[bug]: Dockerhub failure on the use of hardened images as base images #184
Description
Docker Hardened Image
trixie-debian13, probably all
Bug Description
Hello!
At @globaleaks, we are evaluating the possibility of using the Debian Docker Hardened Image as a base image, with the goal of developing a GlobaLeaks Docker Hardened Image.
While attempting to build the image using Docker Hub, we noticed that the packaging used to produce the official Docker Hardened Images is currently not compatible with the toolchain available on Docker Hub.
As a result, it is currently not possible for third-party projects to build and publish images on Docker Hub that are based on these images.
Steps to Reproduce
- Set an hardened image as base image in Dockerfile
- Build the image on DockerHub
Expected Behavior
Dockerhub should succeed building the image
Actual Behavior
Dockerhub fails while extracting the base image layers.
Environment
Dockehub
Relevant Logs
2026-02-07T17:28:07Z Cloning into '.'...
2026-02-07T17:28:07Z Warning: Permanently added the RSA host key for IP address '140.82.113.4' to the list of known hosts.
2026-02-07T17:29:12Z Checking out files: 91% (7059/7683)
Checking out files: 92% (7069/7683)
Checking out files: 93% (7146/7683)
Checking out files: 94% (7223/7683)
Checking out files: 95% (7299/7683)
Checking out files: 96% (7376/7683)
Checking out files: 97% (7453/7683)
Checking out files: 98% (7530/7683)
Checking out files: 99% (7607/7683)
Checking out files: 100% (7683/7683)
Checking out files: 100% (7683/7683), done.
2026-02-07T17:29:13Z Switched to a new branch 'v5.0.88-docker'
2026-02-07T17:29:13Z Executing pre_build hook...
2026-02-07T17:29:14Z WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
2026-02-07T17:29:14Z Configure a credential helper to remove this warning. See
2026-02-07T17:29:14Z https://docs.docker.com/engine/reference/commandline/login/#credentials-store
2026-02-07T17:29:14Z
2026-02-07T17:29:14Z Login Succeeded
2026-02-07T17:29:14Z KernelVersion: 5.4.0-1068-aws
2026-02-07T17:29:14Z Components: [{u'Version': u'20.10.15', u'Name': u'Engine', u'Details': {u'KernelVersion': u'5.4.0-1068-aws', u'Os': u'linux', u'BuildTime': u'2022-05-05T13:17:24.000000000+00:00', u'ApiVersion': u'1.41', u'MinAPIVersion': u'1.12', u'GitCommit': u'4433bf6', u'Arch': u'amd64', u'Experimental': u'false', u'GoVersion': u'go1.17.9'}}, {u'Version': u'1.6.21', u'Name': u'containerd', u'Details': {u'GitCommit': u'3dce8eb055cbb6872793272b4f20ed16117344f8'}}, {u'Version': u'1.1.7', u'Name': u'runc', u'Details': {u'GitCommit': u'v1.1.7-0-g860f061'}}, {u'Version': u'0.19.0', u'Name': u'docker-init', u'Details': {u'GitCommit': u'de40ad0'}}]
2026-02-07T17:29:14Z Arch: amd64
2026-02-07T17:29:14Z BuildTime: 2022-05-05T13:17:24.000000000+00:00
2026-02-07T17:29:14Z ApiVersion: 1.41
2026-02-07T17:29:14Z Platform: {u'Name': u'Docker Engine - Community'}
2026-02-07T17:29:14Z Version: 20.10.15
2026-02-07T17:29:14Z MinAPIVersion: 1.12
2026-02-07T17:29:14Z GitCommit: 4433bf6
2026-02-07T17:29:14Z Os: linux
2026-02-07T17:29:14Z GoVersion: go1.17.9
2026-02-07T17:29:14Z Buildkit: Starting build for index.docker.io/globaleaks/globaleaks:latest...
