Possibility of signing images? #2
Comments
It is already signed. The file should be with the build artifacts at https://circle-artifacts.com/gh/andyshinn/alpine-pkg-glibc/14/artifacts/0/home/ubuntu/alpine-pkg-glibc/packages/andyshinn.rsa.pub. The key should be with the new GitHub releases as well (https://github.com/andyshinn/alpine-pkg-glibc/releases). Let me know if this wasn't what you were looking for.
@andyshinn The build steps in the Circle CI pipeline, specifically the Also, how would I, given the provided key, be able to verify the integrity of the images? I would just really like to get rid of the
Yeah, I see this in the logs now. I guess I expected it to outright fail if no key could be used for signing... I'll try and fix it in the next week.
@andyshinn How would one go about verifying the files' signatures? I have found zero docs relating to using the information provided to keep track of a package's integrity. And literally every Dockerfile I've seen always uses
The latest 2.23-r1 should be signed properly now.

```shell
# The key is installed under the file name apk looks up from the package's .SIGN.RSA.<name> entry
$ docker run alpine ash -c "apk -q -U add ca-certificates \
  && wget -q -O /etc/apk/keys/andyshinn.rsa.pub https://raw.githubusercontent.com/andyshinn/alpine-pkg-glibc/master/andyshinn.rsa.pub \
  && wget -q https://github.com/andyshinn/alpine-pkg-glibc/releases/download/unreleased/glibc-2.23-r1.apk \
  && apk add glibc-2.23-r1.apk"
(1/1) Installing glibc (2.23-r1)
OK: 10 MiB in 14 packages
```
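The command above drops the key into /etc/apk/keys and then lets a plain `apk add` (no `--allow-untrusted`) do the checking. As an added example, and not code from this project or from apk-tools, the script below models what apk verifies at that point: an apk v2 file is three concatenated gzip streams (signature tar, control tar with .PKGINFO, data tar); the `.SIGN.RSA.<keyname>` entry is an RSA PKCS#1 v1.5/SHA-1 signature over the raw compressed control segment, the key is trusted only if `/etc/apk/keys/<keyname>` exists, and `.PKGINFO` carries `datahash`, the SHA-256 of the compressed data segment, which ties the payload to the signature. Assumptions: the key generation is a pure-Python toy so the script runs offline (real keys come from abuild-keygen or openssl), the package is a constructed sample that reuses the names from this thread, and `build_apk` is a simplified stand-in for abuild plus abuild-sign.

```python
"""Added example (not apk-tools or alpine-pkg-glibc code): a minimal model of what
apk checks when it installs a signed .apk. Three concatenated gzip streams: a tar
with .SIGN.RSA.<keyname> (RSA PKCS#1 v1.5/SHA-1 over the raw compressed control
segment), the control tar with .PKGINFO (datahash = sha256 of the compressed data
segment), and the data tar. Assumption: the RSA below is a toy, never for real keys."""
import gzip, hashlib, hmac, io, math, secrets, tarfile, zlib

DIGESTINFO_SHA1 = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 prefix

def _probable_prime(n, rounds=16):  # Miller-Rabin, demo quality only
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def toy_rsa_keypair(bits=1024):
    """Returns ((n, e), (n, d)). Toy generator (assumption): never use for real keys."""
    e, p, q = 65537, _random_prime(bits // 2), _random_prime(bits // 2)
    while p == q or math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = _random_prime(bits // 2)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _emsa(message, k):  # EMSA-PKCS1-v1_5 with SHA-1, the encoding `openssl dgst -sha1 -sign` produces
    t = DIGESTINFO_SHA1 + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha1_verify(pub, message, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return hmac.compare_digest(em, _emsa(message, k))

def _tar(files):  # in-memory tar of {name: bytes}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _untar(raw):  # real signature/control segments omit the end-of-archive blocks: pad them back
    with tarfile.open(fileobj=io.BytesIO(raw + b"\0" * 1024), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}

def split_gzip_members(blob):  # keep each member's raw compressed bytes: that is what is signed/hashed
    members, rest = [], blob
    while rest:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        d.decompress(rest)
        if not d.eof:
            raise ValueError("truncated gzip member")
        members.append(rest[:len(rest) - len(d.unused_data)])
        rest = d.unused_data
    return members

def build_apk(priv, key_name, pkginfo, data_files):  # simplified stand-in for abuild + abuild-sign
    data_gz = gzip.compress(_tar(data_files))
    text = "".join(f"{k} = {v}\n" for k, v in pkginfo.items())
    text += f"datahash = {hashlib.sha256(data_gz).hexdigest()}\n"
    control_gz = gzip.compress(_tar({".PKGINFO": text.encode()}))
    sig_gz = gzip.compress(_tar({f".SIGN.RSA.{key_name}": rsa_sha1_sign(priv, control_gz)}))
    return sig_gz + control_gz + data_gz

def verify_apk(apk, trusted_keys):
    """trusted_keys maps a file name in /etc/apk/keys to (n, e); returns .PKGINFO fields
    or raises ValueError where apk would refuse without --allow-untrusted."""
    sig_gz, control_gz, data_gz = split_gzip_members(apk)  # ValueError unless exactly 3 segments
    ok = False
    for name, sig in _untar(gzip.decompress(sig_gz)).items():
        key_name = name[len(".SIGN.RSA."):] if name.startswith(".SIGN.RSA.") else None
        # trusted by key file name AND the signature over the compressed control segment verifies
        ok |= key_name in trusted_keys and rsa_sha1_verify(trusted_keys[key_name], control_gz, sig)
    if not ok:
        raise ValueError("UNTRUSTED signature: no valid signature by a key in /etc/apk/keys")
    lines = _untar(gzip.decompress(control_gz))[".PKGINFO"].decode().splitlines()
    fields = dict(line.split(" = ", 1) for line in lines if " = " in line)
    if not hmac.compare_digest(fields.get("datahash", ""), hashlib.sha256(data_gz).hexdigest()):
        raise ValueError("data segment does not match datahash in the signed .PKGINFO")
    return fields
```

The order of checks is the point: the key is selected by file name, the signature covers only the compressed control segment, and the data segment is bound to it through `datahash`. A package whose key name has no matching file under /etc/apk/keys is "UNTRUSTED" even if the signature is mathematically valid, which is exactly the case `--allow-untrusted` papers over; a swapped data segment passes the signature check but fails on `datahash`; an edited `.PKGINFO` fails the signature.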
Cheers @andyshinn, much appreciated, thank you!
@andyshinn your key is not available at that URL anymore, where can I find it? I tried keybase but you must have another username there...
The newer packages don't use my key. But if you are using an older package I've attached my key to this issue. |
Thank you for your work on this. It's pretty much the basis for any and every Alpine Linux container image that requires glibc :)
Would it be possible to get the resulting artifacts/packages signed in any way? What I usually see in a lot of Dockerfiles is
That really doesn't fit with my understanding of chain of trust, especially when it comes to something as vital as a C runtime library.