Signed Docker image #19
Comments
This seems to be complicated: Content trust in Docker. @augi, if you have any experience with signing Docker images, you could help us configure our GitHub workflows to add image signing.

Agree that it seems to be complicated 😢 It actually requires loading the key. But I don't have any real-world experience.

I found that one can load the key, but how do we pass the password? It needs to be integrated into our Docker builder.

I've found here that

OK, does Docker Hub support content trust for open source projects?

This is also not clear to me from the documentation 😢 According to this article, it should work for everyone with a Docker Hub account.
So the steps would be:

Questions
I can store it.
The reality is anyone with write access to a GitHub repo can access secrets if they want. Which means anyone with write access, or anyone who compromises someone with write access, can publish a signed image.

Presumably it would be as per above.

So we can use the same key and the same passphrase for all images, as we only have one Docker user for publishing anyway.

So @rarkins needs to configure the keys and then I can configure the signing. We should add a test Docker image/repo first, so we can test everything, and afterwards we can add signing to all our images.

With sigstore and cosign, we now have an easy-to-use alternative for image signing, which also works outside the Docker ecosystem. It also supports keyless signing, which addresses your concerns about key storage. GitHub itself blogged about it yesterday. Renovate by design has access to a lot of sensitive information. Having its images signed and verifiable would certainly be a great thing. Would this be something that you'd be interested in looking into?
Renovate images are now signed using cosign.

cosign verify docker.io/renovate/renovate:latest | jq .

Verification for index.docker.io/renovate/renovate:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- Any certificates were verified against the Fulcio roots.
[
  {
    "critical": {
      "identity": {
        "docker-reference": "index.docker.io/renovate/renovate"
      },
      "image": {
        "docker-manifest-digest": "sha256:efff49102c74aec8fdd56a8405676fd16b6c02804813555c1b9306e7a0f26f50"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIGPKSja6d/vdtEyzCsobBOe69pCIqPBSe/rohcRbNDDeAiARoabsa0EQARGVa75q+YlEJouURJp+SqikoOdr/5l6TQ==",
        "Payload": {
          "body": "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",
          "integratedTime": 1641146166,
          "logIndex": 1018569,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Issuer": "https://token.actions.githubusercontent.com",
      "Subject": "https://github.com/renovatebot/docker-renovate-full/.github/workflows/build.yml@refs/heads/main"
    }
  }
]

Docker currently has an open item to use cosign for integrated image verification. Please give it a 👍

I'm closing this as we use cosign.
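Added example (not from this thread or the Renovate project): a consumer in the strict environment the issue describes should not stop at `cosign verify` succeeding, but also pin who is allowed to have signed the image. This checks the JSON output shown above for the GitHub OIDC issuer, a renovatebot workflow identity, the expected image reference and the presence of the offline Rekor bundle; later cosign versions require the same identity pinning via `--certificate-oidc-issuer` and `--certificate-identity-regexp`. The allowed-subject pattern and the sample values are assumptions.

```python
import json
import re

# Policy for keyless (Fulcio) signatures. The issuer is the one in the cosign
# output above; the subject pattern is an assumption for this example and
# accepts any build.yml on main under the renovatebot organisation.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
ALLOWED_SUBJECT = re.compile(
    r"^https://github\.com/renovatebot/[\w.-]+/\.github/workflows/build\.yml@refs/heads/main$")

def check_signature(sig: dict, image_ref: str) -> list:
    """Return policy violations for one signature entry; an empty list means accepted."""
    critical, optional = sig.get("critical", {}), sig.get("optional", {})
    problems = []
    if critical.get("type") != "cosign container image signature":
        problems.append("unexpected signature type")
    if critical.get("identity", {}).get("docker-reference") != image_ref:
        problems.append("docker-reference does not name the image being verified")
    digest = critical.get("image", {}).get("docker-manifest-digest", "")
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        problems.append("manifest digest is not a sha256 digest")
    if optional.get("Issuer") != EXPECTED_ISSUER:
        problems.append(f"OIDC issuer not trusted: {optional.get('Issuer')!r}")
    if not ALLOWED_SUBJECT.match(optional.get("Subject") or ""):
        problems.append(f"signer identity not allowed: {optional.get('Subject')!r}")
    if "Bundle" not in optional:
        problems.append("no Rekor bundle, so log inclusion cannot be checked offline")
    return problems

def enforce_policy(verify_output: str, image_ref: str) -> bool:
    """True if at least one signature in the `cosign verify` JSON output satisfies the policy."""
    return any(not check_signature(sig, image_ref) for sig in json.loads(verify_output))

# Constructed sample, shaped like the `cosign verify ... | jq .` output above;
# the Rekor bundle fields are placeholders.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/renovate/renovate"},
        "image": {"docker-manifest-digest": "sha256:" + "ef" * 32},
        "type": "cosign container image signature"},
    "optional": {
        "Bundle": {"SignedEntryTimestamp": "<constructed>",
                   "Payload": {"body": "<constructed>", "integratedTime": 1641146166,
                               "logIndex": 1018569, "logID": "<constructed>"}},
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/renovatebot/docker-renovate-full/.github/workflows/build.yml@refs/heads/main"},
}])
```

In a pipeline, feed the real `cosign verify` output into `enforce_policy` and refuse to pull or run the image when it returns False.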
Hello, it would be great if the renovate/renovate Docker images were signed, so we could use them in a stricter environment where DOCKER_CONTENT_TRUST=1 is enforced. Now, the pull is failing on this: