'docker trust sign' does not work with manifest lists #910

rn · 2018-02-28T11:29:09Z

I created/pushed a new manifest list (using some LinuxKit images/repo for which signing is already set up:

$ docker manifest create linuxkit/auditd:test-sign \
    linuxkit/auditd:6ea41e1a0c3c0396703aa888f23e5dafcc4fd2bd-arm64 \
    linuxkit/auditd:6ea41e1a0c3c0396703aa888f23e5dafcc4fd2bd-amd64
$ docker manifest push linuxkit/auditd:test-sign

The manifest is available and inspectable.

The, I attempt to sign the manifest list:

$ docker trust sign linuxkit/auditd:test-sign
Error: No such image: linuxkit/auditd:test-sign

The text was updated successfully, but these errors were encountered:

dnephin · 2018-02-28T21:39:54Z

cc @n4ss do you know who can look into this?

eiais · 2018-03-06T03:42:36Z

This doesn't work for two reasons.

checkLocalImageExistence only returns local Images and doesn't check if a manifest is local. If that was modified to be checkLocalExistence for images and manifests it would break in sign.go on line 93 which calls image.TrustedPush.

If a manifest was signed first with notary then multisigning would work with trust sign.
AFAIK there isn't an equivalent to image.TrustedPush for manifests

rn mentioned this issue Feb 28, 2018

Convert manifest signing to use docker manifest and docker trust sign linuxkit/linuxkit#2936

Open

dnephin added kind/enhancement area/trust labels Mar 6, 2018

ijc mentioned this issue Sep 11, 2018

Drop experimental tag for manifest commands #1355

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

'docker trust sign' does not work with manifest lists #910

'docker trust sign' does not work with manifest lists #910

rn commented Feb 28, 2018

dnephin commented Feb 28, 2018

eiais commented Mar 6, 2018

'docker trust sign' does not work with manifest lists #910

'docker trust sign' does not work with manifest lists #910

Comments

rn commented Feb 28, 2018

dnephin commented Feb 28, 2018

eiais commented Mar 6, 2018