pull base images with content trust for binfmt, rngd, tini, toybox-media

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2026-04-05 02:57:06 +00:00 · 2017-04-26 14:06:25 -07:00
parent 664ebae2bd
commit 38ad84bfbd
6 changed files with 15 additions and 3 deletions
--- a/pkg/binfmt/Makefile
+++ b/pkg/binfmt/Makefile
@@ -2,6 +2,7 @@
 default: push

 IMAGE=binfmt
+BASE=alpine:edge
 SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
 DEPS=Dockerfile Makefile main.go $(wildcard etc/binmft.d/*)

@@ -14,7 +15,8 @@ hash: $(DEPS)

 tag: hash
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker build --no-cache -t $(IMAGE):build . && \
+		(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \
+		 docker build --no-cache -t $(IMAGE):build . && \
 		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))

 push: tag
--- a/pkg/init/Makefile
+++ b/pkg/init/Makefile
@@ -5,6 +5,7 @@ default: push

 $(START_STOP_DAEMON): start-stop-daemon.c
 	mkdir -p $(dir $@)
+	DOCKER_CONTENT_TRUST=1 docker pull $(C_COMPILE)
 	tar cf - $^ | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf -

 .PHONY: tag push
--- a/pkg/rngd/Makefile
+++ b/pkg/rngd/Makefile
@@ -2,6 +2,7 @@
 default: push

 IMAGE=rngd
+BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d
 SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
 DEPS=Dockerfile Makefile

@@ -9,8 +10,10 @@ hash: $(DEPS)
 	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash

 tag: hash
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker build --no-cache -t $(IMAGE):build . && \
+		(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \
+		 docker build --no-cache -t $(IMAGE):build . && \
 		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))

 push: tag