Possibility of signing images? #2

Closed
moritzheiber opened this Issue Jan 27, 2016 · 9 comments


moritzheiber commented Jan 27, 2016

Thank you for your work on this. It's pretty much the basis for any and every Alpine Linux container image that requires glibc :)

Would it be possible to get the resulting artifacts/packages signed in any way? What I usually see in a lot of Dockerfiles is

apk add --allow-untrusted <some-apk>

That really doesn't fit with my understanding of chain of trust, especially when it comes to something as vital as a C runtime library.

andyshinn (Collaborator) commented Feb 6, 2016

andyshinn (Collaborator) commented Feb 7, 2016

The key should be with the new GitHub releases as well (https://github.com/andyshinn/alpine-pkg-glibc/releases). Let me know if this wasn't what you were looking for.

andyshinn closed this Feb 7, 2016


moritzheiber commented Feb 9, 2016

@andyshinn The build steps in the Circle CI pipeline, specifically the docker run -e RSA_PRIVATE_KEY="$RSA_PRIVATE_KEY" -v $(pwd):/home/builder/package -v $(pwd)/packages:/home/builder/packages andyshinn/alpine-abuild step is showing a lot of error, particularly related to signing. Are you sure it's working?

Also, how would I, given the provided key, be able to verify the integrity of the images? I would just really like to get rid of the --allow-untrusted switch...

andyshinn (Collaborator) commented Feb 9, 2016

Yea, I see this in logs now:

unable to load key file
140208373525996:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

I guess I expected it to outright fail if no key could be used for signing... I'll try and fix it in the next week.
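The two log lines above are OpenSSL failing to parse whatever ended up in the key file ("no start line" is what PEM_read_bio reports when it cannot find a "-----BEGIN ... PRIVATE KEY-----" line), after which the build carried on and shipped an unsigned package. As an added example in the spirit of "outright fail if no key could be used" (this is not code from this issue or from the alpine-abuild image), here is a fail-closed preflight that inspects the RSA_PRIVATE_KEY value for the usual CI-secret mistakes before any build step runs. Assumptions: the builder writes RSA_PRIVATE_KEY to a file as-is (the "unable to load key file" message suggests that), the function and sample names are mine, and the "good" sample's PEM body is a constructed 5-byte DER SEQUENCE, not a real key.

```python
import base64, binascii, os, re, sys

# One PEM block holding a private key; the label must match between BEGIN and END.
PEM_KEY = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def check_private_key_pem(text):
    """Return (ok, reason) for the value that lands in RSA_PRIVATE_KEY; fail closed on anything odd."""
    if not text or not text.strip():
        return False, "empty: the CI secret is not set or was not exported into the container"
    if "\\n" in text and "\n" not in text.strip():
        return False, "newlines are literal backslash-n: the key was pasted into the secret as one line"
    m = PEM_KEY.search(text)
    if not m:
        return False, "no '-----BEGIN ... PRIVATE KEY-----' line (OpenSSL reports this as 'no start line')"
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        return False, f"{label} is passphrase-protected; an unattended signing step cannot use it"
    try:
        der = base64.b64decode(body, validate=False)  # line breaks inside the base64 body are fine
    except binascii.Error as exc:
        return False, f"PEM body is not base64: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded body is not a DER SEQUENCE, so it is not a key structure"
    return True, f"{label}, {len(der)} DER bytes"

def preflight(env=os.environ):
    """Run before the abuild container: exit non-zero instead of producing an unsigned package."""
    ok, reason = check_private_key_pem(env.get("RSA_PRIVATE_KEY", ""))
    print(("OK: " if ok else "REFUSING TO BUILD: ") + reason, file=sys.stderr)
    return 0 if ok else 1

# Constructed samples; the "good" body decodes to the DER bytes 30 03 02 01 00, not to a real key.
SAMPLE_GOOD = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ONE_LINE = SAMPLE_GOOD.replace("\n", "\\n")   # how a secret pasted as a single line arrives
SAMPLE_NO_HEADER = "MAMCAQA=\n"                       # the case OpenSSL calls "no start line"

if __name__ == "__main__":
    sys.exit(preflight())
```

Wire it in as the first step of the CI job (before the docker run that mounts the package directory) so a missing or mangled key stops the pipeline instead of silently downgrading the artifact to unsigned; the one-line-secret case is worth its own check because it is the one that produces exactly the PEM error shown above.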

andyshinn reopened this Feb 9, 2016


moritzheiber commented Feb 21, 2016

@andyshinn How would one go about and even verify the files' signatures? I have found zero docs relating to using the information provided to keep track of a package's integrity. And literally every Dockerfile I've seen always uses --allow-untrusted, which I find rather unsatisfying.

andyshinn (Collaborator) commented Feb 22, 2016

The latest 2.23-r1 should be signed properly now.

$ docker run alpine ash -c "apk -q -U add ca-certificates \
  && wget -q -O /etc/apk/keys/andyshinn.rsa.pub https://raw.githubusercontent.com/andyshinn/alpine-pkg-glibc/master/andyshinn.rsa.pub \
  && wget -q https://github.com/andyshinn/alpine-pkg-glibc/releases/download/unreleased/glibc-2.23-r1.apk \
  && apk add glibc-2.23-r1.apk"
(1/1) Installing glibc (2.23-r1)
OK: 10 MiB in 14 packages
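As an added worked example for both the opening question (what `apk add --allow-untrusted` gives up) and the command above (what dropping the key into /etc/apk/keys buys), here is a stand-alone model of the v2 .apk trust chain as I understand it; this is not code from this issue or from the alpine-pkg-glibc project. A v2 package is three concatenated gzip streams: a signature tar holding `.SIGN.RSA.<keyfile>`, a control tar holding .PKGINFO, and the data tar. The RSA signature (PKCS#1 v1.5 over SHA-1) covers the compressed control segment, and .PKGINFO's `datahash` binds the data segment, so trust flows signature -> control -> data. Assumptions: the RSA primitives are a stdlib-only stand-in (1024-bit key so pure-Python key generation stays quick; use a real library and 2048+ bits for anything that matters), the package contents are constructed, `andyshinn.rsa.pub` is used only as the key-file name the signature entry refers to, and end-of-archive handling is simplified compared with abuild-tar --cut.

```python
import gzip, hashlib, io, random, tarfile, zlib
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 DigestInfo for SHA-1
_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=32):  # Miller-Rabin on an odd candidate; demo grade only
    r = ((n - 1) & (1 - n)).bit_length() - 1; d = (n - 1) >> r  # n - 1 == d * 2**r with d odd
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if _is_probable_prime(c): return c

def gen_keypair(bits=1024, e=65537):  # 1024 keeps pure-Python keygen quick; real signing keys: >= 2048
    while True:  # returns (public (n, e), private (n, d)); stands in for andyshinn.rsa.pub / RSA_PRIVATE_KEY
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is exactly gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v15(data, k):  # EM = 00 01 FF..FF 00 || DigestInfo || SHA1(data), k bytes long
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign_sha1(priv, data):  # what a .SIGN.RSA.* entry carries: PKCS#1 v1.5 signature over SHA-1
    n, d = priv; k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify_sha1(pub, data, sig):
    n, e = pub; k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return em == _emsa_pkcs1_v15(data, k)  # compare the full encoded message, no lenient parsing

def tar_bytes(entries):  # real abuild also strips the end-of-archive blocks from the first two archives
    with tarfile.open(fileobj=(buf := io.BytesIO()), mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name); info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_tar(raw):
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}

def split_gzip_members(blob):  # a v2 .apk is three concatenated gzip streams: signature, control, data
    members, pos = [], 0
    while pos < len(blob):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        out = d.decompress(blob[pos:])
        end = len(blob) - len(d.unused_data)
        members.append((blob[pos:end], out))  # keep the compressed bytes: they are what is signed/hashed
        pos = end
    return members

def build_apk(priv, keyname, pkgname, pkgver, files):
    data_gz = gzip.compress(tar_bytes(files), mtime=0)
    pkginfo = f"pkgname = {pkgname}\npkgver = {pkgver}\ndatahash = {hashlib.sha256(data_gz).hexdigest()}\n"
    control_gz = gzip.compress(tar_bytes([(".PKGINFO", pkginfo.encode())]), mtime=0)
    sig_gz = gzip.compress(tar_bytes([(f".SIGN.RSA.{keyname}", rsa_sign_sha1(priv, control_gz))]), mtime=0)
    return sig_gz + control_gz + data_gz  # trust chain: signature -> control (.PKGINFO datahash) -> data

def verify_apk(apk, trusted_keys, allow_untrusted=False):  # trusted_keys: {/etc/apk/keys filename: (n, e)}
    members = split_gzip_members(apk)
    if len(members) != 3: return False, "not a signed v2 apk"
    (_, sig_tar), (control_gz, control_tar), (data_gz, _) = members; sigs = read_tar(sig_tar)
    keyname = next((n[len(".SIGN.RSA."):] for n in sigs if n.startswith(".SIGN.RSA.")), None)
    if keyname not in trusted_keys:  # unsigned, or signed with a key that is not installed
        why = f"UNTRUSTED: no key file {keyname} installed" if keyname else "UNSIGNED"
        return allow_untrusted, why + (" (taken on faith: --allow-untrusted)" if allow_untrusted else "")
    if not rsa_verify_sha1(trusted_keys[keyname], control_gz, sigs[".SIGN.RSA." + keyname]):
        return False, f"BAD SIGNATURE: control segment altered, or not signed by the key in {keyname}"
    fields = dict(l.split(" = ", 1) for l in read_tar(control_tar)[".PKGINFO"].decode().splitlines() if " = " in l)
    if fields.get("datahash") != hashlib.sha256(data_gz).hexdigest():
        return False, "DATAHASH MISMATCH: data segment altered"
    return True, f"OK: {fields.get('pkgname')}-{fields.get('pkgver')} verified with {keyname}"

def demo():  # the cases a reviewer of the --allow-untrusted pattern cares about -> {scenario: accepted?}
    pub, priv = gen_keypair()
    files = [("usr/glibc-compat/lib/libc.so.6", b"constructed stand-in, not a real libc")]
    apk = build_apk(priv, "andyshinn.rsa.pub", "glibc", "2.23-r1", files)
    trusted = {"andyshinn.rsa.pub": pub}  # what `wget -O /etc/apk/keys/andyshinn.rsa.pub ...` establishes
    sig_gz, control_gz, _ = (m[0] for m in split_gzip_members(apk))
    evil_data = gzip.compress(tar_bytes([(files[0][0], b"backdoored")]), mtime=0)
    resigned = build_apk(gen_keypair()[1], "andyshinn.rsa.pub", "glibc", "2.23-r1", files)  # attacker's key
    return {
        "genuine": verify_apk(apk, trusted)[0],
        "key_not_installed": verify_apk(apk, {})[0],
        "key_not_installed_allow_untrusted": verify_apk(apk, {}, allow_untrusted=True)[0],
        "data_tampered": verify_apk(sig_gz + control_gz + evil_data, trusted)[0],
        "resigned_with_other_key_same_filename": verify_apk(resigned, trusted)[0],
    }
```

Two things this makes visible for the Dockerfile pattern. The name in `.SIGN.RSA.<name>` is only a lookup into /etc/apk/keys; acceptance comes from the signature verifying against the key contents you installed, which is why the "resigned with another key under the same filename" case is rejected. And `--allow-untrusted` is what turns the `key_not_installed` rejection into an install, so every Dockerfile using it is installing a C runtime with no verification at all. Fetching the key over HTTPS from the same GitHub repository the package comes from means the trust anchor is GitHub's TLS plus the branch content at fetch time; if that matters to you, pin the key's fingerprint or vendor the key file into your own image build.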

andyshinn closed this Feb 22, 2016


moritzheiber commented Feb 22, 2016

Cheers @andyshinn, much appreciated, thank you!


ysangkok commented Feb 13, 2017

@andyshinn your key is not available by that URL anymore, where can I find it? I tried keybase but you must have another username there...

andyshinn (Collaborator) commented Feb 13, 2017

The newer packages don't use my key. But if you are using an older package I've attached my key to this issue.
andyshinn.rsa.pub.zip