2026-02-07T17:29:14Z #1 [internal] load .dockerignore
2026-02-07T17:29:14Z #1 transferring context: 2B done
2026-02-07T17:29:14Z #1 DONE 0.0s
2026-02-07T17:29:14Z
2026-02-07T17:29:14Z #2 [internal] load build definition from Dockerfile
2026-02-07T17:29:14Z #2 transferring dockerfile: 1.30kB done
2026-02-07T17:29:14Z #2 DONE 0.1s
2026-02-07T17:29:14Z
2026-02-07T17:29:14Z #3 [auth] debian-base:pull token for dhi.io
2026-02-07T17:29:14Z #3 DONE 0.0s
2026-02-07T17:29:14Z
2026-02-07T17:29:14Z #4 [internal] load metadata for dhi.io/debian-base:trixie-debian13@sha256:b00e3adeeac63e73ccb806b375d1b0b8bc765d75daf3dd7efc3bed15778f0a85
2026-02-07T17:29:15Z #4 DONE 1.2s
2026-02-07T17:29:15Z
2026-02-07T17:29:15Z #5 [internal] load build context
2026-02-07T17:29:15Z #5 DONE 0.0s
2026-02-07T17:29:15Z
2026-02-07T17:29:15Z #6 [1/5] FROM dhi.io/debian-base:trixie-debian13@sha256:b00e3adeeac63e73ccb806b375d1b0b8bc765d75daf3dd7efc3bed15778f0a85
2026-02-07T17:29:15Z #6 resolve dhi.io/debian-base:trixie-debian13@sha256:b00e3adeeac63e73ccb806b375d1b0b8bc765d75daf3dd7efc3bed15778f0a85 done
2026-02-07T17:29:16Z #6 sha256:b00e3adeeac63e73ccb806b375d1b0b8bc765d75daf3dd7efc3bed15778f0a85 2.63kB / 2.63kB done
2026-02-07T17:29:16Z #6 sha256:48ce6444ca51758717cdc7afc2991bdd7dc6ecf00c3de24442403a9563e2bf70 1.92kB / 1.92kB done
2026-02-07T17:29:16Z #6 sha256:063d1e58f288511cf8647bdce80adb66860aa03ac326b805752d27bee64e2ebf 181.02kB / 181.02kB 0.1s done
2026-02-07T17:29:16Z #6 sha256:53e176e144958880ef0b32fd1ac6c83dcb538a63694e4563b1aec2dd5b66a777 0B / 25.20MB 0.2s
2026-02-07T17:29:16Z #6 sha256:a1ee098fb1d7ddbcc441a40d450032fd4405db64990f72684e12a166201a18ff 438B / 438B 0.1s done
2026-02-07T17:29:16Z #6 extracting sha256:063d1e58f288511cf8647bdce80adb66860aa03ac326b805752d27bee64e2ebf
2026-02-07T17:29:16Z #6 sha256:9e69ff3a50ab2c98776b11f0fd184f4d0e853b766693ec94841e0e837f39e7a1 0B / 16.93kB 0.2s
2026-02-07T17:29:16Z #6 sha256:3c9e181a281d44425d9366aba4d22f51442b1bf3ddfe888d6b8e227d1b70441c 0B / 5.91kB 0.2s
2026-02-07T17:29:16Z #6 sha256:53e176e144958880ef0b32fd1ac6c83dcb538a63694e4563b1aec2dd5b66a777 4.19MB / 25.20MB 0.3s
2026-02-07T17:29:16Z #6 sha256:9e69ff3a50ab2c98776b11f0fd184f4d0e853b766693ec94841e0e837f39e7a1 16.93kB / 16.93kB 0.3s done
2026-02-07T17:29:16Z #6 sha256:53e176e144958880ef0b32fd1ac6c83dcb538a63694e4563b1aec2dd5b66a777 15.73MB / 25.20MB 0.4s
2026-02-07T17:29:16Z #6 sha256:3c9e181a281d44425d9366aba4d22f51442b1bf3ddfe888d6b8e227d1b70441c 5.91kB / 5.91kB 0.3s done
2026-02-07T17:29:16Z #6 ...
2026-02-07T17:29:16Z
2026-02-07T17:29:16Z #7 https://deb.globaleaks.org/install.sh
2026-02-07T17:29:16Z #7 DONE 0.6s
2026-02-07T17:29:16Z
2026-02-07T17:29:16Z #6 [1/5] FROM dhi.io/debian-base:trixie-debian13@sha256:b00e3adeeac63e73ccb806b375d1b0b8bc765d75daf3dd7efc3bed15778f0a85
2026-02-07T17:29:16Z #6 sha256:53e176e144958880ef0b32fd1ac6c83dcb538a63694e4563b1aec2dd5b66a777 17.83MB / 25.20MB 0.5s
2026-02-07T17:29:16Z #6 ...
2026-02-07T17:29:16Z
2026-02-07T17:29:16Z #7 https://deb.globaleaks.org/install.sh
2026-02-07T17:29:16Z #7 DONE 0.6s
2026-02-07T17:29:16Z
2026-02-07T17:29:16Z #5 [internal] load build context
2026-02-07T17:29:16Z #5 transferring context: 65B done
2026-02-07T17:29:16Z #5 DONE 0.1s
2026-02-07T17:29:16Z
2026-02-07T17:29:16Z #6 [1/5] FROM dhi.io/debian-base:trixie-debian13@sha256:b00e3adeeac63e73ccb806b375d1b0b8bc765d75daf3dd7efc3bed15778f0a85
2026-02-07T17:29:16Z #6 sha256:53e176e144958880ef0b32fd1ac6c83dcb538a63694e4563b1aec2dd5b66a777 25.20MB / 25.20MB 0.7s done
2026-02-07T17:29:16Z ------
2026-02-07T17:29:16Z > [1/5] FROM dhi.io/debian-base:trixie-debian13@sha256:b00e3adeeac63e73ccb806b375d1b0b8bc765d75daf3dd7efc3bed15778f0a85:
2026-02-07T17:29:16Z ------
2026-02-07T17:29:16Z ERROR: failed to solve: failed to register layer: Error processing tar file(exit status 1): archive/tar: invalid tar header
2026-02-07T17:29:16Z Build failed using Buildkit (1)Additional Context
No response
Pre-submission Checklist
- I have searched existing issues to ensure this bug hasn't been reported before
- I have provided all the requested information above
- I have tested this with the latest available version of the hardened image