Skip to content
Latchkey

How to Build a Multi-Arch Image and Sign It in GitHub Actions

A multi-arch image without a signature is unverifiable; Cosign keyless signing binds it to the workflow that built it.

Build with docker/build-push-action for multiple platforms, then cosign sign the resulting digest keylessly via the OIDC token.

Steps

  • Set up QEMU and Buildx for multi-platform builds.
  • Build and push for linux/amd64,linux/arm64, capturing the digest.
  • Install Cosign and sign the digest keylessly.
  • Grant id-token: write so Cosign can fetch the OIDC token.

Workflow

.github/workflows/build-sign.yml
name: Build & Sign
on:
  push:
    branches: [main]
permissions:
  id-token: write
  packages: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
      - uses: sigstore/cosign-installer@v3
      - run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →