From 9c06663b3ec15cc28d6a174b12720aabfc6a656a Mon Sep 17 00:00:00 2001
From: Davis Goodin <dagood@users.noreply.github.com>
Date: Tue, 26 May 2026 22:00:34 +0000
Subject: [PATCH 1/3] Add platform validation for multi-arch manifests in
 Post_Build stage

---
 eng/docker-tools/CHANGELOG.md                 |   8 +
 eng/docker-tools/DEV-GUIDE.md                 |   5 +-
 .../templates/jobs/post-build.yml             |   6 +
 .../templates/stages/build-and-test.yml       |   2 +
 .../stages/dotnet/build-and-test.yml          |   2 +
 .../stages/dotnet/build-test-publish-repo.yml |   2 +
 .../CreateManifestListCommandTests.cs         |  44 ++++
 .../ManifestListHelperTests.cs                |  73 ++++++
 .../Commands/CreateManifestListCommand.cs     |  14 +-
 .../Commands/CreateManifestListOptions.cs     |   8 +
 src/ImageBuilder/ManifestListHelper.cs        | 235 ++++++++++++++----
 11 files changed, 352 insertions(+), 47 deletions(-)

diff --git a/eng/docker-tools/CHANGELOG.md b/eng/docker-tools/CHANGELOG.md
index 99dbceb69..87598e9ed 100644
--- a/eng/docker-tools/CHANGELOG.md
+++ b/eng/docker-tools/CHANGELOG.md
@@ -4,6 +4,14 @@ All breaking changes and new features in `eng/docker-tools` will be documented i
 
 ---
 
+## 2026-05-26: Post_Build can validate manifest list platform completeness
+
+The build/test templates now accept `validateManifestListPlatforms` (boolean, default `false`). When enabled, Post_Build passes `--validate-manifest-list-platforms` to ImageBuilder's `createManifestList` command and fails if a generated multi-arch manifest tag would omit platforms expected by `manifest.json`.
+
+Enable this for normal official production builds where manifest tags should represent the full manifest-defined platform set. Leave it disabled for intentionally partial runs such as PR validation, filtered builds, platform bring-up, or temporary infrastructure recovery.
+
+---
+
 ## 2026-04-02: Extra Docker build options can be passed through ImageBuilder
 
 - Pull request: [#2063](https://github.com/dotnet/docker-tools/pull/2063)
diff --git a/eng/docker-tools/DEV-GUIDE.md b/eng/docker-tools/DEV-GUIDE.md
index 28ddc471b..dc59182dd 100644
--- a/eng/docker-tools/DEV-GUIDE.md
+++ b/eng/docker-tools/DEV-GUIDE.md
@@ -143,6 +143,7 @@ Build Stage
               ▼
           Post_Build Stage
             ├── Merge image info files
+            ├── Create multi-arch manifests
             └── Consolidate SBOMs
                     │
                     ▼
@@ -191,7 +192,9 @@ Common patterns:
 - `"publish"` - Publish only (when re-running a failed publish from a previous build)
 - `"build,test,sign,publish"` - Full pipeline
 
-**Note:** The `Post_Build` stage is implicitly included whenever `build` is in the stages list. You don't need to specify it separately—it automatically runs after Build to merge image info files and consolidate SBOMs.
+**Note:** The `Post_Build` stage is implicitly included whenever `build` is in the stages list. You don't need to specify it separately—it automatically runs after Build to merge image info files, create multi-arch manifests, and consolidate SBOMs.
+
+Set `validateManifestListPlatforms: true` on the build/test template to make Post_Build fail if any generated multi-arch manifest tag would omit platforms that are expected by `manifest.json`. This is recommended for normal official production builds, where `manifest.json` is the source of truth for the image platform surface. Leave it disabled for intentionally partial runs, such as PR validation, filtered builds, platform bring-up, or temporary infrastructure recovery where producing a partial manifest tag is expected.
 
 The stages variable is useful for:
 - Re-running just the publish stage after fixing a transient failure
diff --git a/eng/docker-tools/templates/jobs/post-build.yml b/eng/docker-tools/templates/jobs/post-build.yml
index 32b9c7999..30e6828f4 100644
--- a/eng/docker-tools/templates/jobs/post-build.yml
+++ b/eng/docker-tools/templates/jobs/post-build.yml
@@ -4,6 +4,7 @@ parameters:
   publicProjectName: null
   customInitSteps: []
   publishConfig: null
+  validateManifestListPlatforms: false
 
 jobs:
 - job: Build
@@ -14,6 +15,10 @@ jobs:
     imageInfosContainerDir: "$(artifactsPath)$(imageInfosSubDir)"
     imageInfosOutputSubDir: "/output"
     sbomOutputDir: "$(Build.ArtifactStagingDirectory)/sbom"
+    ${{ if eq(parameters.validateManifestListPlatforms, true) }}:
+      validateManifestListPlatformsArg: "--validate-manifest-list-platforms"
+    ${{ else }}:
+      validateManifestListPlatformsArg: ""
   steps:
   - template: /eng/docker-tools/templates/steps/init-common.yml@self
     parameters:
@@ -95,6 +100,7 @@ jobs:
           --architecture '*'
           --manifest '$(manifest)'
           --registry-override '${{ parameters.publishConfig.BuildRegistry.server }}'
+          $(validateManifestListPlatformsArg)
           $(manifestVariables)
   - template: /eng/docker-tools/templates/steps/publish-artifact.yml@self
     parameters:
diff --git a/eng/docker-tools/templates/stages/build-and-test.yml b/eng/docker-tools/templates/stages/build-and-test.yml
index d21e8de90..4cd8195be 100644
--- a/eng/docker-tools/templates/stages/build-and-test.yml
+++ b/eng/docker-tools/templates/stages/build-and-test.yml
@@ -24,6 +24,7 @@ parameters:
   linuxArmTestJobTimeout: 60
   windowsAmdTestJobTimeout: 60
   noCache: false
+  validateManifestListPlatforms: false
   publishConfig: null
 
   internalProjectName: null
@@ -221,6 +222,7 @@ stages:
       publicProjectName: ${{ parameters.publicProjectName }}
       customInitSteps: ${{ parameters.customInitSteps }}
       publishConfig: ${{ parameters.publishConfig }}
+      validateManifestListPlatforms: ${{ parameters.validateManifestListPlatforms }}
 
