname"
    private-key: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY }}
    private-key-passphrase: ${{ secrets.DOCKER_SIGN_PRIVATE_KEY_PASSPHRASE }}

This is the output from the second setup:

Run notary key list -d ~/.docker/trust/

ROLE      GUN    KEY ID                                                              LOCATION
----      ---    ------                                                              --------
                 ***                                            /home/runner/.docker/trust/private
signer           3ce76***    /home/runner/.docker/trust/private

Run jq --version > /dev/null || curl -sS https://webinstall.dev/jq | bash
Run set -eu;
Image-ref: docker.io/pineit/at.pineit.pitdata-fhir
Image-tag: 1.8.0-SNAPSHOT
Repo-name: myorg/myimagename
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1609  100  1609    0     0  18839      0 --:--:-- --:--:-- --:--:-- 18929
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1609  100  1609    0     0  17509      0 --:--:-- --:--:-- --:--:-- 17681
Manifest SHA-256: 8c88e34ec***
Manifest-inspect BYTES: 1609
Roles: targets/***
Sign 8c88e34ec*** with the notary
Addition of target "1.8.0-SNAPSHOT" by sha256 hash to repository "docker.io/myorg/myimagename" staged for next publish.
Auto-publishing changes to docker.io/myorg/myimagename
Successfully published changes for repository docker.io/myorg/myimagename
Done !
NAME              DIGEST                                                              SIZE (BYTES)    ROLE
----              ------                                                              ------------    ----
1.8.0-SNAPSHOT    8c88e34ec***                                                1609            targets/***
Run docker trust inspect --pretty "docker.io/myorg/myimagename:1.8.0-SNAPSHOT"

Signatures for docker.io/myorg/myimagename:1.8.0-SNAPSHOT

SIGNED TAG       DIGEST                                                             SIGNERS
1.8.0-SNAPSHOT   0e5a13c3fee0ef***                                     (Repo Admin)

List of signers and their keys for docker.io/myorg/myimagename:1.8.0-SNAPSHOT

SIGNER                     KEYS
***   3ce76fd8235e

Administrative keys for docker.io/myorg/myimagename:1.8.0-SNAPSHOT

  Repository Key:	f246a66***
  Root Key:	e6261f8***
Run rm -v ~/.docker/trust/private/***.key
removed '/home/runner/.docker/trust/private/***.key'
Run rm -rvf ~/.docker/trust/private
removed '/home/runner/.docker/trust/private/3ce76fd***.key'
removed directory '/home/runner/.docker/trust/private'

Do you have any suggestions as to what I'm doing or getting wrong?

Thanks in advance,
AndiY
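One thing worth checking in a setup like the one above is which object the signature actually covers. With Docker Content Trust the signed target is a digest, and a pull resolves the tag to exactly that digest: if it is the digest of the multi-arch manifest list, every platform listed in it is reachable through the signature; if it is the digest of a single platform manifest, only that platform is. The following is an added example, not code from this issue, from the reporter or from the sudo-bot/action-docker-sign project. It computes the registry content digest over the exact manifest bytes, lists the per-platform children, builds the `notary addhash` invocation for the list digest, and checks which platform a given signed digest reaches. It assumes Docker Hub's registry endpoint `registry-1.docker.io`, a bearer token in an environment variable named `REGISTRY_TOKEN`, and a constructed two-platform manifest list with placeholder child digests.

```python
import hashlib
import json

# Media types a registry can return for a tag. The first two are multi-arch
# indexes ("manifest lists"); the last two are single-platform manifests.
MANIFEST_LIST_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}
PLATFORM_MANIFEST_TYPES = {
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
}

# Constructed sample: a two-platform manifest list in the shape Docker Hub serves.
# The child digests are made-up placeholders, not real image digests.
AMD64_DIGEST = "sha256:" + "a1" * 32
ARM64_DIGEST = "sha256:" + "b2" * 32
SAMPLE_MANIFEST_LIST = json.dumps(
    {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
        "manifests": [
            {
                "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "size": 1609,
                "digest": AMD64_DIGEST,
                "platform": {"architecture": "amd64", "os": "linux"},
            },
            {
                "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "size": 1609,
                "digest": ARM64_DIGEST,
                "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"},
            },
        ],
    },
    indent=3,
).encode()


def content_digest(body: bytes) -> tuple[str, int]:
    """Registry content digest: sha256 over the exact response bytes, plus the
    byte length. Both are what `notary addhash` needs; re-serialising the JSON
    would change the bytes and therefore the digest."""
    return "sha256:" + hashlib.sha256(body).hexdigest(), len(body)


def fetch_command(repo: str, tag: str, token_var: str = "REGISTRY_TOKEN") -> str:
    """curl invocation that asks for the manifest list explicitly. Without an
    Accept header naming the index types the registry may return a single
    platform manifest instead. Endpoint and token variable are assumptions."""
    accept = ",".join(sorted(MANIFEST_LIST_TYPES | PLATFORM_MANIFEST_TYPES))
    return (
        f'curl -sS -H "Authorization: Bearer ${token_var}" -H "Accept: {accept}" '
        f"https://registry-1.docker.io/v2/{repo}/manifests/{tag}"
    )


def platform_digests(body: bytes) -> dict[str, str]:
    """Map 'os/arch' -> child manifest digest. Raises if the body is not a list."""
    doc = json.loads(body)
    if doc.get("mediaType") not in MANIFEST_LIST_TYPES:
        raise ValueError(f"not a manifest list: {doc.get('mediaType')}")
    return {
        f"{m['platform']['os']}/{m['platform']['architecture']}": m["digest"]
        for m in doc["manifests"]
    }


def notary_addhash_command(gun: str, tag: str, body: bytes) -> str:
    """Stage and publish (-p) the tag as a target whose hash is the manifest-list
    digest. notary takes the bare hex digest and the byte size."""
    digest, size = content_digest(body)
    return f"notary addhash -p {gun} {tag} {size} --sha256 {digest[len('sha256:'):]}"


def signature_covers_platform(signed_digest: str, body: bytes, platform: str) -> bool:
    """A DCT-enabled pull resolves the tag to signed_digest and fetches that
    object. If signed_digest is the list digest, every child platform is
    reachable; if it is one platform manifest, only that platform is."""
    list_digest, _ = content_digest(body)
    children = platform_digests(body)
    if signed_digest == list_digest:
        return platform in children
    return children.get(platform) == signed_digest


if __name__ == "__main__":
    digest, size = content_digest(SAMPLE_MANIFEST_LIST)
    print("manifest list:", digest, size, "bytes")
    for plat, child in platform_digests(SAMPLE_MANIFEST_LIST).items():
        print(f"  {plat}: {child}")
    print(fetch_command("myorg/myimagename", "1.8.0-SNAPSHOT"))
    print(notary_addhash_command("docker.io/myorg/myimagename", "1.8.0-SNAPSHOT", SAMPLE_MANIFEST_LIST))
    print("arm64 covered when the list digest is signed:",
          signature_covers_platform(digest, SAMPLE_MANIFEST_LIST, "linux/arm64"))
    print("arm64 covered when only the amd64 manifest is signed:",
          signature_covers_platform(AMD64_DIGEST, SAMPLE_MANIFEST_LIST, "linux/arm64"))
```

The practical check against a real repository is to compare three values: the digest you passed to `notary addhash`, the `Docker-Content-Digest` the registry returns for the tag when asked with the manifest-list Accept header, and the digest shown by `docker trust inspect` for that tag. All three should be the same manifest-list digest; if the signed digest instead matches one entry in the list's `manifests` array, only that architecture is covered by the signature.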

@williamdes (Member)

Hello!

Can you check with this image that my signing currently works?
https://hub.docker.com/r/botsudo/nut-upsd/tags
