Attestations w/ Provenance fail to build #373
Description
Orb version
9.3.7
What happened
I have the following build configuration
- aws-ecr/build_image:
account_id: ${AWS_ECR_REGISTRY_ID}
dockerfile: << parameters.dockerfile >>
extra_build_args: --attest type=provenance,mode=min --sbom=true << parameters.extra_build_args >>
platform: << parameters.platform >>
region: us-east-1
repo: << parameters.repo >>
Without --attest type=provenance,mode=min --sbom=true it works fine. With it, I get the following build error:
+ docker buildx ls
+ grep -q DLC_builder
+ docker buildx create --name DLC_builder --use
DLC_builder
+ echo 'Context is set to DLC_builder'
Context is set to DLC_builder
+ set +x
+ docker buildx build -f ./Dockerfile -t 1234567890.dkr.ecr.us-east-1.amazonaws.com/prober-db:4b6fac62c7bb08adc9b8ebe7a70575d0a05b4525-amd --platform linux/amd64 --progress plain --attest type=provenance,mode=min --sbom=false --load .
#0 building with "DLC_builder" instance using docker-container driver
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:buildx-stable-1
#1 pulling image moby/buildkit:buildx-stable-1 1.8s done
#1 creating container buildx_buildkit_dlc_builder0
#1 creating container buildx_buildkit_dlc_builder0 0.6s done
#1 DONE 2.4s
ERROR: docker exporter does not currently support exporting manifest lists
Exited with code exit status 1
Expected behavior
If I run the buildx command locally, it builds and adds the attestations as requested.
$ docker buildx build -f ./Dockerfile -t 1234567890.dkr.ecr.us-east-1.amazonaws.com/prober-db:4b6fac62c7bb08adc9b8ebe7a70575d0a05b4525-amd --platform linux/amd64 --progress plain --attest type=provenance,mode=min --sbom=true --no-cache --load .
#0 building with "desktop-linux" instance using docker driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 320B done
#1 DONE 0.0s
#2 resolve image config for docker-image://docker.io/docker/dockerfile:1
#2 DONE 0.4s
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 320B done
#1 DONE 0.0s
#3 docker-image://docker.io/docker/dockerfile:1@sha256:93bfd3b68c109427185cd78b4779fc82b484b0b7618e36d0f104d4d801e66d25
#3 resolve docker.io/docker/dockerfile:1@sha256:93bfd3b68c109427185cd78b4779fc82b484b0b7618e36d0f104d4d801e66d25 done
#3 CACHED
#4 [internal] load build definition from Dockerfile
#4 DONE 0.0s
#5 [auth] docker/buildkit-syft-scanner:pull token for registry-1.docker.io
#5 DONE 0.0s
#6 resolve image config for docker-image://docker.io/docker/buildkit-syft-scanner:stable-1
#6 DONE 0.2s
#7 [internal] load metadata for docker.io/library/golang:1.23-alpine
#7 DONE 0.1s
#8 [internal] load .dockerignore
#8 transferring context: 73B done
#8 DONE 0.0s
#9 [1/6] FROM docker.io/library/golang:1.23-alpine@sha256:47d337594bd9e667d35514b241569f95fb6d95727c24b19468813d596d5ae596
#9 resolve docker.io/library/golang:1.23-alpine@sha256:47d337594bd9e667d35514b241569f95fb6d95727c24b19468813d596d5ae596 done
#9 DONE 0.0s
#10 [2/6] WORKDIR /go/src/app
#10 CACHED
#11 [internal] load build context
#11 transferring context: 637B done
#11 DONE 0.0s
#12 [3/6] COPY go.mod go.sum ./
#12 DONE 0.0s
#13 docker-image://docker.io/docker/buildkit-syft-scanner:stable-1
#13 resolve docker.io/docker/buildkit-syft-scanner:stable-1 0.1s done
#13 DONE 0.1s
#14 [4/6] RUN go mod download
#14 ...
#13 docker-image://docker.io/docker/buildkit-syft-scanner:stable-1
#13 CACHED
#14 [4/6] RUN go mod download
#14 DONE 2.7s
#15 [5/6] COPY . ./
#15 DONE 0.1s
#16 [6/6] RUN CGO_ENABLED=0 GOOS=linux go build -o app -ldflags="-X 'main.Version=local'"
#16 DONE 38.1s
#17 [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1
#17 0.096 time="2025-01-22T14:15:02Z" level=info msg="starting syft scanner for buildkit v1.5.0"
#17 DONE 13.6s
#18 exporting to image
#18 exporting layers
#18 exporting layers 5.6s done
#18 exporting manifest sha256:b1c3ac6cc9616fc5594107d223e9ce3e5f94e8ef3d7912980243eb2c93992434
#18 exporting manifest sha256:b1c3ac6cc9616fc5594107d223e9ce3e5f94e8ef3d7912980243eb2c93992434 done
#18 exporting config sha256:052668f3507a0ce6d9410665c7d02b9ab800b1454b1f3aea90d558bbe9c3ea2c done
#18 exporting attestation manifest sha256:df7fe0d6e324a3cf13d29a5fc57ea627f3b3914dd9cbc656d509421ebe23ae40
#18 exporting attestation manifest sha256:df7fe0d6e324a3cf13d29a5fc57ea627f3b3914dd9cbc656d509421ebe23ae40 done
#18 exporting manifest list sha256:17ecc45b079ab01a39ebc1e2c698924d02d6796b8b1b3a6c377bd5444980c376 done
#18 naming to 1234567890.dkr.ecr.us-east-1.amazonaws.com/prober-db:4b6fac62c7bb08adc9b8ebe7a70575d0a05b4525-amd done
#18 DONE 7.4s
View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/kdh6985a2razyvap3v280x02b