 ################################################################################
 # Sign Images
diff --git a/eng/docker-tools/templates/stages/dotnet/build-and-test.yml b/eng/docker-tools/templates/stages/dotnet/build-and-test.yml
index a9e8f05fd..aec2a8551 100644
--- a/eng/docker-tools/templates/stages/dotnet/build-and-test.yml
+++ b/eng/docker-tools/templates/stages/dotnet/build-and-test.yml
@@ -20,6 +20,7 @@ parameters:
 
   # Build parameters
   noCache: false
+  validateManifestListPlatforms: false
   publishConfig: null
   buildMatrixType: platformDependencyGraph
   buildMatrixCustomBuildLegGroupArgs: ""
@@ -46,6 +47,7 @@ stages:
 - template: /eng/docker-tools/templates/stages/build-and-test.yml@self
   parameters:
     noCache: ${{ parameters.noCache }}
+    validateManifestListPlatforms: ${{ parameters.validateManifestListPlatforms }}
     publishConfig: ${{ parameters.publishConfig }}
     internalProjectName: ${{ parameters.internalProjectName }}
     publicProjectName: ${{ parameters.publicProjectName }}
diff --git a/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml b/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml
index c590a5287..199afcbc5 100644
--- a/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml
+++ b/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml
@@ -12,6 +12,7 @@ parameters:
 
   # Build parameters
   noCache: false
+  validateManifestListPlatforms: false
   publishConfig: null
   buildMatrixType: platformDependencyGraph
   buildMatrixCustomBuildLegGroupArgs: ""
@@ -50,6 +51,7 @@ stages:
     customCopyBaseImagesInitSteps: ${{ parameters.customCopyBaseImagesInitSteps }}
     # Build
     noCache: ${{ parameters.noCache }}
+    validateManifestListPlatforms: ${{ parameters.validateManifestListPlatforms }}
     publishConfig: ${{ parameters.publishConfig }}
     buildMatrixType: ${{ parameters.buildMatrixType }}
     buildMatrixCustomBuildLegGroupArgs: ${{ parameters.buildMatrixCustomBuildLegGroupArgs }}
diff --git a/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs b/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
index 1504b57ef..c46f4f40f 100644
--- a/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
+++ b/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
@@ -297,6 +297,50 @@ public async Task ExecuteAsync_OnlyCreatesForBuiltPlatforms()
             false));
     }
 
+    /// <summary>
+    /// Verifies that platform validation fails before creating partial manifest lists when enabled.
+    /// </summary>
+    [Fact]
+    public async Task ExecuteAsync_ValidateManifestListPlatforms_MissingPlatformThrows()
+    {
+        Mock<IManifestService> manifestServiceMock = CreateManifestServiceMock();
+        Mock<IManifestServiceFactory> manifestServiceFactory = CreateManifestServiceFactoryMock(manifestServiceMock);
+        Mock<IDockerService> dockerServiceMock = new();
+
+        CreateManifestListCommand command = CreateCommand(
+            manifestServiceFactory, dockerServiceMock, Mock.Of<IDateTimeService>());
+        command.Options.ValidateManifestListPlatforms = true;
+
+        using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
+
+        string dockerfileAmd64 = CreateDockerfile("1.0/repo/linux-amd64", tempFolderContext);
+        string dockerfileArm64 = CreateDockerfile("1.0/repo/linux-arm64", tempFolderContext);
+
+        Manifest manifest = CreateManifest(
+            CreateRepo("repo",
+                CreateImage(
+                    ["sharedtag"],
+                    CreatePlatform(dockerfileAmd64, ["tag-amd64"]),
+                    CreatePlatform(dockerfileArm64, ["tag-arm64"], architecture: Architecture.ARM64))));
+
+        ImageArtifactDetails imageArtifactDetails = CreateImageArtifactDetails(
+            CreateRepoData("repo",
+                CreateImageData(
+                    ["sharedtag"],
+                    CreatePlatform(dockerfileAmd64, simpleTags: ["tag-amd64"]))));
+
+        SetupCommand(command, manifest, imageArtifactDetails, tempFolderContext);
+
+        InvalidOperationException exception = await Should.ThrowAsync<InvalidOperationException>(command.ExecuteAsync);
+
+        exception.Message.ShouldContain("repo:sharedtag");
+        exception.Message.ShouldContain("linux/arm64");
+        exception.Message.ShouldContain(dockerfileArm64);
+        dockerServiceMock.Verify(
+            o => o.CreateManifestList(It.IsAny<string>(), It.IsAny<IEnumerable<string>>(), It.IsAny<bool>()),
+            Times.Never);
+    }
+
     private static CreateManifestListCommand CreateCommand(
         Mock<IManifestServiceFactory> manifestServiceFactory,
         Mock<IDockerService> dockerServiceMock,
diff --git a/src/ImageBuilder.Tests/ManifestListHelperTests.cs b/src/ImageBuilder.Tests/ManifestListHelperTests.cs
index 6e8bd4593..b902d26e6 100644
--- a/src/ImageBuilder.Tests/ManifestListHelperTests.cs
+++ b/src/ImageBuilder.Tests/ManifestListHelperTests.cs
@@ -102,6 +102,79 @@ public void GetManifestListsForImages_OnlyIncludesBuiltPlatforms()
         results[0].PlatformTags.ShouldNotContain("repo:tag-windows");
     }
 
