No DCT signing for recently published images? #5874
Comments
|
Doh, this isn't great -- thanks for pinging us. The current process to my understanding is still what's discussed over in #1516, so I'll see if I can find some Docker Inc folks who can help us look into what's going on. ❤️ |
|
Thanks! 🙏 |
|
By the way... do you have suggestions about where else I could have filed this issue, to have it be seen by the correct set of Docker Inc folks directly, and avoid using this project as the middle-man? I'm pretty ignorant about the structure and relationships between all the docker-related groups/orgs/hierarchies 😅 |
|
This should be fixed very soon, sorry for delay. @davejhilton you can contact hub support, through the form on https://success.docker.com/support or you can email security@docker.com if its security related. |
|
@justincormack is this an ongoing issue or is this fixed now? For example the sentry image isn't signed getsentry/docker-sentry#173 can it be corrected now or what all is involved in fixing already published versions that were not signed? |
|
I was just able to pull signed versions of Rust 1.34 and 1.35. @rhuddleston It looks like the latest Sentry image is signed too. I can't speak for all images, but if you've been experiencing this it's probably worth trying again now. |
|
Awesome, thanks all (especially those on the Docker side who got this fixed 👍❤️)! |
|
This has been fixed. I believe most of the images that were not signed are all signed. Please let us know if there is still any image that is not signed. |
|
Awesome, thanks for confirming here @manishtomar! 👍 ❤️ |
|
@manishtomar Node is broken as of almost a month ago (See above linked issue)-- any chance this will be fixed soon? And any chance there's a way to get this process fixed internally so this doesn't happen again? |
|
All node images using buster as a base are not signed as of 2019-08-29 Edit: after more investigation, even more images are not signed. The latest stretch releases are also not signed. This wasn't apparent at first because |
|
20 days later. The node image still has no valid trust signature. What's going on? @manishtomar I've emailed security@docker.com but haven't received any updates after an initial "looking into it" message. @tianon perhaps you could ping some contacts to get this issue visibility? |
|
I too am having issues with node images not being singed Any change we can get these signed? |
I apologize in advance if this isn't the right place for this...
I'm seeing that a majority (if not all) of the "official images" have recently published tags that are not being signed.
For example, the
phpandgolangimages—which have always had new tags published as signed (to my knowledge) in the past—have recently stopped being signed when published.Digging a little further... I see that, in addition to the latest SIGNED
golang:1.12.1image, there is a also a more recently-published UNSIGNED version of the same tag as well:I admittedly don't know much about the docker image publishing process used here, or how new tags get signed... but did something change with those processes between March 15th and March 27th (when those two tags were published)?
I've observed this same pattern of a sudden drop-off in signed tags for the
php,golang,alpine,node,busybox, and several other of the official images I've checked, all potentially within that same time window.Was this the result of a known, intentional change to the publishing process for these official images? Or can it be expected that at some future point, DCT signed versions of these image tags will be published?
Thanks!
The text was updated successfully, but these errors were encountered: