Use image digest from build output for signing images
The following discussion from !1481 (merged) should be addressed:
@marshall007 started a discussion: (+1 comment) @balasankarc @WarheadsSE we cannot fetch the image digest in the signing step. In order to ensure the image tag was not modified between the build/push and sign operations, we need to get it from the build output directly. There are two ways to do this:
- write the image to a tarball locally and extract the digest before pushing tags
- pass `--iidfile` to the build command and extract the digest from the resulting file
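
An added example (not code from the merge request or the project's pipeline) of the second option: validate the file written by `--iidfile` and build a digest-pinned reference for the signing step, so signing never resolves a mutable tag. The function names, registry host and digest value are constructed; it assumes the builder writes the digest of the pushed image to that file, which should be confirmed against the push output for the builder in use.

```shell
#!/bin/sh
# Added example: hand the signing step a digest-pinned reference taken from
# the build output instead of re-resolving a tag that may have moved.

# read_digest FILE: print "sha256:<64 lowercase hex>" or fail loudly.
read_digest() {
    [ -s "$1" ] || { echo "iidfile missing or empty: $1" >&2; return 1; }
    digest=$(tr -d '[:space:]' < "$1")
    hex=${digest#sha256:}
    # The prefix must be present and the hex part exactly 64 characters.
    [ "$hex" != "$digest" ] && [ "${#hex}" -eq 64 ] || {
        echo "malformed digest in $1" >&2; return 1; }
    case "$hex" in
        *[!0-9a-f]*) echo "malformed digest in $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$digest"
}

# pin_ref IMAGE DIGEST: drop any tag or digest from IMAGE, append @DIGEST.
pin_ref() {
    image=${1%%@*}      # remove an existing @digest suffix
    last=${image##*/}   # only the final path component can carry a tag,
    case "$last" in     # so a registry port such as :5000 is left alone
        *:*) image=${image%:*} ;;
    esac
    printf '%s@%s\n' "$image" "$2"
}

# Constructed demo. In CI the file would come from the build command run
# with `--iidfile "$iid"`; here it is filled with a placeholder digest.
iid=$(mktemp)
printf 'sha256:%064d\n' 0 > "$iid"
pinned=$(pin_ref "registry.example.com:5000/group/app:v1.2.3" \
                 "$(read_digest "$iid")")
echo "reference to sign: $pinned"
rm -f "$iid"
```

Failing the job when `read_digest` returns non-zero keeps a missing or truncated file from silently falling back to signing by tag.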