Description
We rely on having trusted, signed builds of Python images. However, it seems that some tags are not signed at all which is causing issues. Please note the following:
❯ docker trust inspect python:3.9 | jq '.[0].SignedTags'
[
  {
    "SignedTag": "3.9",
    "Digest": "797aee34488c660ebaf5b88e622fdd458e65bb3c2500d48f9fbb3711e8688a1e",
    "Signers": [
      "Repo Admin"
    ]
  }
]
❯ docker trust inspect python:3.9.9 | jq '.[0].SignedTags'
[]
❯ docker trust inspect python:3.10 | jq '.[0].SignedTags'
[]
In addition, I have executed the following script (zsh) to see which tags were signed and which were not.
#!/usr/bin/zsh
URL="https://registry.hub.docker.com/v2/repositories/library/python/tags/?page=1"

# Strip one leading and one trailing double quote (jq prints strings quoted).
stripquotes() {
  str=$1
  str=${str#\"}
  echo ${str%\"}
}

check_tag() {
  # Remove any unnecessary quotes from beginning and end.
  tag=$(stripquotes $1)
  echo -n "Checking tag ${tag##\"}... "
  # Check the trust status of the tag: jq emits the repository name only
  # when the tag has no entry in SignedTags.
  result=$(docker trust inspect python:${tag#\"} | jq "select(.[0].SignedTags[0].SignedTag == null) | .[0].Name" | tr -d '"')
  if [[ -z $result ]] {
    echo "signed."
  } else {
    # If tag is not signed, save it to a file.
    echo $result >>unsigned_tags.txt
    echo "not signed."
  }
}

fetch_page() {
  # Print progress.
  echo -n "Fetching page #"
  echo $URL | sed -n -e 's/^.*page=//p'
  # Get current page.
  page=$(curl -sS $URL)
  # Save the tag names as an array (one element per output line).
  arr=(${(f)"$(echo $page | jq '.results[].name')"})
  for tag in $arr; do
    check_tag $tag
  done
  # Get the URL of the next page; empty when there is none.
  URL=$(stripquotes $(echo $page | jq '.next // ""'))
}

while [[ -n $URL ]] {
  fetch_page
}
The script lists all tags for the python library; for each tag it executes docker trust inspect python:<tag> and checks whether that tag is signed. If it is not, it outputs the name of the tag. If I'm not mistaken, there are 1714 tags, out of which 449 are not signed. Below you will find the shortened output of the command. The full list (tags only, without unnecessary text) is available here, or you could generate it yourself with the script above. Could someone please have a look at the tags and perhaps sign them (or at least the most recent ones, like 3.10 and bullseye)?
Thanks in advance.
Fetching page #1
Checking tag latest... signed.
Checking tag buster... signed.
Checking tag bullseye... not signed.
Checking tag 3.9.9-buster... not signed.
Checking tag 3.9.9-bullseye... not signed.
Checking tag 3.9.9... not signed.
Checking tag 3.9-buster... signed.
Checking tag 3.9-bullseye... not signed.
Checking tag 3.9... signed.
Checking tag 3.8.12-buster... not signed.
Fetching page #2
Checking tag 3.8.12-bullseye... not signed.
Checking tag 3.8.12... not signed.
Checking tag 3.8-buster... signed.
Checking tag 3.8-bullseye... not signed.
Checking tag 3.8... signed.
Checking tag 3.7.12-buster... not signed.
Checking tag 3.7.12-bullseye... not signed.
Checking tag 3.7.12... not signed.
Checking tag 3.7-buster... signed.
Checking tag 3.7-bullseye... not signed.
Fetching page #3
Checking tag 3.7... signed.
Checking tag 3.6.15-buster... not signed.
Checking tag 3.6.15-bullseye... not signed.
Checking tag 3.6.15... not signed.
Checking tag 3.6-buster... signed.
Checking tag 3.6-bullseye... not signed.
Checking tag 3.6... signed.
Checking tag 3.11.0a2-bullseye... not signed.
Checking tag 3.11.0a2... not signed.
Checking tag 3.11-rc-bullseye... not signed.
Fetching page #4
Checking tag 3.11-rc... not signed.
Checking tag 3.10.0-buster... not signed.
Checking tag 3.10.0-bullseye... not signed.
Checking tag 3.10.0... not signed.
Checking tag 3.10-buster... not signed.
Checking tag 3.10-bullseye... not signed.
Checking tag 3.10... not signed.
Checking tag 3-buster... signed.
Checking tag 3-bullseye... not signed.
Checking tag 3... signed.
...
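The check the script performs with jq, plus the digest comparison a consumer of these images would want before trusting a pulled tag, as an added example (not code from the issue or from docker-library). It assumes the `docker trust inspect` output shape shown above, and that the `Digest` of a signed tag equals the hex part of the pulled image's `sha256:` RepoDigest; the sample JSON is constructed from the values quoted in the issue.

```python
import json

# Constructed samples of `docker trust inspect python:3.9` and
# `docker trust inspect python:3.9.9`, trimmed to the fields used here;
# tag, digest and signer values are the ones quoted in the issue.
SIGNED_3_9 = json.dumps([{
    "Name": "python:3.9",
    "SignedTags": [{
        "SignedTag": "3.9",
        "Digest": "797aee34488c660ebaf5b88e622fdd458e65bb3c2500d48f9fbb3711e8688a1e",
        "Signers": ["Repo Admin"],
    }],
}])
UNSIGNED_3_9_9 = json.dumps([{"Name": "python:3.9.9", "SignedTags": []}])


def tag_of(name):
    """Tag part of an image reference: "python" -> "latest", "reg:5000/python:3.9" -> "3.9"."""
    _, sep, tag = name.rpartition(":")
    return tag if sep and "/" not in tag else "latest"


def trust_status(inspect_output):
    """Parse `docker trust inspect <image:tag>` JSON.

    Returns (name, digest_or_None, signers); digest is None when the requested
    tag has no entry in the repository's SignedTags, i.e. it is not signed.
    """
    repo = json.loads(inspect_output)[0]
    name = repo["Name"]
    for entry in repo.get("SignedTags", []):
        if entry["SignedTag"] == tag_of(name):
            return name, entry["Digest"], tuple(entry.get("Signers", []))
    return name, None, ()


def unsigned_tags(inspect_outputs):
    """Image names whose tag carries no signature (what the script writes to unsigned_tags.txt)."""
    return [name for name, digest, _ in map(trust_status, inspect_outputs) if digest is None]


def matches_signed_digest(inspect_output, repo_digest):
    """Compare a pulled image's RepoDigest ("sha256:<hex>") with the signed digest.

    An unsigned tag yields False: there is nothing to verify against, so the
    image should not be treated as a trusted build.
    """
    _, digest, _ = trust_status(inspect_output)
    return digest is not None and repo_digest.lower() == "sha256:" + digest.lower()
```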