+    /// <summary>
+    /// Verifies that validation reports generated manifest lists that are missing expected platforms.
+    /// </summary>
+    [Fact]
+    public void GetManifestListPlatformValidationIssues_MissingPlatform()
+    {
+        using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
+
+        string dockerfileAmd64 = CreateDockerfile("1.0/repo/linux-amd64", tempFolderContext);
+        string dockerfileArm64 = CreateDockerfile("1.0/repo/linux-arm64", tempFolderContext);
+        string dockerfileWindows = CreateDockerfile("1.0/repo/windows", tempFolderContext);
+
+        Manifest manifest = CreateManifest(
+            CreateRepo("repo",
+                CreateImage(
+                    ["sharedtag"],
+                    CreatePlatform(dockerfileAmd64, ["tag-amd64"]),
+                    CreatePlatform(dockerfileArm64, ["tag-arm64"], architecture: Architecture.ARM64),
+                    CreatePlatform(dockerfileWindows, ["tag-windows"], os: OS.Windows, osVersion: "ltsc2022"))));
+
+        ImageArtifactDetails imageArtifactDetails = CreateImageArtifactDetails(
+            CreateRepoData("repo",
+                CreateImageData(
+                    ["sharedtag"],
+                    CreatePlatform(dockerfileAmd64, simpleTags: ["tag-amd64"]),
+                    CreatePlatform(dockerfileArm64, simpleTags: ["tag-arm64"], architecture: "arm64"))));
+
+        ManifestInfo manifestInfo = LoadManifest(manifest, tempFolderContext);
+        ImageArtifactDetails linkedImageInfo = LoadImageInfo(imageArtifactDetails, manifestInfo, tempFolderContext);
+
+        IReadOnlyList<ManifestListPlatformValidationIssue> issues =
+            ManifestListHelper.GetManifestListPlatformValidationIssues(
+                manifestInfo, linkedImageInfo, repoPrefix: null);
+
+        issues.Count.ShouldBe(1);
+        issues[0].ManifestListTag.ShouldBe("repo:sharedtag");
+        issues[0].MissingPlatforms.Count.ShouldBe(1);
+        issues[0].MissingPlatforms[0].ShouldContain("windows/amd64");
+        issues[0].MissingPlatforms[0].ShouldContain(dockerfileWindows);
+    }
+
+    /// <summary>
+    /// Verifies that validation succeeds when every generated manifest list has all expected platforms.
+    /// </summary>
+    [Fact]
+    public void ValidateManifestListPlatforms_AllPlatformsPresent()
+    {
+        using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
+
+        string dockerfileAmd64 = CreateDockerfile("1.0/repo/linux-amd64", tempFolderContext);
+        string dockerfileArm64 = CreateDockerfile("1.0/repo/linux-arm64", tempFolderContext);
+
+        Manifest manifest = CreateManifest(
+            CreateRepo("repo",
+                CreateImage(
+                    ["sharedtag"],
+                    CreatePlatform(dockerfileAmd64, ["tag-amd64"]),
+                    CreatePlatform(dockerfileArm64, ["tag-arm64"], architecture: Architecture.ARM64))));
+
+        ImageArtifactDetails imageArtifactDetails = CreateImageArtifactDetails(
+            CreateRepoData("repo",
+                CreateImageData(
+                    ["sharedtag"],
+                    CreatePlatform(dockerfileAmd64, simpleTags: ["tag-amd64"]),
+                    CreatePlatform(dockerfileArm64, simpleTags: ["tag-arm64"], architecture: "arm64"))));
+
+        ManifestInfo manifestInfo = LoadManifest(manifest, tempFolderContext);
+        ImageArtifactDetails linkedImageInfo = LoadImageInfo(imageArtifactDetails, manifestInfo, tempFolderContext);
+
+        Should.NotThrow(() => ManifestListHelper.ValidateManifestListPlatforms(
+            manifestInfo, linkedImageInfo, repoPrefix: null));
+    }
+
     /// <summary>
     /// Verifies that no manifest list is returned when an image has shared tags
     /// but no platforms exist in image-info.
diff --git a/src/ImageBuilder/Commands/CreateManifestListCommand.cs b/src/ImageBuilder/Commands/CreateManifestListCommand.cs
index 62825906a..8f85cf47e 100644
--- a/src/ImageBuilder/Commands/CreateManifestListCommand.cs
+++ b/src/ImageBuilder/Commands/CreateManifestListCommand.cs
@@ -57,14 +57,20 @@ public override async Task ExecuteAsync()
 
         ImageArtifactDetails imageArtifactDetails = ImageInfoHelper.LoadFromFile(Options.ImageInfoPath, Manifest);
 
+        IReadOnlyList<ManifestListInfo> manifestLists =
+            ManifestListHelper.GetManifestListsForImages(
+                Manifest, imageArtifactDetails, Options.RepoPrefix);
+
+        if (Options.ValidateManifestListPlatforms)
+        {
+            ManifestListHelper.ValidateManifestListPlatforms(
+                Manifest, imageArtifactDetails, Options.RepoPrefix);
+        }
+
         await _registryCredentialsProvider.ExecuteWithCredentialsAsync(
             Options.IsDryRun,
             async () =>
             {
-                IReadOnlyList<ManifestListInfo> manifestLists =
-                    ManifestListHelper.GetManifestListsForImages(
-                        Manifest, imageArtifactDetails, Options.RepoPrefix);
-
                 foreach (ManifestListInfo manifestListInfo in manifestLists)
                 {
                     _dockerService.CreateManifestList(manifestListInfo.Tag, manifestListInfo.PlatformTags, Options.IsDryRun);
diff --git a/src/ImageBuilder/Commands/CreateManifestListOptions.cs b/src/ImageBuilder/Commands/CreateManifestListOptions.cs
index d03d1cc8f..ee30b9685 100644
--- a/src/ImageBuilder/Commands/CreateManifestListOptions.cs
+++ b/src/ImageBuilder/Commands/CreateManifestListOptions.cs
@@ -13,17 +13,24 @@ public class CreateManifestListOptions : ManifestOptions, IFilterableOptions
     public ManifestFilterOptions FilterOptions { get; set; } = new ManifestFilterOptions();
     public RegistryCredentialsOptions CredentialsOptions { get; set; } = new RegistryCredentialsOptions();
     public string ImageInfoPath { get; set; } = string.Empty;
+    public bool ValidateManifestListPlatforms { get; set; }
 
     private static readonly Argument<string> ImageInfoPathArgument = new(nameof(ImageInfoPath))
     {
         Description = "Path to the image info file to read and update with manifest list digests"
     };
 
+    private static readonly Option<bool> ValidateManifestListPlatformsOption = new("--validate-manifest-list-platforms")
+    {
+        Description = "Validate that generated manifest list tags include every expected platform defined in the manifest"
+    };
+
     public override IEnumerable<Option> GetCliOptions() =>
     [
         ..base.GetCliOptions(),
         ..FilterOptions.GetCliOptions(),
         ..CredentialsOptions.GetCliOptions(),
+        ValidateManifestListPlatformsOption,
     ];
 
     public override IEnumerable<Argument> GetCliArguments() =>
@@ -40,5 +47,6 @@ public override void Bind(ParseResult result)
         FilterOptions.Bind(result);
         CredentialsOptions.Bind(result);
         ImageInfoPath = result.GetValue(ImageInfoPathArgument) ?? string.Empty;
+        ValidateManifestListPlatforms = result.GetValue(ValidateManifestListPlatformsOption);
     }
 }
diff --git a/src/ImageBuilder/ManifestListHelper.cs b/src/ImageBuilder/ManifestListHelper.cs
index 97ef8128b..91ff86ac5 100644
--- a/src/ImageBuilder/ManifestListHelper.cs
+++ b/src/ImageBuilder/ManifestListHelper.cs
@@ -18,6 +18,13 @@ namespace Microsoft.DotNet.ImageBuilder;
 /// <param name="PlatformTags">The fully-qualified platform image tags included in this manifest list.</param>
 public record ManifestListInfo(string Tag, IReadOnlyList<string> PlatformTags);
 
