Skip to content

dockerfile verify command fails when stage names are used in FROM #3880

New issue
New issue
Open
#3881
Open
dockerfile verify command fails when stage names are used in FROM#3880
#3881
Labels
bugSomething isn't working
@slmsbrhgn

Description

@slmsbrhgn
slmsbrhgn
opened on Sep 15, 2024

Description

When a Dockerfile contains a FROM statement using a stage name instead of image, dockerfile verify fails because cosign tries to pull the stage name as if it was an image.

For example, using this Dockerfile:

FROM cgr.dev/chainguard/static:latest AS base_image
# some customization here
FROM base_image
ENTRYPOINT "/executable"

running cosign dockerfile verify Dockerfile --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main ends with an error:

Extracted image(s): cgr.dev/chainguard/static:latest, base_image
(...)
Error: GET https://index.docker.io/v2/library/base_image/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/base_image Type:repository]]
main.go:69: error during command execution: GET https://index.docker.io/v2/library/base_image/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/base_image Type:repository]]

Commenting out FROM base_image in Dockerfile makes it work.

Version

GitVersion:    v2.4.0
GitCommit:     b5e7dc123a272080f4af4554054797296271e902
GitTreeState:  clean
BuildDate:     2024-08-06T21:39:53Z
GoVersion:     go1.22.5
Compiler:      gc
Platform:      linux/amd64

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions