This repository has been archived by the owner on Oct 18, 2022. It is now read-only.

sudo docker "DOCKER_CONTENT_TRUST=1 docker pull ubuntu:focal" gives version not found at canonical.com/core/local #204

Closed
AJRepo opened this issue Apr 13, 2021 · 4 comments

Comments


AJRepo commented Apr 13, 2021

Hi,

Thanks for a great resource.

I'm trying to check the docker supplied image vs the ones at https://partner-images.canonical.com/core/focal/

If I do a pull with

$ sudo DOCKER_CONTENT_TRUST=1 docker pull ubuntu:focal

Pull (1 of 1): ubuntu:focal@sha256:c95a8e48bf88e9849f3e0f723d9f49fa12c5a00cfc6e60d2bc99d87555295e4c
sha256:c95a8e48bf88e9849f3e0f723d9f49fa12c5a00cfc6e60d2bc99d87555295e4c: Pulling from library/ubuntu
Digest: sha256:c95a8e48bf88e9849f3e0f723d9f49fa12c5a00cfc6e60d2bc99d87555295e4c
Status: Image is up to date for ubuntu@sha256:c95a8e48bf88e9849f3e0f723d9f49fa12c5a00cfc6e60d2bc99d87555295e4c
Tagging ubuntu@sha256:c95a8e48bf88e9849f3e0f723d9f49fa12c5a00cfc6e60d2bc99d87555295e4c as ubuntu:focal
docker.io/library/ubuntu:focal

I see that the image creation date is given by

$ sudo docker inspect ubuntu:focal | grep Created
        "Created": "2020-11-25T22:25:29.546718343Z",

But that image creation date is prior to any of the images listed at https://partner-images.canonical.com/core/focal/

  20210321/   21-Mar-2021 01:35
  20210324/   24-Mar-2021 05:15
  20210325/   25-Mar-2021 17:22
  20210401/   01-Apr-2021 02:00
  20210408/   08-Apr-2021 05:30
  current/    08-Apr-2021 05:30

And I see that in the files in the delivered tarfile.

If I just do "$ sudo docker pull ubuntu:focal" then I get

$ sudo docker pull ubuntu:focal

focal: Pulling from library/ubuntu
Digest: sha256:3c9c713e0979e9bd6061ed52ac1e9e1f246c9495aa063619d9d695fb8039aa1f
Status: Downloaded newer image for ubuntu:focal
docker.io/library/ubuntu:focal

$ sudo docker inspect ubuntu:focal | grep Created
        "Created": "2021-04-03T00:53:09.625644166Z",

Which is a date I can find at canonical.com

I'm writing an open source tool to do a security check on docker images based on the original released image so I'd like to know where the source image can be found for any given docker release.

Is there a place that I can find the source image for the docker image created with "sudo DOCKER_CONTENT_TRUST=1 docker pull ubuntu:focal"?

tianon (Owner) commented Apr 13, 2021

Unfortunately, Docker Content Trust for all docker.io/library/* images has been known broken off-and-on for quite some time (docker-library/postgres#822, redis/docker-library-redis#266, nodejs/docker-node#1065, docker-library/official-images#5874, docker-library/official-images#1516).

AJRepo (Author) commented Apr 13, 2021

That is ... um ... interesting.

What are the best practices, then, for checking the security of ubuntu:focal images downloaded from docker?

I'm guessing that I could:

(1) Ignore "DOCKER_CONTENT_TRUST=1" and just do my own binary diffs against versions that can be found by both docker.io and partner-images.canonical.com

or

(2) wait until Docker signs each version and save a local version released by Canonical for future download checks.

I checked http://old-releases.ubuntu.com/releases/focal/ and http://cdimage.ubuntu.com/releases/focal/release/source/ but those just have what look to be CD/USB creation files and not the image that docker's image is built out of.

tianon (Owner) commented Apr 13, 2021

Yep, it's definitely unfortunate and I wish there were something more we could do 😞

If you're really paranoid, I'd suggest checking the contents of the image against the associated tarballs from https://partner-images.canonical.com/core/ as you've indicated.
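
The comparison tianon suggests above, as an added example that is not part of this issue thread or of AJRepo's docker_image_checks tool: it extracts two root-filesystem tarballs (a `docker export` of a container created from the pulled image, and the root tarball from partner-images.canonical.com) and diffs the sha256 of every regular file. The ignore list for files Docker injects at container creation (`/.dockerenv`, `/etc/hostname`, `/etc/hosts`, `/etc/resolv.conf`) and the tarball file names are assumptions; GNU tar and coreutils `sha256sum` are assumed. The sample tarballs at the bottom are constructed so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not code from this issue or from AJRepo's docker_image_checks):
# compare the regular-file contents of two root-filesystem tarballs, e.g. a
# `docker export` of a container created from ubuntu:focal against the root
# tarball from https://partner-images.canonical.com/core/focal/<serial>/.
# Assumes GNU tar and coreutils sha256sum; file names below are assumptions.
set -u

# Paths Docker injects at container creation that are absent from Canonical's
# tarball (assumed ignore list; override with IGNORE_RE). Matches the tail of a
# "<sha256>  ./path" line.
IGNORE_RE=${IGNORE_RE:-'  \./(\.dockerenv|etc/(hostname|hosts|resolv\.conf))$'}

# tar_manifest TARBALL: print "<sha256>  <path>" for every regular file in the
# tarball, sorted by path. Only file contents are compared: ownership, mode and
# mtime differences do not show up, and symlinks/directories are not listed.
tar_manifest() {
  local tarball=$1 workdir
  workdir=$(mktemp -d)
  tar -xf "$tarball" -C "$workdir"
  ( cd "$workdir" && find . -type f -exec sha256sum {} + ) \
    | grep -Ev "$IGNORE_RE" | sort -k2
  rm -rf "$workdir"
}

# compare_rootfs A.tar B.tar: print a unified diff of the two manifests and
# return 0 when all file contents match, 1 when any file differs or is missing.
compare_rootfs() {
  local a=$1 b=$2 ma mb rc=0
  ma=$(mktemp); mb=$(mktemp)
  tar_manifest "$a" > "$ma"
  tar_manifest "$b" > "$mb"
  diff -u -L "$a" -L "$b" "$ma" "$mb" || rc=1
  rm -f "$ma" "$mb"
  return $rc
}

# Constructed sample data for a stand-alone run: three tiny trees. docker_ok
# only adds the Docker-injected /.dockerenv (ignored); docker_bad also has a
# modified /usr/bin/hello, which the diff must report.
make_sample_tarballs() {
  local base=$1 v
  for v in canonical docker_ok docker_bad; do
    mkdir -p "$base/$v/etc" "$base/$v/usr/bin"
    printf 'DISTRIB_CODENAME=focal\n' > "$base/$v/etc/lsb-release"
    printf '#!/bin/sh\necho hello\n' > "$base/$v/usr/bin/hello"
  done
  : > "$base/docker_ok/.dockerenv"
  : > "$base/docker_bad/.dockerenv"
  printf 'echo tampered\n' >> "$base/docker_bad/usr/bin/hello"
  for v in canonical docker_ok docker_bad; do
    tar -cf "$base/$v.tar" -C "$base/$v" .
  done
}

# Usage: ./compare_rootfs.sh <canonical-root.tar.gz> <docker-export.tar>
# The second tarball would come from, e.g.:
#   docker create --name focal-check ubuntu:focal && docker export focal-check > focal-export.tar
# With no arguments, run against the constructed sample data instead.
if [ "$#" -eq 2 ]; then
  compare_rootfs "$1" "$2"
elif [ "$#" -eq 0 ]; then
  demo=$(mktemp -d)
  make_sample_tarballs "$demo"
  echo "== canonical vs docker_ok (only /.dockerenv added; expected: match)"
  compare_rootfs "$demo/canonical.tar" "$demo/docker_ok.tar" && echo "match"
  echo "== canonical vs docker_bad (expected: differ)"
  compare_rootfs "$demo/canonical.tar" "$demo/docker_bad.tar" || echo "differ"
  rm -rf "$demo"
fi
```

Because `docker export` flattens all layers into one tree, this catches content added, removed or changed at any layer, but it deliberately ignores metadata; if a check on ownership or setuid bits is wanted, `find -printf` fields would have to be added to the manifest as well.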

AJRepo (Author) commented Apr 13, 2021

I do that, but it's kind of a grind to do it manually, and a lot of other docker images use Ubuntu as the core anyway, so that's why I've been writing a bash tool to automate that comparison, which led to this question. https://github.com/AJRepo/docker_image_checks

I guess I'll close this ticket then. Thanks again.

@AJRepo AJRepo closed this as completed Apr 13, 2021