+/// <summary>
+/// Describes platforms that are expected by the manifest but missing from a generated manifest list.
+/// </summary>
+/// <param name="ManifestListTag">The fully-qualified manifest list tag.</param>
+/// <param name="MissingPlatforms">Descriptions of the expected platforms missing from the tag.</param>
+public record ManifestListPlatformValidationIssue(string ManifestListTag, IReadOnlyList<string> MissingPlatforms);
+
 /// <summary>
 /// Determines which Docker manifest lists should be created based on
 /// the manifest definition and which platforms were actually built.
@@ -35,7 +42,65 @@ public static IReadOnlyList<ManifestListInfo> GetManifestListsForImages(
         ImageArtifactDetails imageArtifactDetails,
         string? repoPrefix)
     {
-        IEnumerable<(RepoInfo Repo, ImageInfo Image)> imagesWithBuiltPlatforms = manifest.FilteredRepos
+        IEnumerable<(RepoInfo Repo, ImageInfo Image)> imagesWithBuiltPlatforms =
+            GetImagesWithBuiltPlatforms(manifest, imageArtifactDetails);
+
+        return imagesWithBuiltPlatforms
+            .SelectMany(pair => GetManifestListsForImage(pair.Repo, pair.Image, manifest, imageArtifactDetails, repoPrefix))
+            .ToList()
+            .AsReadOnly();
+    }
+
+    /// <summary>
+    /// Validates that each generated manifest list contains every platform expected by the manifest.
+    /// </summary>
+    /// <exception cref="InvalidOperationException">
+    /// Thrown when one or more generated manifest list tags would omit expected platforms.
+    /// </exception>
+    public static void ValidateManifestListPlatforms(
+        ManifestInfo manifest,
+        ImageArtifactDetails imageArtifactDetails,
+        string? repoPrefix)
+    {
+        IReadOnlyList<ManifestListPlatformValidationIssue> issues = GetManifestListPlatformValidationIssues(
+            manifest, imageArtifactDetails, repoPrefix);
+
+        if (issues.Count == 0)
+        {
+            return;
+        }
+
+        string details = string.Join(
+            Environment.NewLine,
+            issues.Select(issue =>
+                $"- {issue.ManifestListTag}: {string.Join(", ", issue.MissingPlatforms)}"));
+
+        throw new InvalidOperationException(
+            $"Generated manifest list tags are missing expected platforms defined in the manifest:{Environment.NewLine}{details}");
+    }
+
+    /// <summary>
+    /// Gets validation issues for generated manifest lists that would omit expected platforms.
+    /// </summary>
+    public static IReadOnlyList<ManifestListPlatformValidationIssue> GetManifestListPlatformValidationIssues(
+        ManifestInfo manifest,
+        ImageArtifactDetails imageArtifactDetails,
+        string? repoPrefix)
+    {
+        IEnumerable<(RepoInfo Repo, ImageInfo Image)> imagesWithBuiltPlatforms =
+            GetImagesWithBuiltPlatforms(manifest, imageArtifactDetails);
+
+        return imagesWithBuiltPlatforms
+            .SelectMany(pair => GetManifestListPlatformValidationIssuesForImage(
+                pair.Repo, pair.Image, manifest, imageArtifactDetails, repoPrefix))
+            .ToList()
+            .AsReadOnly();
+    }
+
+    private static IEnumerable<(RepoInfo Repo, ImageInfo Image)> GetImagesWithBuiltPlatforms(
+        ManifestInfo manifest,
+        ImageArtifactDetails imageArtifactDetails) =>
+        manifest.FilteredRepos
             .SelectMany(repo =>
                 repo.FilteredImages
                     .Where(image => image.SharedTags.Any())
@@ -45,12 +110,6 @@ public static IReadOnlyList<ManifestListInfo> GetManifestListsForImages(
                     .Select(image => (repo, image)))
             .ToList();
 
-        return imagesWithBuiltPlatforms
-            .SelectMany(pair => GetManifestListsForImage(pair.Repo, pair.Image, manifest, imageArtifactDetails, repoPrefix))
-            .ToList()
-            .AsReadOnly();
-    }
-
     private static IEnumerable<ManifestListInfo> GetManifestListsForImage(
         RepoInfo repo,
         ImageInfo image,
@@ -86,6 +145,39 @@ private static IEnumerable<ManifestListInfo> GetManifestListsForImage(
         return primaryManifestLists.Concat(syndicatedManifestLists);
     }
 
+    private static IEnumerable<ManifestListPlatformValidationIssue> GetManifestListPlatformValidationIssuesForImage(
+        RepoInfo repo,
+        ImageInfo image,
+        ManifestInfo manifest,
+        ImageArtifactDetails imageArtifactDetails,
+        string? repoPrefix)
+    {
+        IEnumerable<ManifestListPlatformValidationIssue> primaryManifestListIssues = GetManifestListPlatformValidationIssuesForTags(
+            repo, image, imageArtifactDetails,
+            image.SharedTags.Select(tag => tag.Name),
+            tag => DockerHelper.GetImageName(manifest.Registry, repoPrefix + repo.Name, tag),
+            platform => platform.Tags.First());
+
+        IEnumerable<IGrouping<string, TagInfo>> syndicatedTagGroups = image.SharedTags
+            .Where(tag => tag.SyndicatedRepo != null)
+            .GroupBy(tag => tag.SyndicatedRepo);
+
+        IEnumerable<ManifestListPlatformValidationIssue> syndicatedManifestListIssues = syndicatedTagGroups
+            .SelectMany(syndicatedTags =>
+            {
+                string syndicatedRepo = syndicatedTags.Key;
+                IEnumerable<string> destinationTags = syndicatedTags.SelectMany(tag => tag.SyndicatedDestinationTags);
+
+                return GetManifestListPlatformValidationIssuesForTags(
+                    repo, image, imageArtifactDetails,
+                    destinationTags,
+                    tag => DockerHelper.GetImageName(manifest.Registry, repoPrefix + syndicatedRepo, tag),
+                    platform => platform.Tags.FirstOrDefault(tag => tag.SyndicatedRepo == syndicatedRepo));
+            });
+
+        return primaryManifestListIssues.Concat(syndicatedManifestListIssues);
+    }
+
     private static IEnumerable<ManifestListInfo> GetManifestListsForTags(
         RepoInfo repo,
         ImageInfo image,
@@ -99,6 +191,20 @@ private static IEnumerable<ManifestListInfo> GetManifestListsForTags(
             .OfType<ManifestListInfo>();
     }
 
