cosign dockerfile verify problem with multistage dockerfile #3425
Question
Hello everyone, I've spent a while Googling and hunting after docs and other issues to no avail, so I thought I'd ask here. Apologies in advance if I've missed something.
I've got the following multistage docker file for building a Rust project, using cargo-chef to cache dependencies. The details of this hopefully shouldn't matter but here's the whole file anyway.

In my GitHub actions I would like to verify the signatures of all of the stages before I build Dockerfile, which cosign dockerfile verify looks to be the tool for.

When I run the following command I get messages about error during command execution: GET https://index.docker.io/v2/library/chainguard-rust-chef/manifests/latest - suggesting that cosign is trying to look up my multistage FROM in the docker registry, which seems wrong since it shouldn't exist. You can see the warning at the bottom of this snippet.

Is there anything I can do to ignore the chainguard-rust-chef parts of the Dockerfile? The --base-image-only flag doesn't make any sense since if a malicious actor managed to publish a new cgr.dev/chainguard/rust image then they could possibly use that to insert an exploit into my built binary.

This is the output of cosign version
Thank you!
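
One way to sidestep the lookup described in the question, as an added example (not from the original post or the cosign project): list only the FROM references that are not names of earlier build stages, so each can be passed to cosign verify on its own. The Dockerfile contents, the registry.example image and the cosign.pub key path are constructed placeholders, since the original file is not shown on the page.

```shell
#!/bin/sh
# Print the external image references named in a Dockerfile's FROM lines,
# one per line, skipping "scratch" and names of earlier build stages.
external_from_images() {
    awk '
    toupper($1) == "FROM" {
        i = 2
        while (i <= NF && $i ~ /^--/) i++      # skip flags such as --platform=...
        img = $i
        if (img == "") next
        # A later FROM <alias> names a previous stage, not a registry image.
        if (img != "scratch" && !(tolower(img) in stage) && !(img in seen)) {
            seen[img] = 1
            print img
        }
        if (toupper($(i + 1)) == "AS") stage[tolower($(i + 2))] = 1
    }' "$1"
}

# Constructed sample; stage and image names other than those quoted in the
# question are hypothetical.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM cgr.dev/chainguard/rust AS chainguard-rust-chef
RUN cargo install cargo-chef
FROM chainguard-rust-chef AS planner
RUN cargo chef prepare --recipe-path recipe.json
FROM --platform=linux/amd64 chainguard-rust-chef AS builder
COPY --from=planner /app/recipe.json recipe.json
FROM registry.example/base/runtime:1.0 AS runtime
COPY --from=builder /app/target/release/app /app
EOF
}

sample=$(mktemp)
write_sample_dockerfile "$sample"
external_from_images "$sample"
rm -f "$sample"

# Each reference can then be checked individually before the build, e.g.
# (cosign.pub is a placeholder for whatever key or identity options you use):
#   external_from_images Dockerfile | while read -r img; do
#       cosign verify --key cosign.pub "$img" || exit 1
#   done
```

COPY --from=<image> references and ARG-substituted names are not resolved by this sketch. Verifying a tag and then building from that tag leaves a window between the two pulls; pinning FROM lines by digest removes it.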