This is a long-term task -- I just wanted to throw it somewhere. Docker 1.8 includes the ability to sign images, and we should do that. https://blog.docker.com/2015/08/docker-1-8-content-trust-toolbox-registry-orchestration/
I'm relatively certain that the signing has to be done by Docker Hub because they are the distribution layer and it looks as though this is already done:
{{{
$ docker pull fedora
Using default tag: latest
Trying to pull repository docker.io/library/fedora ...
latest: Pulling from library/fedora
48ecf305d2cf: Pull complete
ded7cd95e059: Pull complete
library/fedora:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:49ae2d6d0b51f713a18db1c0da9fb1b5c94e92eb43cd712ba09028161ea22880
Status: Downloaded newer image for docker.io/fedora:latest
}}}
Verified, the images are signed by Docker on the Docker Hub. No further action needed by Fedora, the current workflow we follow for https://github.com/docker-library/official-images handles the signing on their end.
If we provide our own registry as it seems we will, for rawhide etc we should look at what it will take to sign the images we provide.
Metadata Update from @mattdm: - Issue assigned to maxamillion
registry.fedoraproject.org is live but we don't have anything in place to provide "general use" signing. There has been work done by Patrick that handles signing in a way that works with the atomic cli, but the only way to get direct integration with the docker client such that non-Fedora/RHEL/CentOS users can take advantage is to use notary which isn't ideal for various reasons that have been pointed out in the past by Fedora security folks. The signing of images is live today in Production but is not yet fully automated. I will update when we have that in place.
Metadata Update from @maxamillion: - Issue close_status updated to: None
@Kellin will ping @puiterwijk to see if signing automation is done.
@kellin did ping @puiterwijk but hasn't heard back yet. Will check again.
{{{
10:32 ( Kellin) smooge: do you know if we sign our docker images? https://pagure.io/releng/issue/6230 for reference
10:33 ( smooge) I do not. That would actually be more likely a question for releng people
10:33 ( Kellin) smooge: I am releng :) our notes say ask patrick, but since the oncall is a thing now...we ask oncall :)
10:34 ( smooge) my notes say it falls under releng and I need to ask them
10:34 ( Kellin) LOL
10:34 * puiterwijk reads
10:35 ( Kellin) bowlofeggs: did mboddu get with you RE: https://pagure.io/releng/issue/6482
10:35 ( puiterwijk) Kellin: we have docker signing, just another format.
10:35 ( Kellin) puiterwijk: how do you mean "another format", you mean a different kind of signing?
}}}
@puiterwijk if you could clarify what you meant by a different kind of signing; also how can we identify signing errors for containers for escalation purposes.
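As an added example, not code from this ticket or from Fedora's release tooling: a small parser that takes the `docker pull` transcript format quoted earlier in the ticket (a "has been verified" line, a `Digest: sha256:...` line, a `Status:` line) and turns it into an escalation verdict, which is the kind of check the question above about identifying signing errors is asking for. The two sample transcripts are constructed: the verified one is reconstructed from the ticket's own pull output, the unverified one drops the verification line and uses a hypothetical `registry.example.test` host. The expected-digest pin, the `PullResult` fields and the verdict names are this example's own choices.

```python
"""Added example: classify `docker pull` output for escalation.

Assumes the Docker 1.8-era content-trust transcript format quoted in the
ticket. Both sample transcripts below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Reconstructed from the pull transcript quoted in the ticket (sample input).
VERIFIED_PULL = """\
$ docker pull fedora
Using default tag: latest
Trying to pull repository docker.io/library/fedora ...
latest: Pulling from library/fedora
48ecf305d2cf: Pull complete
ded7cd95e059: Pull complete
library/fedora:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:49ae2d6d0b51f713a18db1c0da9fb1b5c94e92eb43cd712ba09028161ea22880
Status: Downloaded newer image for docker.io/fedora:latest
"""

# Constructed: the same pull from a hypothetical registry that does not sign,
# so the client prints no verification line at all.
UNVERIFIED_PULL = """\
$ docker pull registry.example.test/fedora
Using default tag: latest
latest: Pulling from fedora
48ecf305d2cf: Pull complete
ded7cd95e059: Pull complete
Digest: sha256:49ae2d6d0b51f713a18db1c0da9fb1b5c94e92eb43cd712ba09028161ea22880
Status: Downloaded newer image for registry.example.test/fedora:latest
"""

VERIFIED_RE = re.compile(r"^(?P<image>\S+): The image you are pulling has been verified\.")
DIGEST_RE = re.compile(r"^Digest: (?P<digest>sha256:[0-9a-f]{64})$")
TECH_PREVIEW_RE = re.compile(r"image verification is a tech preview feature")
STATUS_RE = re.compile(r"^Status: (?P<status>.+)$")


@dataclass
class PullResult:
    verified: bool                # a "has been verified" line was present
    image: Optional[str]          # image name reported on the verification line
    digest: Optional[str]         # content digest reported by the client
    tech_preview_warning: bool    # the client itself says not to rely on the check
    status: Optional[str]


def parse_pull_output(text: str) -> PullResult:
    """Scan the client transcript line by line and collect the trust-relevant fields."""
    result = PullResult(False, None, None, False, None)
    for raw in text.splitlines():
        line = raw.strip()
        m = VERIFIED_RE.match(line)
        if m:
            result.verified = True
            result.image = m.group("image")
        if TECH_PREVIEW_RE.search(line):
            result.tech_preview_warning = True
        m = DIGEST_RE.match(line)
        if m:
            result.digest = m.group("digest")
        m = STATUS_RE.match(line)
        if m:
            result.status = m.group("status")
    return result


def classify_pull(text: str, expected_digest: Optional[str] = None) -> str:
    """Map a transcript to an escalation verdict.

    'unverified'      - no verification line, or no digest at all
    'digest-mismatch' - verified, but not the digest the deployment pinned
    'ok'              - verified and (if a pin was given) matches it
    """
    r = parse_pull_output(text)
    if not r.verified or r.digest is None:
        return "unverified"
    if expected_digest is not None and r.digest != expected_digest:
        return "digest-mismatch"
    return "ok"


if __name__ == "__main__":
    pin = "sha256:49ae2d6d0b51f713a18db1c0da9fb1b5c94e92eb43cd712ba09028161ea22880"
    for name, transcript in (("hub", VERIFIED_PULL), ("own-registry", UNVERIFIED_PULL)):
        r = parse_pull_output(transcript)
        flag = "tech-preview" if r.tech_preview_warning else ""
        print(name, classify_pull(transcript, pin), r.digest, flag)
```

Matching on client text is a monitoring aid, not the control: the transcript itself says the verification is a tech preview, and the durable check is pinning the digest the deployment expects and failing the pull when it differs, which is what the `expected_digest` argument models.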
Metadata Update from @syeghiay: - Issue tagged with: meeting
From our releng meeting on June 21st 2018:
[13:58:57] <mboddu> #info With upcoming new robosig, we will start supporting container signing and they will be signed just like what we have with rpms today, containers will be signed when they are submitted to bodhi.
@puiterwijk , when is new robosig going to get deployed?
No new information. Still waiting to hear from @puiterwijk ...
No change in status.
Still waiting on @puiterwijk to work on this ticket.
@humaton is happy to help with some guidance from @puiterwijk
From our grooming discussion on #fedora-releng channel on Apr 12 2019
Need some upstream robosig work to enable this. Will add "waiting on external" tag and create and link the robosig ticket
https://pagure.io/robosignatory/issue/22
Metadata Update from @mohanboddu:
- Issue untagged with: meeting
- Issue tagged with: waiting on external
Cannot be done since an update to robosignatory is required.
Metadata Update from @syeghiay: - Issue close_status updated to: Get back later - Issue status updated to: Closed (was: Open)