+    private static IEnumerable<ManifestListPlatformValidationIssue> GetManifestListPlatformValidationIssuesForTags(
+        RepoInfo repo,
+        ImageInfo image,
+        ImageArtifactDetails imageArtifactDetails,
+        IEnumerable<string> tags,
+        Func<string, string> getImageName,
+        Func<PlatformInfo, TagInfo?> getTagRepresentative)
+    {
+        return tags
+            .Select(tag => BuildManifestListPlatformValidationIssue(
+                repo, image, imageArtifactDetails, tag, getImageName, getTagRepresentative))
+            .OfType<ManifestListPlatformValidationIssue>();
+    }
+
     private static ManifestListInfo? BuildManifestListInfo(
         RepoInfo repo,
         ImageInfo image,
@@ -122,56 +228,101 @@ private static IEnumerable<ManifestListInfo> GetManifestListsForTags(
             }
 
             TagInfo? imageTag;
-            if (platform.Tags.Any())
+            imageTag = GetPlatformTagRepresentative(repo, image, platform, getTagRepresentative, throwIfMissing: true);
+
+            if (imageTag is not null)
             {
-                imageTag = getTagRepresentative(platform);
+                platformTags.Add(getImageName(imageTag.Name));
             }
-            else
+        }
+
+        if (platformTags.Count == 0)
+        {
+            return null;
+        }
+
+        return new ManifestListInfo(manifestListTag, platformTags.AsReadOnly());
+    }
+
+    private static ManifestListPlatformValidationIssue? BuildManifestListPlatformValidationIssue(
+        RepoInfo repo,
+        ImageInfo image,
+        ImageArtifactDetails imageArtifactDetails,
+        string tag,
+        Func<string, string> getImageName,
+        Func<PlatformInfo, TagInfo?> getTagRepresentative)
+    {
+        string manifestListTag = getImageName(tag);
+        List<string> missingPlatforms = [];
+        bool hasExpectedPlatform = false;
+
+        foreach (PlatformInfo platform in image.AllPlatforms)
+        {
+            TagInfo? imageTag = GetPlatformTagRepresentative(repo, image, platform, getTagRepresentative, throwIfMissing: false);
+            if (imageTag is null)
             {
-                // This platform has no tags of its own (it's a "tagless" platform included
-                // only via shared tags). To reference it in the manifest list, we need a tag.
-                // Search all images in the repo for a different platform that builds the same
-                // Dockerfile/OS/arch and does have tags, then borrow one of its tags.
-                (ImageInfo Image, PlatformInfo Platform)? matchingPlatform =
-                    repo.AllImages
-                    .SelectMany(candidateImage =>
-                        candidateImage.AllPlatforms
+                continue;
+            }
+
+            hasExpectedPlatform = true;
+
+            if (ImageInfoHelper.GetMatchingPlatformData(platform, repo, imageArtifactDetails) is null)
+            {
+                missingPlatforms.Add(GetPlatformDescription(platform));
+            }
+        }
+
+        if (!hasExpectedPlatform || missingPlatforms.Count == 0)
+        {
+            return null;
+        }
+
+        return new ManifestListPlatformValidationIssue(manifestListTag, missingPlatforms.AsReadOnly());
+    }
+
+    private static TagInfo? GetPlatformTagRepresentative(
+        RepoInfo repo,
+        ImageInfo image,
+        PlatformInfo platform,
+        Func<PlatformInfo, TagInfo?> getTagRepresentative,
+        bool throwIfMissing)
+    {
+        if (platform.Tags.Any())
+        {
+            return getTagRepresentative(platform);
+        }
+
+        // Tagless platforms included by shared tags need a matching concrete tag to reference in the manifest list.
+        (ImageInfo Image, PlatformInfo Platform)? matchingPlatform =
+            repo.AllImages
+                .SelectMany(candidateImage =>
+                    candidateImage.AllPlatforms
                         .Select(candidatePlatform => (Image: candidateImage, Platform: candidatePlatform))
                         .Where(candidate =>
-                            // Exclude the current platform itself
                             platform != candidate.Platform
-                            // Must be the same Dockerfile, OS, and architecture
                             && PlatformInfo.AreMatchingPlatforms(
-                                image1: candidateImage,
+                                image1: image,
                                 platform1: platform,
                                 image2: candidate.Image,
                                 platform2: candidate.Platform)
-                            // Must actually have tags we can borrow
-                            && candidate.Platform.Tags.Any()
-                        )
-                    )
-                    // Cast to nullable so FirstOrDefault returns null (not a default struct)
-                    // when no match is found, allowing the ?? to throw.
-                    .Cast<(ImageInfo Image, PlatformInfo Platform)?>()
-                    .FirstOrDefault()
-                        ?? throw new InvalidOperationException(
-                            $"Could not find a platform with concrete tags for"
-                            + $" '{platform.DockerfilePathRelativeToManifest}'.");
-
-                imageTag = getTagRepresentative(matchingPlatform.Value.Platform);
-            }
+                            && candidate.Platform.Tags.Any()))
+                .Cast<(ImageInfo Image, PlatformInfo Platform)?>()
+                .FirstOrDefault();
 
-            if (imageTag is not null)
-            {
-                platformTags.Add(getImageName(imageTag.Name));
-            }
+        if (matchingPlatform is not null)
+        {
+            return getTagRepresentative(matchingPlatform.Value.Platform);
         }
 
-        if (platformTags.Count == 0)
+        if (throwIfMissing)
         {
-            return null;
+            throw new InvalidOperationException(
+                $"Could not find a platform with concrete tags for '{platform.DockerfilePathRelativeToManifest}'.");
         }
 
