
Possibility of signing images? #2

Closed
moritzheiber opened this issue Jan 27, 2016 · 9 comments

Comments

@moritzheiber

Thank you for your work on this. It's pretty much the basis for any and every Alpine Linux container image that requires glibc :)

Would it be possible to get the resulting artifacts/packages signed in any way? What I usually see in a lot of Dockerfiles is

apk add --allow-untrusted <some-apk>

That really doesn't fit with my understanding of chain of trust, especially when it comes to something as vital as a C runtime library.

@andyshinn
Collaborator

It is already signed. The file should be with the build artifacts at https://circle-artifacts.com/gh/andyshinn/alpine-pkg-glibc/14/artifacts/0/home/ubuntu/alpine-pkg-glibc/packages/andyshinn.rsa.pub.

@andyshinn
Collaborator

The key should be with the new GitHub releases as well (https://github.com/andyshinn/alpine-pkg-glibc/releases). Let me know if this wasn't what you were looking for.

@moritzheiber
Author

@andyshinn The build steps in the Circle CI pipeline, specifically the docker run -e RSA_PRIVATE_KEY="$RSA_PRIVATE_KEY" -v $(pwd):/home/builder/package -v $(pwd)/packages:/home/builder/packages andyshinn/alpine-abuild step, are showing a lot of errors, particularly related to signing. Are you sure it's working?

Also, how would I, given the provided key, be able to verify the integrity of the images? I would just really like to get rid of the --allow-untrusted switch...

@andyshinn
Collaborator

Yea, I see this in logs now:

unable to load key file
140208373525996:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

I guess I expected it to outright fail if no key could be used for signing... I'll try and fix it in the next week.

andyshinn reopened this Feb 9, 2016
@moritzheiber
Author

@andyshinn How would one even go about verifying the files' signatures? I have found zero docs relating to using the information provided to keep track of a package's integrity. And literally every Dockerfile I've seen always uses --allow-untrusted, which I find rather unsatisfying.

@andyshinn
Collaborator

The latest 2.23-r1 should be signed properly now.

$ docker run alpine ash -c "apk -q -U add ca-certificates \
  && wget -q -O /etc/apk/keys/andyshinn.rsa.pub https://raw.githubusercontent.com/andyshinn/alpine-pkg-glibc/master/andyshinn.rsa.pub \
  && wget -q https://github.com/andyshinn/alpine-pkg-glibc/releases/download/unreleased/glibc-2.23-r1.apk \
  && apk add glibc-2.23-r1.apk"
(1/1) Installing glibc (2.23-r1)
OK: 10 MiB in 14 packages
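To show what dropping the key into /etc/apk/keys actually buys, here is an added example written for this issue, not code from the thread or from apk-tools: it walks an apk's signature segment the way apk does, finds the key file name the signature demands and the digest that key's RSA signature has to verify, so an install without --allow-untrusted is refused exactly when /etc/apk/keys lacks that file. The package is a constructed stand-in built in memory; the key name andyshinn.rsa.pub is the one from this thread.

```python
import gzip, hashlib, io, tarfile, zlib

# Constructed illustration, not apk-tools code. An apk (v2) package is three
# gzip members back to back: [signature tar][control tar][data tar].
# abuild-sign stores the RSA signature as .SIGN.RSA.<keyname> (SHA-1) or
# .SIGN.RSA256.<keyname> (SHA-256) over the *compressed* control segment, and
# apk resolves <keyname> to /etc/apk/keys/<keyname>; an unknown key means the
# install only proceeds with --allow-untrusted.
SIG_PREFIXES = {".SIGN.RSA.": "sha1", ".SIGN.RSA256.": "sha256"}

def split_gzip_members(blob):
    """Raw (still compressed) bytes of each gzip member, in order."""
    members, pos = [], 0
    while pos < len(blob):
        d = zlib.decompressobj(wbits=31)           # decodes exactly one member
        d.decompress(blob[pos:])
        end = len(blob) - len(d.unused_data)       # bytes after the member's trailer
        members.append(blob[pos:end])
        pos = end
    return members

def signature_entry(sig_member):
    """(keyname, digest algorithm, signature bytes) from the signature segment."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(sig_member)), mode="r:") as tar:
        for entry in tar:
            for prefix, algo in SIG_PREFIXES.items():
                if entry.name.startswith(prefix):
                    return entry.name[len(prefix):], algo, tar.extractfile(entry).read()
    raise ValueError("no .SIGN.RSA* entry: package is unsigned")

def check_package(blob, installed_keys, allow_untrusted=False):
    """apk's trust decision in miniature. Returns which key file apk needs and the
    digest that key's RSA signature has to verify (the RSA step itself is apk's)."""
    sig_seg, control_seg = split_gzip_members(blob)[:2]
    keyname, algo, _sig = signature_entry(sig_seg)
    trusted = keyname in installed_keys
    return {"key": f"/etc/apk/keys/{keyname}", "trusted": trusted,
            "installs": trusted or allow_untrusted,
            "digest": hashlib.new(algo, control_seg).hexdigest()}

def make_sample_apk(keyname, pkginfo=b"pkgname = glibc\npkgver = 2.23-r1\n"):
    """Constructed stand-in package; the signature bytes are a placeholder, not RSA."""
    def tar_gz(name, payload):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        return buf.getvalue()
    return (tar_gz(".SIGN.RSA." + keyname, b"\x00" * 256)
            + tar_gz(".PKGINFO", pkginfo) + tar_gz("usr/lib/libc.so.6", b""))
```

Run check_package on a real .apk with the file names found in /etc/apk/keys to see which key a package demands before deciding whether to install it; --allow-untrusted simply skips that lookup.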

@moritzheiber
Author

Cheers @andyshinn, much appreciated, thank you!

@ysangkok

@andyshinn your key is not available at that URL anymore, where can I find it? I tried keybase but you must have another username there...

@andyshinn
Collaborator

The newer packages don't use my key. But if you are using an older package I've attached my key to this issue.
andyshinn.rsa.pub.zip
