Skip to content

Build and Sign Images

With the Help of a custom Buildkit, you can build your Docker images directly from GOSH, and sign them so they can be verified by the GOSH docker extension.

Instead of a dockerfile, this Buildkit uses a special goshfile to ensure code is taken from GOSH.

How to build from GOSH

1. Setup environment variables with your wallet

export WALLET=...
export WALLET_PUBLIC=...
export WALLET_SECRET=...

You received these when creating your account in GOSH Web or Docker Extension.

2. Create goshfile.yaml (this specification is a work in progress and subject to change)

# syntax=teamgosh/goshfile

apiVersion: 1
image: bash:latest
  - name: print date
      command: ["/usr/local/bin/bash"]
        - -c
        - >-
          (date +'%s %H:%M:%S %Z'; echo "Hi there") | tee /message.txt

3. Now to build an image


docker buildx build \
    --push \
    -f goshfile.yaml \
    -t "$TARGET_IMAGE" \

## OR more complicated way via buildctl directly
# # run buildkitd containered
# docker run -d --name buildkitd --privileged moby/buildkit:latest
# # build image
# buildctl --addr=docker-container://buildkitd build \
#         --frontend gateway.v0 \
#         --local dockerfile=. \
#         --local context=. \
#         --opt source=teamgosh/goshfile \
#         --opt filename=goshfile.yaml \
#         --opt wallet_public="$WALLET_PUBLIC" \
#         --output type=image,name="$TARGET_IMAGE",push=true

Here we parameterize the image build process with our wallet credentials.

4. Sign the image (WIP: will be part of build image process)

docker pull $TARGET_IMAGE # buildkit push image directly to the registry and it doesn't persist locally

# my-target-super-image's sha256
TARGET_IMAGE_SHA=`docker inspect --format='{{index (split (index .RepoDigests 0) "@") 1}}' $TARGET_IMAGE`

docker run --rm teamgosh/sign-cli sign \
    -n <blockchain_network e.g.> \
    -g $WALLET \
    $WALLET_SECRET \  # signer secret can be different

Now you have signed the image.

You can check the image signature with your public key

# or IMAGE_NAME="my_repo:5000/library/my-target-super-image:latest@sha256:..."

WALLET_PUBLIC=$(docker inspect --format='{{.Config.Labels.WALLET_PUBLIC}}' $TARGET_IMAGE)

TARGET_IMAGE_SHA=$(docker inspect --format='{{index (split (index .RepoDigests 0) "@") 1}}' $TARGET_IMAGE)

docker run --rm teamgosh/sign-cli check \
    -n <blockchain_network e.g.> \

NOTE: Anyone who has the image can validate it. The image has label WALLET_PUBLIC and image's sha256 also publicly available.

Additionally, signer tool can deploy a proof contract to GOSH blockchain that will be publicly available to all wanting to verify the image they pull from dockerhub.


Publisher example