-        return new ManifestListInfo(manifestListTag, platformTags.AsReadOnly());
+        return null;
     }
+
+    private static string GetPlatformDescription(PlatformInfo platform) =>
+        $"{platform.PlatformLabel} ({platform.DockerfilePathRelativeToManifest})";
 }

From f1d7e23abeb735f2eaaa1f5a51edb6e2517f3d0c Mon Sep 17 00:00:00 2001
From: Davis Goodin <dagood@microsoft.com>
Date: Wed, 27 May 2026 10:29:13 -0700
Subject: [PATCH 2/3] Change --validate-manifest-list-platforms to standard
 behavior

---
 eng/docker-tools/CHANGELOG.md                 |  6 +-
 eng/docker-tools/DEV-GUIDE.md                 |  4 +-
 .../templates/jobs/post-build.yml             |  6 --
 .../templates/stages/build-and-test.yml       |  2 -
 .../stages/dotnet/build-and-test.yml          |  2 -
 .../stages/dotnet/build-test-publish-repo.yml |  2 -
 .../CreateManifestListCommandTests.cs         | 60 +------------------
 .../Commands/CreateManifestListCommand.cs     |  7 +--
 .../Commands/CreateManifestListOptions.cs     |  8 ---
 9 files changed, 8 insertions(+), 89 deletions(-)

diff --git a/eng/docker-tools/CHANGELOG.md b/eng/docker-tools/CHANGELOG.md
index 87598e9ed..e275c5195 100644
--- a/eng/docker-tools/CHANGELOG.md
+++ b/eng/docker-tools/CHANGELOG.md
@@ -4,11 +4,11 @@ All breaking changes and new features in `eng/docker-tools` will be documented i
 
 ---
 
-## 2026-05-26: Post_Build can validate manifest list platform completeness
+## 2026-05-26: Post_Build validates manifest list platform completeness
 
-The build/test templates now accept `validateManifestListPlatforms` (boolean, default `false`). When enabled, Post_Build passes `--validate-manifest-list-platforms` to ImageBuilder's `createManifestList` command and fails if a generated multi-arch manifest tag would omit platforms expected by `manifest.json`.
+- Pull request: [#2126](https://github.com/dotnet/docker-tools/pull/2126)
 
-Enable this for normal official production builds where manifest tags should represent the full manifest-defined platform set. Leave it disabled for intentionally partial runs such as PR validation, filtered builds, platform bring-up, or temporary infrastructure recovery.
+The `Create Manifest Lists` step in the `Post_Build` stage now fails if a generated multi-arch manifest tag would omit platforms expected by `manifest.json`.
 
 ---
 
diff --git a/eng/docker-tools/DEV-GUIDE.md b/eng/docker-tools/DEV-GUIDE.md
index dc59182dd..035116fc4 100644
--- a/eng/docker-tools/DEV-GUIDE.md
+++ b/eng/docker-tools/DEV-GUIDE.md
@@ -192,9 +192,7 @@ Common patterns:
 - `"publish"` - Publish only (when re-running a failed publish from a previous build)
 - `"build,test,sign,publish"` - Full pipeline
 
-**Note:** The `Post_Build` stage is implicitly included whenever `build` is in the stages list. You don't need to specify it separately—it automatically runs after Build to merge image info files, create multi-arch manifests, and consolidate SBOMs.
-
-Set `validateManifestListPlatforms: true` on the build/test template to make Post_Build fail if any generated multi-arch manifest tag would omit platforms that are expected by `manifest.json`. This is recommended for normal official production builds, where `manifest.json` is the source of truth for the image platform surface. Leave it disabled for intentionally partial runs, such as PR validation, filtered builds, platform bring-up, or temporary infrastructure recovery where producing a partial manifest tag is expected.
+**Note:** The `Post_Build` stage is implicitly included whenever `build` is in the stages list. You don't need to specify it separately—it automatically runs after Build to merge image info files, create and validate multi-arch manifests, and consolidate SBOMs.
 
 The stages variable is useful for:
 - Re-running just the publish stage after fixing a transient failure
diff --git a/eng/docker-tools/templates/jobs/post-build.yml b/eng/docker-tools/templates/jobs/post-build.yml
index 30e6828f4..32b9c7999 100644
--- a/eng/docker-tools/templates/jobs/post-build.yml
+++ b/eng/docker-tools/templates/jobs/post-build.yml
@@ -4,7 +4,6 @@ parameters:
   publicProjectName: null
   customInitSteps: []
   publishConfig: null
-  validateManifestListPlatforms: false
 
 jobs:
 - job: Build
@@ -15,10 +14,6 @@ jobs:
     imageInfosContainerDir: "$(artifactsPath)$(imageInfosSubDir)"
     imageInfosOutputSubDir: "/output"
     sbomOutputDir: "$(Build.ArtifactStagingDirectory)/sbom"
-    ${{ if eq(parameters.validateManifestListPlatforms, true) }}:
-      validateManifestListPlatformsArg: "--validate-manifest-list-platforms"
-    ${{ else }}:
-      validateManifestListPlatformsArg: ""
   steps:
   - template: /eng/docker-tools/templates/steps/init-common.yml@self
     parameters:
@@ -100,7 +95,6 @@ jobs:
           --architecture '*'
           --manifest '$(manifest)'
           --registry-override '${{ parameters.publishConfig.BuildRegistry.server }}'
-          $(validateManifestListPlatformsArg)
           $(manifestVariables)
   - template: /eng/docker-tools/templates/steps/publish-artifact.yml@self
     parameters:
diff --git a/eng/docker-tools/templates/stages/build-and-test.yml b/eng/docker-tools/templates/stages/build-and-test.yml
index 4cd8195be..d21e8de90 100644
--- a/eng/docker-tools/templates/stages/build-and-test.yml
+++ b/eng/docker-tools/templates/stages/build-and-test.yml
@@ -24,7 +24,6 @@ parameters:
   linuxArmTestJobTimeout: 60
   windowsAmdTestJobTimeout: 60
   noCache: false
-  validateManifestListPlatforms: false
   publishConfig: null
 
   internalProjectName: null
@@ -222,7 +221,6 @@ stages:
       publicProjectName: ${{ parameters.publicProjectName }}
       customInitSteps: ${{ parameters.customInitSteps }}
       publishConfig: ${{ parameters.publishConfig }}
-      validateManifestListPlatforms: ${{ parameters.validateManifestListPlatforms }}
 
