How to use Docker Content Trust to sign manifest with build-push-action #381

Open
hardillb opened this issue Jun 7, 2021 · 3 comments

hardillb commented Jun 7, 2021

Hi,

I've managed to set up this action to do a multi-arch build and push to the public Docker repository, and now I'd like to sign a tag for those containers so they can be used with Docker Content Trust.

This issue implies that I need to use the notary cli app to sign the manifest, but I'm not sure that the hash output by this action is the right value to pass to the command.

Assuming I've understood correctly, if I mouse over the tag name on the hub.docker.io page, it shows the sha256 hash of the manifest. This doesn't appear to match the output from the action (it is the hash of one of the arch builds, but it doesn't appear to consistently match up with the one used for the manifest).

Could you please add some definitive docs to explain how to use this action with Docker Content Trust?

Thanks.
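An added illustration (not from this issue or from build-push-action) of why the digest of one arch's build differs from the digest shown for the tag: a multi-arch tag resolves to a manifest list, whose digest is the sha256 of its exact bytes as stored in the registry, and each per-platform manifest it references has its own digest. The manifests below are constructed samples, and `classify_digest` reports which kind of digest a given value is.

```python
import hashlib
import json

# Constructed sample per-platform manifests (not real images). A registry stores
# and serves these exact bytes, and the digest is computed over them as-is.
PLATFORM_MANIFESTS = {
    ("linux", "amd64"): b'{"schemaVersion":2,"config":{"digest":"sha256:0a"}}',
    ("linux", "arm64"): b'{"schemaVersion":2,"config":{"digest":"sha256:0b"}}',
    ("linux", "arm"):   b'{"schemaVersion":2,"config":{"digest":"sha256:0c"}}',
}
MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"
LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"


def digest(blob: bytes) -> str:
    """Registry digest of a blob: sha256 over the exact bytes, prefixed 'sha256:'."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def build_manifest_list(platform_manifests: dict) -> bytes:
    """Assemble a multi-arch manifest list referencing each per-arch manifest by digest."""
    entries = [
        {"mediaType": MANIFEST_TYPE, "digest": digest(blob), "size": len(blob),
         "platform": {"os": os_, "architecture": arch}}
        for (os_, arch), blob in platform_manifests.items()
    ]
    doc = {"schemaVersion": 2, "mediaType": LIST_TYPE, "manifests": entries}
    # Serialize once and keep these bytes: any re-serialization changes the digest.
    return json.dumps(doc, separators=(",", ":"), sort_keys=True).encode()


def classify_digest(manifest_list: bytes, candidate: str) -> str:
    """Say whether a digest is the manifest-list digest (what the tag resolves to, and
    what a DCT signature for that tag covers), one platform's manifest digest, or neither."""
    if candidate == digest(manifest_list):
        return "manifest-list"
    for entry in json.loads(manifest_list)["manifests"]:
        if entry["digest"] == candidate:
            p = entry["platform"]
            return f"platform:{p['os']}/{p['architecture']}"
    return "unknown"


if __name__ == "__main__":
    ml = build_manifest_list(PLATFORM_MANIFESTS)
    print("tag (manifest list) digest:", digest(ml))
    for plat, blob in PLATFORM_MANIFESTS.items():
        print(f"{'/'.join(plat):12} {digest(blob)} ->", classify_digest(ml, digest(blob)))
```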

@sagikazarmark

Documentation suggests you can enable DCT using an env var: https://docs.docker.com/engine/security/trust/#client-enforcement-with-docker-content-trust

I find references to using DCT in this post: https://www.cloudnative.quest/posts/security/2022-01-01/improve-supply-chain-security-with-github-actions-and-open-source-tools/

Can't say for sure if it works.

hardillb commented Apr 7, 2023

@sagikazarmark The useful part of the article is the bit about cosign; the env var is all about pulling the base containers to build your containers from.

@sagikazarmark

I may have misunderstood your question then. I thought you were referring to pulling and verifying images. Apologies for the noise.
