Description
In my setup, Docker Content Trust is 100% security theater. It provides zero security because of TOFU.
Steps to reproduce the issue:
- Launch a new (ephemeral) build server
- Download image from Docker Hub
- ...
- Build finishes, ephemeral build server is destroyed
- GOTO 1
Describe the results you received:
Every time I execute my CI build pipeline (which necessarily runs in a new instance on every run), docker downloads the image without telling me it was also downloading the key at the same time, which means it's actually not able to cryptographically verify the authenticity and integrity of the image.
```
root@disp9131:~# export DOCKER_CONTENT_TRUST=1
root@disp9131:~#
root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian
root@disp9131:~#
root@disp9131:~# docker pull ubuntu:latest
Pull (1 of 1): ubuntu:latest@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537: Pulling from library/ubuntu
d72e567cc804: Pull complete
0f3630e5ff08: Pull complete
b6a83d81d1f4: Pull complete
Digest: sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Status: Downloaded newer image for ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Tagging ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537 as ubuntu:latest
root@disp9131:~#
root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian ubuntu
root@disp9131:~#
```
Describe the results you expected:
By default, if running docker pull and the root key is not already downloaded, then the command should:
- fail in non-interactive mode, or
- inform the user that the key isn't present and that it will have to download & TOFU the root key in order to proceed. Print a URL to a doc that provides more information on the risks in this, then prompt the user if they want to abort or continue with the TOFU.

It should not proceed as normal if the key is not present, misleading the user into thinking that their image download was cryptographically verified in a secure manner (when it wasn't).
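As an added example (not code from this issue or from Docker), a CI-side pull wrapper that enforces the "fail in non-interactive mode" behaviour described above: it refuses to pull unless Notary trust metadata for the repository is already cached under the trust directory shown in the `ls` output, and can additionally compare the cached `root.json` against a digest the pipeline pins. The `metadata/root.json` path, the use of `DOCKER_CONFIG` for the trust directory, and the pinned-digest scheme are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the issue or of Docker's own tooling.
# Pre-seeding the trust directory from a trusted source is left to the pipeline;
# this wrapper only makes sure the client never TOFUs a root key silently.
set -eu

# Trust store root; DOCKER_CONFIG is assumed to be honoured, default ~/.docker
trust_dir() { printf '%s/trust/tuf\n' "${DOCKER_CONFIG:-$HOME/.docker}"; }

# Map an image reference to its Notary GUN, e.g. ubuntu:latest -> docker.io/library/ubuntu
gun_for_image() {
    ref="${1%@*}"                                   # drop @sha256:... digest
    case "$ref" in
        */*) prefix="${ref%/*}/"; last="${ref##*/}" ;;
        *)   prefix=""; last="$ref" ;;
    esac
    ref="$prefix${last%%:*}"                          # drop :tag from last component
    first="${ref%%/*}"
    case "$ref" in
        */*) case "$first" in                         # first component is a registry
                 *.*|*:*|localhost) printf '%s\n' "$ref" ;;   # only if it looks like a host
                 *) printf 'docker.io/%s\n' "$ref" ;;
             esac ;;
        *)   printf 'docker.io/library/%s\n' "$ref" ;; # official image
    esac
}

# 0 if a root.json for the repository is already on disk (assumed layout)
trust_root_present() {
    [ -f "$(trust_dir)/$(gun_for_image "$1")/metadata/root.json" ]
}

# 0 if the cached root.json matches the sha256 hex digest the pipeline pins
trust_root_matches() {
    root="$(trust_dir)/$(gun_for_image "$1")/metadata/root.json"
    [ -f "$root" ] || return 1
    actual="$(sha256sum "$root" | cut -d' ' -f1)"
    [ "$actual" = "$2" ]
}

# Pull only when the root is already trusted; exit non-zero instead of TOFU.
safe_pull() {
    image="$1"; pinned="${2:-}"
    if ! trust_root_present "$image"; then
        echo "refusing to pull $image: no trust root cached for $(gun_for_image "$image")" >&2
        return 2
    fi
    if [ -n "$pinned" ] && ! trust_root_matches "$image" "$pinned"; then
        echo "refusing to pull $image: cached root.json does not match pinned digest" >&2
        return 3
    fi
    DOCKER_CONTENT_TRUST=1 "${DOCKER_BIN:-docker}" pull "$image"
}
```

Call it as `safe_pull ubuntu:latest <pinned-sha256>` from the pipeline; a return code of 2 or 3 means the pull was blocked before any network access.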
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
```
root@disp9131:~# docker --version
Docker version 18.09.1, build 4c52b90
root@disp9131:~#
```
Output of docker info:
```
root@disp9131:~# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 18.09.1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 1.0.0~rc6+dfsg1-3
init version: v0.18.0 (expected: fec3683b971d9c3ef73f284f176672c44b448662)
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.19.132-1.pvops.qubes.x86_64
Operating System: Debian GNU/Linux 10 (buster)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.374GiB
Name: disp9131
ID: RTJT:KHJH:AW2N:AHCV:L4SD:3FYG:LIUV:FAYO:CMQM:LZX3:N5US:KULB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
root@disp9131:~#
```
Additional environment details (AWS, VirtualBox, physical, etc.):
QubesOS -> Debian 10