Skip to content

Image manifest JWS verification #1331

New issue
New issue
Closed
Closed
Image manifest JWS verification#1331
Labels
EpicRepresents a ZenHub Epicarea/dockerSupport for the Docker operationsarea/securityManagement of security functionality and other issues that impact securitycomponent/imageckind/investigationA scoped effort to learn the answers to a set of questions which may include prototypingpriority/p1resolution/will-not-fixThis issue is valid, but will not be fixed
Milestone
Sprint 39
@hickeng

Description

@hickeng
hickeng
opened on Jul 1, 2016

Story
As a user I want to know that the image I pull has not been tampered with

Details
Implementation of the JWS signature validation on image manfiests should be performed in the lib/imagec code.
The digest for the image layers is already computed and verified by the portlayer.WriteImage call

  • verify that the layer digests are passed to this call

There should be no provision for accepting an image that fails signature validation if a signature is present.

Acceptance

  • layer with checksum that does not match the layer digest - should be rejected
  • image manifest that fails validation via JWS signature - should be rejected
  • layers and images with correct digests should be accepted

bug1727662

Metadata

Metadata

Assignees

No one assigned

    Labels

    EpicRepresents a ZenHub Epicarea/dockerSupport for the Docker operationsarea/securityManagement of security functionality and other issues that impact securitycomponent/imageckind/investigationA scoped effort to learn the answers to a set of questions which may include prototypingpriority/p1resolution/will-not-fixThis issue is valid, but will not be fixed

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions