Problem
Related: #1376
Container image signing is implemented in the pipeline's Sign stage, which runs after the Post_Build stage. However, manifest lists (multi-arch image indexes) are not created until the Publish stage - which runs after the Sign stage. This means manifest lists are never signed.
The signing infrastructure already supports manifest lists - SignImagesCommand signs all digests returned by GetAllDigests(), which includes manifest list digests when they exist in image-info.json. The problem is that at sign time, manifest list digests have not been populated yet because the publishManifest command hasn't run.
Current Pipeline Flow
- Build - creates platform images, produces per-job image-info fragments
- Post_Build - merges image-info fragments into a single file
- Sign - signs all digests in image-info (platform images only - no manifest list digests exist yet)
- Test - tests images
- Publish - copies images, creates manifest lists here (too late to sign)
Proposed Solution
Move manifest list creation from the Publish stage to the Post_Build stage so that manifest list digests exist in image-info.json before the Sign stage runs. See #2002 for details.
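The ordering problem above, modelled as an added example (not code from the docker-tools repo): a simplified image-info.json shape and stand-ins for GetAllDigests, publishManifest and SignImagesCommand are assumptions, and the check reports which digests end up in the final image-info without ever having been signed.

```python
# Added example: models the Sign / Publish ordering bug. The image-info.json
# layout and the helper names below are simplified assumptions, not the project's code.
import copy
import hashlib
import json

# Constructed image-info as it looks after Post_Build: platform digests only, no manifest list yet.
IMAGE_INFO_AFTER_POST_BUILD = json.loads("""
{"repos": [{"repo": "example/runtime", "images": [{
  "platforms": [
    {"architecture": "amd64", "digest": "sha256:aaaa1111"},
    {"architecture": "arm64", "digest": "sha256:bbbb2222"}],
  "manifest": {"digest": null}}]}]}
""")

def get_all_digests(image_info):
    """Collect every digest in image-info: platform images plus manifest lists when present."""
    digests = []
    for repo in image_info["repos"]:
        for image in repo["images"]:
            digests.extend(p["digest"] for p in image["platforms"])
            manifest_digest = (image.get("manifest") or {}).get("digest")
            if manifest_digest:
                digests.append(manifest_digest)
    return digests

def publish_manifest(image_info):
    """Stand-in for publishManifest: creates a manifest list per image and records its digest."""
    for repo in image_info["repos"]:
        for image in repo["images"]:
            # Constructed digest: a hash over the platform digests stands in for the registry's value.
            joined = "".join(p["digest"] for p in image["platforms"]).encode()
            image["manifest"] = {"digest": "sha256:" + hashlib.sha256(joined).hexdigest()}
    return image_info

def sign_images(image_info):
    """Stand-in for SignImagesCommand: signs (here, returns) everything GetAllDigests yields right now."""
    return set(get_all_digests(image_info))

def unsigned_digests(stages):
    """Run the named stages in order and return digests present at the end that were never signed."""
    info = copy.deepcopy(IMAGE_INFO_AFTER_POST_BUILD)
    signed = set()
    for stage in stages:
        if stage == "sign":
            signed |= sign_images(info)
        elif stage == "publish_manifest":
            publish_manifest(info)
    return sorted(set(get_all_digests(info)) - signed)

if __name__ == "__main__":
    print("current order, unsigned:", unsigned_digests(["sign", "publish_manifest"]))
    print("proposed order, unsigned:", unsigned_digests(["publish_manifest", "sign"]))
```

With the current order the manifest list digest is the one entry left unsigned; with manifest creation moved before Sign the list is empty.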