How to use Docker Content Trust to sign manifest with build-push-action #381
Hi,

I've managed to set up this action to do a multi-arch build and push to the public Docker repository and now I'd like to sign a tag for those containers so they can be used with Docker Content Trust.

This issue implies that I need to use the notary CLI app to sign the manifest, but I'm not sure that the hash output by this action is the right value to pass to the command.

Assuming I've understood correctly, if I mouse over the tag name on the hub.docker.io page it shows the sha256 hash of the manifest. This doesn't appear to match the output from the action (it is the hash of one of the arch builds but it doesn't appear to consistently match up with the one used for the manifest).

Could you please add some definitive docs to explain how to use this action with Docker Content Trust.

Thanks.

Comments

Documentation suggests you can enable DCT using an env var: https://docs.docker.com/engine/security/trust/#client-enforcement-with-docker-content-trust I find references to using DCT in this post: https://www.cloudnative.quest/posts/security/2022-01-01/improve-supply-chain-security-with-github-actions-and-open-source-tools/ Can't say for sure if it works.

@sagikazarmark The useful part of the article is the bit about cosign; the env var is all about pulling the base containers to build your containers from.

I may have misunderstood your question then. I thought you were referring to pulling and verifying images. Apologies for the noise.
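The digest mismatch described in the issue comes from a multi-arch tag resolving to a manifest list (OCI image index) whose own content digest differs from the per-platform manifest digests it references. The following is an added example, not code from the issue or from build-push-action: it computes a registry content digest over raw manifest bytes and lists the per-platform digests inside a constructed sample index, so you can tell which kind of digest a value is before handing it to a signing tool.

```python
import hashlib
import json

# Constructed sample OCI image index for a two-platform image.
# The digests inside are placeholders, not real image digests.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "size": 1234,
         "digest": "sha256:" + "11" * 32,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "size": 1234,
         "digest": "sha256:" + "22" * 32,
         "platform": {"architecture": "arm64", "os": "linux"}},
    ],
}, separators=(",", ":")).encode()


def content_digest(manifest_bytes: bytes) -> str:
    """Registry content digest: sha256 over the exact bytes the registry serves.
    Hash the raw response body, not re-serialized or pretty-printed JSON,
    or the digest will not match what the registry (and Docker Hub) report."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def platform_digests(index_bytes: bytes) -> dict:
    """Map 'os/arch' -> per-platform manifest digest listed in a manifest list."""
    index = json.loads(index_bytes)
    if index.get("mediaType") not in (
        "application/vnd.oci.image.index.v1+json",
        "application/vnd.docker.distribution.manifest.list.v2+json",
    ):
        raise ValueError("not a manifest list / image index")
    out = {}
    for m in index["manifests"]:
        p = m.get("platform", {})
        out[f"{p.get('os')}/{p.get('architecture')}"] = m["digest"]
    return out


def is_platform_digest(index_bytes: bytes, digest: str) -> bool:
    """True when `digest` names one per-arch manifest rather than the index the tag points to."""
    return digest in platform_digests(index_bytes).values()


if __name__ == "__main__":
    print("digest the tag resolves to:", content_digest(SAMPLE_INDEX))
    for plat, d in platform_digests(SAMPLE_INDEX).items():
        print(f"  {plat}: {d}  (per-arch manifest, not the tag digest)")
```

For a real image, feed `content_digest` the bytes returned by the registry manifest endpoint for the tag; the trust metadata for a multi-arch tag should reference that index digest, not one of the per-arch digests it lists.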