## Summary From https://gitlab.com/gitlab-org/gitlab/-/issues/348736 Provide collated release information about the SHA2 of all images from the final images of a release tag into a document that can be used to verify when mirroring to on-premise. ## Details > Customers are requesting if GitLab can provide a verifiable document giving the SHA256 sum of the published image tags so they could verify, and then push to internal registry. We already have the information they're requesting, we simply need to collect it, and place it to a location / document that can easily be used to reference and verify said content. See [v14.5.2-ee pipeline](https://dev.gitlab.org/gitlab/charts/components/images/-/commit/98bbc366c88571bb4e50c0f70a41d2ea211b0cef/pipelines?ref=v14.5.2-ee) of the CNG. The [sync-images](https://dev.gitlab.org/gitlab/charts/components/images/-/jobs/11470299) Job is used to mirror the final images from dev to .com. We also have the [final-images-listing](https://dev.gitlab.org/gitlab/charts/components/images/-/jobs/11470200) logic, which provide a reasonable method for extending this to a full listing of `IMAGE:TAG@DIGEST`. This is already output as a part of our `docker push`, and is simple to collect with other artifact content. See [gitlab-webservice-ee's log, line 157](https://dev.gitlab.org/gitlab/charts/components/images/-/jobs/11470298#L527): `v14.5.2: digest: sha256:13ef328abce88b57c9642694b54178a8f8d9ddda91499a518cd08059aec5b506 size: 3047` ## Acceptance Criteria - [ ] All Final images collect the SHA at the end of their respective **job** - [ ] A document is collected which contains all final images, their tag, and the SHA256 digest - [ ] The above document is posted to the public Release evidences [here](https://gitlab.com/gitlab-org/build/CNG/-/releases) cc @chloe @dorrino