I have a rather simple repo hosted on GitHub that I’m building an image for via Docker Hub automated builds, and being hosted in the Docker Hub registry. I’ve been trying to figure out how to enable provenance attestation for that image, but it doesn’t seem to be working. I’ve tried adding a hooks/build file and adding the --attest type=provenance,mode=max option to buildx, but the build failed with an error:
ERROR: attestations are not supported by the current buildkitd
Is there any way to enable build attestation via Docker Hub automated builds? It seems really odd that Docker’s infrastructure doesn’t support this build; if I did my builds on GitHub, it would support the latest Docker features. Is there some way to opt in to a later version of buildkitd that does support attestations?
For some reason, Docker Hub uses an older version of Docker and the default builder doesn’t support attestations, but you can still use it. The documentation mentions the solution, although it was not obvious that it was the solution for this issue as well, so I tried.
To make sure the attestations are preserved, you can:
Use a docker-container driver with the --push flag to push the image to a registry directly.
It doesn’t mention (at least on this page) how that “docker-container” driver can be used, but when I used Docker Hub’s autobuild feature for multiarch images I used the following command to create the builder:
docker buildx create --name multiarch --use
The name is not important; I just followed a guide when I chose it. The point is that it will create a new builder which is basically a container that supports emulation so it can build multiarch images. And that same container-based builder is what you need for attestations. To make it more obvious in your pipeline, I would use this command:
I also tried this one, so it should work for you too. This creates and automatically switches to the container-based builder. I used the driver option just to make it visible in the command, but that would be the default driver too. Run it before your docker buildx build command.
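The answer's steps put together as a Docker Hub hooks/build script, added here as an example that is not from the thread or from Docker: it creates the docker-container builder, builds with provenance attestation and --push, then inspects the pushed image to confirm the provenance survived. The builder name and the helper function names are my own choices; IMAGE_NAME and DOCKERFILE_PATH are the variables Docker Hub exports to build hooks.

```shell
#!/bin/sh
# hooks/build for a Docker Hub automated build (assumed layout). Commands are
# composed as strings first so the script can be checked without a daemon.
set -eu

BUILDER_NAME="attest-builder"   # arbitrary name; the driver is what matters

# The container-based builder that supports attestations (the answer's point).
builder_create_cmd() {
    printf '%s' "docker buildx create --name ${BUILDER_NAME} --driver docker-container --use"
}

# Build with max-mode provenance and push straight from the builder, so the
# attestation manifest reaches the registry instead of being dropped on the
# way through the local image store.
build_cmd() {
    image="$1"
    dockerfile="${2:-Dockerfile}"
    printf '%s' "docker buildx build --attest type=provenance,mode=max --push -f ${dockerfile} -t ${image} ."
}

# Post-push check: Provenance prints empty/null when attestations were lost.
verify_cmd() {
    printf '%s' "docker buildx imagetools inspect $1 --format '{{ json .Provenance }}'"
}

run_hook() {
    # Reuse the builder on repeated runs instead of failing on "already exists".
    if docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then
        docker buildx use "${BUILDER_NAME}"
    else
        sh -c "$(builder_create_cmd)"
    fi
    sh -c "$(build_cmd "${IMAGE_NAME}" "${DOCKERFILE_PATH:-Dockerfile}")"
    sh -c "$(verify_cmd "${IMAGE_NAME}")"
}

# Only execute when Docker Hub's hook environment is present.
if [ -n "${IMAGE_NAME:-}" ]; then
    run_hook
fi
```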
This is exactly what I needed, thank you. I already switched to building on GitHub and pushing my image to Docker Hub, but next time I’ll keep this in mind. Why Docker Hub doesn’t create a docker-container instance by default I don’t know.