Description
Problem
Container image signing is implemented in the pipeline's Sign stage, which runs after the Post_Build stage. However, manifest lists (multi-arch image indexes) are not created until the Publish stage - which runs after the Sign stage. This means manifest lists are never signed.
The signing infrastructure already supports manifest lists - SignImagesCommand signs all digests returned by GetAllDigests(), which includes manifest list digests when they exist in image-info.json. The problem is that at sign time, manifest list digests have not been populated yet because the publishManifest command hasn't run.
Current Pipeline Flow
- Build - creates platform images, produces per-job image-info fragments
- Post_Build - merges image-info fragments into a single file
- Sign - signs all digests in image-info (platform images only - no manifest list digests exist yet)
- Test - tests images
- Publish - copies images, creates manifest lists here (too late to sign)
Proposed Solution
Move manifest list creation from the Publish stage to the Post_Build stage so that manifest list digests exist in image-info.json before the Sign stage runs. See #2002 for details.
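To make the ordering defect concrete, the following is an added example (not code from the pipeline or repository this issue describes). It models image-info.json as a constructed document whose layout (repos -> images -> platforms[].digest and images[].manifest.digest) is an assumption for illustration, collects every digest the way a GetAllDigests-style helper would, and then acts as a pre-publish gate: any digest that Publish would push without having been covered by the Sign stage fails the check. Run against the current stage order it reports the manifest list digest as unsigned; with manifest creation moved before signing it reports nothing.

```python
"""Pre-publish gate: every digest about to be published must have been signed.

Added example, not code from the project this issue concerns. The image-info
layout used here is an assumption made for illustration.
"""
import json

# Constructed sample values (not real image digests).
AMD64_DIGEST = "sha256:" + "a" * 64
ARM64_DIGEST = "sha256:" + "b" * 64
MANIFEST_DIGEST = "sha256:" + "c" * 64


def build_image_info(manifest_digest):
    """Return a constructed image-info.json document. An empty manifest digest
    models the state after Post_Build in the current pipeline, where the
    manifest list has not been created yet."""
    return json.dumps({
        "repos": [{
            "repo": "example/runtime",
            "images": [{
                "platforms": [
                    {"architecture": "amd64", "digest": AMD64_DIGEST},
                    {"architecture": "arm64", "digest": ARM64_DIGEST},
                ],
                "manifest": {"digest": manifest_digest},
            }],
        }],
    })


# State of image-info at Sign time under the current stage order.
IMAGE_INFO_AT_SIGN_CURRENT = build_image_info("")
# State of image-info once manifest lists exist (at Publish time today, or at
# Sign time under the proposed order).
IMAGE_INFO_WITH_MANIFEST = build_image_info(MANIFEST_DIGEST)


def get_all_digests(image_info_json):
    """Collect platform digests and manifest-list digests that are populated."""
    info = json.loads(image_info_json)
    digests = set()
    for repo in info.get("repos", []):
        for image in repo.get("images", []):
            for platform in image.get("platforms", []):
                if platform.get("digest"):
                    digests.add(platform["digest"])
            manifest_digest = (image.get("manifest") or {}).get("digest")
            if manifest_digest:  # skipped while the manifest list does not exist
                digests.add(manifest_digest)
    return digests


def sign_digests(digests):
    """Stand-in for the Sign stage: record which digests were attested.
    A real Sign stage produces signatures; only coverage matters here."""
    return set(digests)


def unsigned_digests(publish_image_info_json, signed):
    """Digests Publish would push that the Sign stage never covered.
    A non-empty result should fail the pipeline before any push happens."""
    return get_all_digests(publish_image_info_json) - signed


def check_current_order():
    """Sign runs on image-info without manifest digests; Publish adds them."""
    signed = sign_digests(get_all_digests(IMAGE_INFO_AT_SIGN_CURRENT))
    return unsigned_digests(IMAGE_INFO_WITH_MANIFEST, signed)


def check_proposed_order():
    """Manifest lists are created in Post_Build, so Sign sees their digests."""
    signed = sign_digests(get_all_digests(IMAGE_INFO_WITH_MANIFEST))
    return unsigned_digests(IMAGE_INFO_WITH_MANIFEST, signed)


if __name__ == "__main__":
    print("current order, unsigned at publish:", sorted(check_current_order()))
    print("proposed order, unsigned at publish:", sorted(check_proposed_order()))
```

The gate is worth keeping even after the stage order is fixed: it turns "manifest lists are never signed" from a silent gap into a failed pipeline run, and it catches any future digest source that gets added to image-info after signing.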