Add signature to published images #2335
Replies: 4 comments
-
Hi @ivanvaccari I'm not familiar with this topic at all, it sounds interesting but rather complex, do you have some recommended reads about it (other than the Docker documentation)?
-
Somebody referenced this Github Action to me: https://github.com/sudo-bot/action-docker-sign
-
Hi, I'm not super familiar too since this is the first time also for me, but I got it quite easily using the docs: https://docs.docker.com/engine/security/trust/ Not entering details (they're written off in docs), but a quick example for a demo image I've signed:

```shell
# one time, if you don't already have it. Asks for passkeys, create new ones and do not lose them
docker trust key generate ivanvaccarimitech
# Add a signer to notary server (docker hub in this case)
docker trust signer add --key .\ivanvaccarimitech.pub ivanvaccarimitech "ivanvaccarimitech/helloworld"
# Effectively sign data
docker trust sign ivanvaccarimitech/helloworld:1.0.0
```

After this, the inspect command returns some data:
-
@ivanvaccari I've since played a bit with DCT. Signing a single arch image is really easy but signing a multi arch image is a nightmare. Unlike vanilla DockerHub library images are multiarch and signed but there is zero publicly available info on how they achieve this. Unless there is a positive evolution to docker/buildx#313, I don't see how we can realistically sign our multi arch images and regular tags. I don't think I'll give It might however be possible, like @SchoNie suggested, to sign single arch images and make them available on separate tags, like
-
I plan to use this image to serve some services on a bare metal server.
The customer however requires signature verification for the installed software, and this image does not provide one.
By running

```shell
docker trust inspect nginxproxy/nginx-proxy
```

the output is

```
no signatures or cannot access nginxproxy/nginx-proxy
```

With this discussion I'm requesting to sign the images published on registries. Signing images should not (hopefully) introduce errors since it is purely an extra security layer, and since users pulling the image now for sure don't check the signature, having it should not introduce problems.
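To go with the signing walkthrough above and the `docker trust inspect` check in the request, here is an added example (not code from this project or from any participant) of what a consumer does with the trust metadata: parse the JSON that `docker trust inspect` prints, require that the wanted tag is signed by a specific signer, and turn it into a digest-pinned reference to pull. The JSON samples are constructed by hand in the shape the command emits; the digest, key IDs, repository and signer name are placeholders.

```python
"""Verify a Docker Content Trust (DCT) signed tag and pin it to its digest.

Input is the JSON that `docker trust inspect <image>` prints (without
--pretty): a list with one entry per image reference.  The samples below are
constructed for this example; the digest and key IDs are placeholders.
"""
import json
import subprocess

# Constructed sample for a signed tag (not real output from any registry).
SIGNED_SAMPLE = json.dumps([{
    "Name": "docker.io/ivanvaccarimitech/helloworld:1.0.0",
    "SignedTags": [{
        "SignedTag": "1.0.0",
        "Digest": "0" * 64,  # placeholder sha256 hex digest
        "Signers": ["ivanvaccarimitech"],
    }],
    "Signers": [{"Name": "ivanvaccarimitech", "Keys": [{"ID": "placeholder-key-id"}]}],
    "AdministrativeKeys": [{"Name": "Root", "Keys": [{"ID": "placeholder-root-id"}]}],
}])

# For an unsigned repository `docker trust inspect` prints an empty list and
# reports "no signatures or cannot access ..." on stderr.
UNSIGNED_SAMPLE = "[]"


def signed_digest(inspect_output: str, tag: str, required_signer: str):
    """Return the sha256 hex digest for `tag` if the DCT metadata shows it
    signed by `required_signer`, otherwise None.  Only the requested tag and
    signer count: other signed tags in the repository do not qualify."""
    for entry in json.loads(inspect_output):
        for signed in entry.get("SignedTags", []):
            if signed["SignedTag"] == tag and required_signer in signed["Signers"]:
                return signed["Digest"]
    return None


def pinned_reference(repo: str, inspect_output: str, tag: str, required_signer: str):
    """Build the immutable repo@sha256:<digest> reference to pull, or raise."""
    digest = signed_digest(inspect_output, tag, required_signer)
    if digest is None:
        raise ValueError(f"{repo}:{tag} is not signed by {required_signer}")
    return f"{repo}@sha256:{digest}"


def inspect_image(image: str) -> str:
    """Run `docker trust inspect` for real and return its stdout ("[]" if unsigned)."""
    proc = subprocess.run(["docker", "trust", "inspect", image],
                          capture_output=True, text=True)
    return proc.stdout.strip() or "[]"


if __name__ == "__main__":
    print(pinned_reference("ivanvaccarimitech/helloworld", SIGNED_SAMPLE,
                           "1.0.0", "ivanvaccarimitech"))
```

Pulling the returned `repo@sha256:...` reference (or setting `DOCKER_CONTENT_TRUST=1` for the pull) means a later re-tag on the registry cannot silently swap the verified content.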