 ################################################################################
 # Sign Images
diff --git a/eng/docker-tools/templates/stages/dotnet/build-and-test.yml b/eng/docker-tools/templates/stages/dotnet/build-and-test.yml
index aec2a8551..a9e8f05fd 100644
--- a/eng/docker-tools/templates/stages/dotnet/build-and-test.yml
+++ b/eng/docker-tools/templates/stages/dotnet/build-and-test.yml
@@ -20,7 +20,6 @@ parameters:
 
   # Build parameters
   noCache: false
-  validateManifestListPlatforms: false
   publishConfig: null
   buildMatrixType: platformDependencyGraph
   buildMatrixCustomBuildLegGroupArgs: ""
@@ -47,7 +46,6 @@ stages:
 - template: /eng/docker-tools/templates/stages/build-and-test.yml@self
   parameters:
     noCache: ${{ parameters.noCache }}
-    validateManifestListPlatforms: ${{ parameters.validateManifestListPlatforms }}
     publishConfig: ${{ parameters.publishConfig }}
     internalProjectName: ${{ parameters.internalProjectName }}
     publicProjectName: ${{ parameters.publicProjectName }}
diff --git a/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml b/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml
index 199afcbc5..c590a5287 100644
--- a/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml
+++ b/eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml
@@ -12,7 +12,6 @@ parameters:
 
   # Build parameters
   noCache: false
-  validateManifestListPlatforms: false
   publishConfig: null
   buildMatrixType: platformDependencyGraph
   buildMatrixCustomBuildLegGroupArgs: ""
@@ -51,7 +50,6 @@ stages:
     customCopyBaseImagesInitSteps: ${{ parameters.customCopyBaseImagesInitSteps }}
     # Build
     noCache: ${{ parameters.noCache }}
-    validateManifestListPlatforms: ${{ parameters.validateManifestListPlatforms }}
     publishConfig: ${{ parameters.publishConfig }}
     buildMatrixType: ${{ parameters.buildMatrixType }}
     buildMatrixCustomBuildLegGroupArgs: ${{ parameters.buildMatrixCustomBuildLegGroupArgs }}
diff --git a/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs b/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
index c46f4f40f..4bf884ba8 100644
--- a/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
+++ b/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
@@ -243,65 +243,10 @@ public async Task ExecuteAsync_MissingImageInfoFile_LogsWarningAndReturns()
     }
 
     /// <summary>
-    /// Verifies that only platforms present in image-info are included in manifest lists,
-    /// testing the full command end-to-end.
+    /// Verifies that platform validation fails before creating partial manifest lists.
     /// </summary>
     [Fact]
-    public async Task ExecuteAsync_OnlyCreatesForBuiltPlatforms()
-    {
-        Mock<IManifestService> manifestServiceMock = CreateManifestServiceMock();
-        Mock<IManifestServiceFactory> manifestServiceFactory = CreateManifestServiceFactoryMock(manifestServiceMock);
-        manifestServiceMock
-            .Setup(o => o.GetManifestDigestShaAsync(It.IsAny<string>(), It.IsAny<bool>()))
-            .ReturnsAsync("digest1");
-
-        Mock<IDockerService> dockerServiceMock = new();
-
-        CreateManifestListCommand command = CreateCommand(
-            manifestServiceFactory, dockerServiceMock, Mock.Of<IDateTimeService>());
-
-        using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
-
-        string dockerfileAmd64 = CreateDockerfile("1.0/repo/linux-amd64", tempFolderContext);
-        string dockerfileArm64 = CreateDockerfile("1.0/repo/linux-arm64", tempFolderContext);
-        string dockerfileWindows = CreateDockerfile("1.0/repo/windows", tempFolderContext);
-
-        // Manifest defines 3 platforms
-        Manifest manifest = CreateManifest(
-            CreateRepo("repo",
-                CreateImage(
-                    ["sharedtag"],
-                    CreatePlatform(dockerfileAmd64, ["tag-amd64"]),
-                    CreatePlatform(dockerfileArm64, ["tag-arm64"], architecture: Architecture.ARM64),
-                    CreatePlatform(dockerfileWindows, ["tag-windows"], os: OS.Windows, osVersion: "ltsc2022"))));
-
-        // Only 2 platforms were built
-        ImageArtifactDetails imageArtifactDetails = CreateImageArtifactDetails(
-            CreateRepoData("repo",
-                CreateImageData(
-                    ["sharedtag"],
-                    CreatePlatform(dockerfileAmd64, simpleTags: ["tag-amd64"]),
-                    CreatePlatform(dockerfileArm64, simpleTags: ["tag-arm64"], architecture: "arm64"))));
-
-        SetupCommand(command, manifest, imageArtifactDetails, tempFolderContext);
-
-        await command.ExecuteAsync();
-
-        // Manifest list should only reference the 2 built platforms
-        dockerServiceMock.Verify(o => o.CreateManifestList(
-            "repo:sharedtag",
-            It.Is<IEnumerable<string>>(images =>
-                images.Contains("repo:tag-amd64") &&
-                images.Contains("repo:tag-arm64") &&
-                !images.Contains("repo:tag-windows")),
-            false));
-    }
-
-    /// <summary>
-    /// Verifies that platform validation fails before creating partial manifest lists when enabled.
-    /// </summary>
-    [Fact]
-    public async Task ExecuteAsync_ValidateManifestListPlatforms_MissingPlatformThrows()
+    public async Task ExecuteAsync_MissingPlatformThrows()
     {
         Mock<IManifestService> manifestServiceMock = CreateManifestServiceMock();
         Mock<IManifestServiceFactory> manifestServiceFactory = CreateManifestServiceFactoryMock(manifestServiceMock);
@@ -309,7 +254,6 @@ public async Task ExecuteAsync_ValidateManifestListPlatforms_MissingPlatformThro
 
         CreateManifestListCommand command = CreateCommand(
             manifestServiceFactory, dockerServiceMock, Mock.Of<IDateTimeService>());
-        command.Options.ValidateManifestListPlatforms = true;
 
         using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
 
diff --git a/src/ImageBuilder/Commands/CreateManifestListCommand.cs b/src/ImageBuilder/Commands/CreateManifestListCommand.cs
index 8f85cf47e..0657c1ce2 100644
--- a/src/ImageBuilder/Commands/CreateManifestListCommand.cs
+++ b/src/ImageBuilder/Commands/CreateManifestListCommand.cs
@@ -61,11 +61,8 @@ public override async Task ExecuteAsync()
             ManifestListHelper.GetManifestListsForImages(
                 Manifest, imageArtifactDetails, Options.RepoPrefix);
 
