Thank you for pointing out this inconsistency and linking the two CLI issues. I have created a third CLI issue to make sure that this problem is captured in the balena-cli repository as well:
I agree that this is an issue that needs attention and a proper solution.
In terms of a workaround (in an attempt “to be helpful today”), would it be an option for you to include the image’s sha256 hash in the FROM line? I have recently answered another forum thread whether it was reported that FROM nginx:1.17.1-alpine was selecting the incorrect image architecture (amd64 instead of arm64v8), and a successful workaround was to include the sha256 hash for the correct architecture as follows:
FROM nginx:1.17.1-alpine@sha256:ba0713e56ea1d0ce7aad766529dda12c2e47e1fcb2b6ee0079ada8c575873c3a
See more details in the following comment, including how to find the sha256 hash in Docker Hub:
The obvious downside of this workaround is that including the sha256 hash makes it harder (extra work) to update the base image (it won’t update automatically), and makes it harder (impossible) to have a single Dockerfile that works with multiple architectures.
The proper/best solution is probably for the balena CLI to implement support for image manifests. I don’t have an ETA to share at the moment, but this is issue has high priority in the CLI project / repository. Thanks again for raising it.