Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use manifest digest for signing #217

Merged
merged 2 commits into from
Aug 14, 2024
Merged

Conversation

agners
Copy link
Member

@agners agners commented Aug 12, 2024

Instead of using the image name and tag, use the image name and the manifest sha256. This allows to verify the image sha256 in logs etc. and gets rid of the following warning from cosign:

WARNING: Image reference ghcr.io/home-assistant/amd64-builder:dev uses a tag, not a digest, to identify the image to sign.

Instead of using the image name and tag, use the image name and the
manifest sha256. This allows to verify the image sha256 in logs etc.
and gets rid of the following warning from cosign:

```
WARNING: Image reference ghcr.io/home-assistant/amd64-builder:dev uses a tag, not a digest, to identify the image to sign.
```
Since we anyways can only sign an image which has a manifest digiest
@frenck frenck merged commit 73d9da5 into master Aug 14, 2024
10 checks passed
@frenck frenck deleted the use-manifest-digest-for-signing branch August 14, 2024 08:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants