Sign the docker images #6199
Your docker images are currently distributed via Docker Hub and you intend to switch to ghcr.io. Neither of these platforms is operated by you. Typically, when software is distributed by third parties or through an insecure channel, it is signed by the developers and the integrity of the software is checked against a widely known public key obtained directly from the developers via a different, secure channel. Being familiar with Debian-based GNU/Linux systems and their package management, where software is always signed and the signatures are always checked by default, I was actually quite shocked when
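To make the property the post is asking for concrete, here is an added example (not code from this discussion, from Nextcloud AIO, or from cosign) that models key-based image signing the way `cosign sign --key` / `cosign verify --key` do it: the publisher signs a claim binding the image reference to the manifest digest with a private key that stays in the build environment, and the consumer verifies what the registry served against a public key it obtained out of band and pinned. Keys, the image reference `ghcr.io/example/app:1.0`, and the manifest JSON are all constructed for the example; Ed25519 stands in for whatever key type a project actually publishes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SignedClaim is the payload the publisher signs. Binding the image
// reference to the manifest digest stops a registry from replaying a
// valid signature made for one tag onto a different tag (cosign's
// "simple signing" payload carries the same two fields for this reason).
type SignedClaim struct {
	Reference string `json:"docker-reference"`
	Digest    string `json:"digest"`
}

// ManifestDigest computes the content address of manifest bytes in the
// "sha256:<hex>" form registries use to name manifests.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

func claimBytes(ref, digest string) []byte {
	b, err := json.Marshal(SignedClaim{Reference: ref, Digest: digest})
	if err != nil {
		panic(err) // a fixed struct with two strings cannot fail to marshal
	}
	return b
}

// SignImage is the publisher side: it runs at build time with the private
// key, which never leaves the developers' build environment.
func SignImage(priv ed25519.PrivateKey, ref string, manifest []byte) []byte {
	return ed25519.Sign(priv, claimBytes(ref, ManifestDigest(manifest)))
}

// VerifyImage is the consumer side. pub is the publisher's public key that
// the consumer fetched out of band (project website, release notes) and
// pinned locally; ref, manifest and sig are what the registry served.
// A registry that alters the manifest, retags it, or substitutes its own
// key cannot produce a signature that passes this check.
func VerifyImage(pub ed25519.PublicKey, ref string, manifest, sig []byte) bool {
	return ed25519.Verify(pub, claimBytes(ref, ManifestDigest(manifest)), sig)
}

func main() {
	// Publisher key pair (constructed for the example).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ref := "ghcr.io/example/app:1.0" // hypothetical image reference
	manifest := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:aa"}]}`) // constructed

	sig := SignImage(priv, ref, manifest)
	fmt.Println("genuine image:", VerifyImage(pub, ref, manifest, sig))

	// Registry (or someone between it and you) serves a modified manifest.
	tampered := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:bb"}]}`)
	fmt.Println("tampered manifest:", VerifyImage(pub, ref, tampered, sig))

	// Valid signature for 1.0 replayed onto another tag.
	fmt.Println("retagged image:", VerifyImage(pub, "ghcr.io/example/app:2.0", manifest, sig))

	// Attacker signs with their own key: passes only against *their* public key,
	// which is why the verification key must not come from the same channel as the image.
	rogueBub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueSig := SignImage(roguePriv, ref, manifest)
	fmt.Println("rogue key vs pinned key:", VerifyImage(pub, ref, manifest, rogueSig))
	fmt.Println("rogue key vs rogue key:", VerifyImage(rogueBub, ref, manifest, rogueSig))
}
```

The last two lines of `main` are the point of the original post: a signature is only as meaningful as the channel the public key came from. If the key is published alongside the image on the same registry, an attacker who can replace the image can replace the key too, so the key has to be pinned from a channel the registry does not control.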
Hi, this indeed should have been reported to https://hackerone.com/nextcloud.
Actually, you are the first one to report this issue. This is why we don't have them signed yet.
As you said, it will get better with moving the containers to ghcr.io which I will work on next week.
I will then also look into signing the docker images.
Inspiration: docjyJ/aio-helloworld@b435f58