-        if (Options.ValidateManifestListPlatforms)
-        {
-            ManifestListHelper.ValidateManifestListPlatforms(
-                Manifest, imageArtifactDetails, Options.RepoPrefix);
-        }
+        ManifestListHelper.ValidateManifestListPlatforms(
+            Manifest, imageArtifactDetails, Options.RepoPrefix);
 
         await _registryCredentialsProvider.ExecuteWithCredentialsAsync(
             Options.IsDryRun,
diff --git a/src/ImageBuilder/Commands/CreateManifestListOptions.cs b/src/ImageBuilder/Commands/CreateManifestListOptions.cs
index ee30b9685..d03d1cc8f 100644
--- a/src/ImageBuilder/Commands/CreateManifestListOptions.cs
+++ b/src/ImageBuilder/Commands/CreateManifestListOptions.cs
@@ -13,24 +13,17 @@ public class CreateManifestListOptions : ManifestOptions, IFilterableOptions
     public ManifestFilterOptions FilterOptions { get; set; } = new ManifestFilterOptions();
     public RegistryCredentialsOptions CredentialsOptions { get; set; } = new RegistryCredentialsOptions();
     public string ImageInfoPath { get; set; } = string.Empty;
-    public bool ValidateManifestListPlatforms { get; set; }
 
     private static readonly Argument<string> ImageInfoPathArgument = new(nameof(ImageInfoPath))
     {
         Description = "Path to the image info file to read and update with manifest list digests"
     };
 
-    private static readonly Option<bool> ValidateManifestListPlatformsOption = new("--validate-manifest-list-platforms")
-    {
-        Description = "Validate that generated manifest list tags include every expected platform defined in the manifest"
-    };
-
     public override IEnumerable<Option> GetCliOptions() =>
     [
         ..base.GetCliOptions(),
         ..FilterOptions.GetCliOptions(),
         ..CredentialsOptions.GetCliOptions(),
-        ValidateManifestListPlatformsOption,
     ];
 
     public override IEnumerable<Argument> GetCliArguments() =>
@@ -47,6 +40,5 @@ public override void Bind(ParseResult result)
         FilterOptions.Bind(result);
         CredentialsOptions.Bind(result);
         ImageInfoPath = result.GetValue(ImageInfoPathArgument) ?? string.Empty;
-        ValidateManifestListPlatforms = result.GetValue(ValidateManifestListPlatformsOption);
     }
 }

From 1f3809bead83e99e2cf97d7e94a658f6b32319f1 Mon Sep 17 00:00:00 2001
From: Davis Goodin <dagood@users.noreply.github.com>
Date: Mon, 1 Jun 2026 22:13:34 +0000
Subject: [PATCH 3/3] Add createManifestList command test: detects missing
 platform

---
 .../CreateManifestListCommandTests.cs         | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs b/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
index 0164637b8..3fee0d7aa 100644
--- a/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
+++ b/src/ImageBuilder.Tests/CreateManifestListCommandTests.cs
@@ -496,6 +496,64 @@ public async Task ExecuteAsync_DoesNotPortImagesThatAreAbsentFromImageInfo()
             Times.Never);
     }
 
+    /// <summary>
+    /// Verifies that a missing manifest platform is reported when the old-build
+    /// import path has no platform to port forward.
+    /// </summary>
+    [Fact]
+    public async Task ExecuteAsync_ThrowsMissingPlatform_WhenNoOldBuildImportExists()
+    {
+        Mock<IManifestService> manifestServiceMock = new(MockBehavior.Strict);
+        Mock<IDockerService> dockerServiceMock = new();
+        Mock<ICopyImageService> copyImageServiceMock = new();
+
+        CreateManifestListCommand command = CreateCommand(
+            CreateManifestServiceFactoryMock(manifestServiceMock),
+            dockerServiceMock,
+            copyImageServiceMock,
+            Mock.Of<IDateTimeService>());
+
+        using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
+
+        string dockerfileAmd64 = CreateDockerfile("1.0/repo/linux-amd64", tempFolderContext);
+        string dockerfileArm64 = CreateDockerfile("1.0/repo/linux-arm64", tempFolderContext);
+
+        Manifest manifest = CreateManifest(
+            CreateRepo("repo",
+                CreateImage(
+                    ["sharedtag"],
+                    CreatePlatform(dockerfileAmd64, ["tag-amd64"]),
+                    CreatePlatform(dockerfileArm64, ["tag-arm64"], architecture: Architecture.ARM64))));
+
+        ImageArtifactDetails imageArtifactDetails = CreateImageArtifactDetails(
+            CreateRepoData("repo",
+                CreateImageData(
+                    CreatePlatform(dockerfileAmd64, simpleTags: ["tag-amd64"]))));
+
+        SetupCommand(command, manifest, imageArtifactDetails, tempFolderContext);
+
+        InvalidOperationException exception = await Should.ThrowAsync<InvalidOperationException>(
+            () => command.ExecuteAsync());
+
+        exception.Message.ShouldContain("Generated manifest list tags are missing expected platforms defined in the manifest");
+        exception.Message.ShouldContain("repo:sharedtag");
+        exception.Message.ShouldContain("linux/arm64");
+        exception.Message.ShouldContain(dockerfileArm64);
+
+        manifestServiceMock.Verify(
+            o => o.GetManifestAsync(It.IsAny<ImageName>(), It.IsAny<bool>()),
+            Times.Never);
+        copyImageServiceMock.Verify(o => o.ImportImageAsync(
+                It.IsAny<string[]>(), It.IsAny<string>(), It.IsAny<string>(),
+                It.IsAny<bool>(), It.IsAny<string>(),
+                It.IsAny<ContainerRegistryImportSourceCredentials>(),
+                It.IsAny<bool>()),
+            Times.Never);
+        dockerServiceMock.Verify(o => o.CreateManifestList(
+                It.IsAny<string>(), It.IsAny<IEnumerable<string>>(), It.IsAny<bool>()),
+            Times.Never);
+    }
+
     /// <summary>
     /// Verifies that when a manifest-declared platform is missing from image-info AND
     /// the source registry returns 404 for its tag (e.g. a misconfigured <c>--path</c>