Docker Content Trust Data Missing for 1.16 Release and 1.15 Updates

[wind0r]

Hello,

I maybe missed some news and could not find a similar topic, so i am creating this issue.

did golang images stopped getting signed?

I noticed this because our CI was using outdated 1.15 images and 1.16 builds fail because of missing trust data

Pulling 1.15 with Content Trust enabled

> docker pull golang:1.15
Pull (1 of 1): golang:1.15@sha256:68d8b4d7ec2847a6886fa31323bfc166e6850ce4927939c12c0f536153d28394
sha256:68d8b4d7ec2847a6886fa31323bfc166e6850ce4927939c12c0f536153d28394: Pulling from library/golang
Digest: sha256:68d8b4d7ec2847a6886fa31323bfc166e6850ce4927939c12c0f536153d28394
Status: Image is up to date for golang@sha256:68d8b4d7ec2847a6886fa31323bfc166e6850ce4927939c12c0f536153d28394
Tagging golang@sha256:68d8b4d7ec2847a6886fa31323bfc166e6850ce4927939c12c0f536153d28394 as golang:1.15
docker.io/library/golang:1.15

Pulling 1.15 with Content Trust disabled

> docker pull --disable-content-trust golang:1.15
1.15: Pulling from library/golang
Digest: sha256:689e121cba70452d374b53f64669f8c6ae68cfa4b3c5c20e518f21ce4de350be
Status: Image is up to date for golang:1.15
docker.io/library/golang:1.15

Pulling 1.16 with Content Trust enabled

> docker pull golang:1.16
No valid trust data for 1.16

Pulling 1.16 with Content Trust disabled

>  docker pull --disable-content-trust golang:1.16
1.16: Pulling from library/golang
Digest: sha256:29b63705e5851b1f95862c5a26396f981e907c763e113bf470682759c9d9a702
Status: Downloaded newer image for golang:1.16
docker.io/library/golang:1.16

[wglambert]

We don't have any control over or involvement in the signing process of the images we publish
docker-library/official-images#6838

[KEINOS]

As of 2021/08/04 this issue still happens.

$ date -R
Wed, 04 Aug 2021 18:30:55 +0900
$ docker --version
Docker version 20.10.7, build f0df350

$ # Without DCT
$ docker system prune -af && \
    docker pull golang:alpine && \
    docker run --rm golang:alpine go version
...
go version go1.16.6 linux/amd64

$ # With DCT
$ docker system prune -af && \
    DOCKER_CONTENT_TRUST=1 docker pull golang:alpine && \
    docker run --rm golang:alpine go version
...
go version go1.15.6 linux/amd64

We don't have any control over or involvement in the signing process of the images we publish
docker-library/official-images#6838

I have been passed around the issues and still don't get where to issue this problem.

As far as I understood;

1. The only authority who can sign the published "official image" in Docker Hub as DOCKER_CONTENT_TRUST (a.k.a. DCT) is the Docker Inc Team.
2. Thus, no community member even the docker-library/official-images repo, nor the upstream Go team can sign their "official image" on Docker Hub.
3. But the Docker Team has been kind of capricious to review the built image these days.
4. This has happened since 2016 but the Docker Team refuses (ignores?) to hand it over the process to the community for authorization.

Tl; dr, it seems to me to be rather DOCKER_TRUSTED_CONTENT than DOCKER_CONTENT_TRUST.

[tianon]

Closing in favor of the more specific docker-library/official-images#6838 central issue.