Every images of the multi-arch container should be signed

[alaviss]

socket-proxy/.github/workflows/docker-image-release.yaml

Line 49 in 8f15c07

run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY docker.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }}@${{ steps.build-and-push.outputs.digest }}

For podman to be able to verify containers using the cosign key, every images referenced in the multi-arch manifest must be signed. This can be done by adding --recursive to the cosign command.

Ref: containers/podman#21209

[wollomatic]

Hi @alaviss,

thanks for the suggestion. I have updated the develop branch, so you can test it with this image: wollomatic/socket-proxy:testing-c61068985d92ac073d2f0915abca4d6dd8e029fd

I think it should work as expected. We get a lot of signatures now...

[alaviss]

I can verify that it is working now, thanks for the quick fix

[wollomatic]

Great, thanks!