#6230 sign our docker images
Closed: Get back later 4 years ago by syeghiay. Opened 8 years ago by mattdm.

This is a long-term task -- I just wanted to throw it somewhere. Docker 1.8 includes the ability to sign images, and we should do that. https://blog.docker.com/2015/08/docker-1-8-content-trust-toolbox-registry-orchestration/


I'm relatively certain that the signing has to be done by Docker Hub because they are the distribution layer and it looks as though this is already done:

{{{

$ docker pull fedora
Using default tag: latest
Trying to pull repository docker.io/library/fedora ... latest: Pulling from library/fedora
48ecf305d2cf: Pull complete
ded7cd95e059: Pull complete
library/fedora:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:49ae2d6d0b51f713a18db1c0da9fb1b5c94e92eb43cd712ba09028161ea22880
Status: Downloaded newer image for docker.io/fedora:latest

}}}

Verified, the images are signed by Docker on the Docker Hub. No further action needed by Fedora, the current workflow we follow for https://github.com/docker-library/official-images handles the signing on their end.

If we provide our own registry as it seems we will, for rawhide etc we should look at what it will take to sign the images we provide.
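The pull transcript above reports the image as "verified" but also says that verification is a tech preview, so the check that actually gives assurance is comparing the pulled digest against one pinned in advance. Added example (not from the ticket or from Fedora's tooling) that extracts the `Digest:` line from a constructed copy of that output and compares it with an operator-pinned digest; `extract_digest` and `check_pinned_digest` are hypothetical names.

```shell
# Constructed sample: the `docker pull fedora` output quoted in the ticket.
SAMPLE_PULL_OUTPUT='Using default tag: latest
Trying to pull repository docker.io/library/fedora ... latest: Pulling from library/fedora
48ecf305d2cf: Pull complete
ded7cd95e059: Pull complete
library/fedora:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:49ae2d6d0b51f713a18db1c0da9fb1b5c94e92eb43cd712ba09028161ea22880
Status: Downloaded newer image for docker.io/fedora:latest'

# Digest the operator pinned beforehand (here the one shown in the ticket).
EXPECTED_DIGEST='sha256:49ae2d6d0b51f713a18db1c0da9fb1b5c94e92eb43cd712ba09028161ea22880'

# Print the first "Digest: sha256:<64 hex>" value found in pull output read from stdin.
extract_digest() {
    sed -n 's/^Digest: *\(sha256:[0-9a-f]\{64\}\)$/\1/p' | head -n 1
}

# check_pinned_digest PULL_OUTPUT EXPECTED
# Returns 0 when the pulled digest matches the pinned one, 1 on mismatch,
# 2 when the output carries no digest at all (treat both failures as "do not run").
check_pinned_digest() {
    pulled=$(printf '%s\n' "$1" | extract_digest)
    [ -n "$pulled" ] || { echo "no digest in pull output" >&2; return 2; }
    [ "$pulled" = "$2" ] || { echo "digest mismatch: got $pulled, want $2" >&2; return 1; }
    echo "digest ok: $pulled"
}

# Stand-alone run against the constructed sample.
check_pinned_digest "$SAMPLE_PULL_OUTPUT" "$EXPECTED_DIGEST"
```

In practice the pull output would come from `docker pull ... 2>&1` and the expected value from a pinned manifest list kept under version control.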

Metadata Update from @mattdm:
- Issue assigned to maxamillion

7 years ago

registry.fedoraproject.org is live but we don't have anything in place to provide "general use" signing. There has been work done by Patrick that handles signing in a way that works with the atomic cli, but the only way to get direct integration with the docker client such that non-Fedora/RHEL/CentOS users can take advantage is to use notary which isn't ideal for various reasons that have been pointed out in the past by Fedora security folks. The signing of images is live today in Production but is not yet fully automated. I will update when we have that in place.

Metadata Update from @maxamillion:
- Issue close_status updated to: None

7 years ago

@Kellin will ping @puiterwijk to see if signing automation is done.

@kellin did ping @puiterwijk but haven't heard back yet. Will check again.

{{{
10:32 (      Kellin) smooge: do you know if we sign our docker images?  https://pagure.io/releng/issue/6230  for reference
10:33 (      smooge) I do not. That would actually be more likely a question for releng people
10:33 (      Kellin) smooge: I am releng :)  our notes say ask patrick, but since the oncall is a thing now...we ask oncall :)
10:34 (      smooge) my notes say it falls under releng and I need to ask them
10:34 (      Kellin) LOL
10:34 * puiterwijk reads
10:35 (      Kellin) bowlofeggs: did mboddu get with you RE: https://pagure.io/releng/issue/6482
10:35 (  puiterwijk) Kellin: we have docker signing, just another format.
10:35 (      Kellin) puiterwijk: how do you mean "another format", you mean a different kind of signing?
}}}

@puiterwijk if you could clarify what you meant by a different kind of signing; also how can we identify signing errors for containers for escalation purposes.

Metadata Update from @syeghiay:
- Issue tagged with: meeting

5 years ago

From our releng meeting on June 21st 2018:

[13:58:57] <mboddu> #info With upcoming new robosig, we will start supporting container signing and they will be signed just like what we have with rpms today, containers will be signed when they are submitted to bodhi.

@puiterwijk , when is new robosig going to get deployed?

No new information. Still waiting to hear from @puiterwijk ...

Still waiting on @puiterwijk to work on this ticket.

@humaton is happy to help with some guidance from @puiterwijk

From our grooming discussion on #fedora-releng channel on Apr 12 2019

Need some upstream robosig work to enable this. Will add "waiting on external" tag and create and link the robosig ticket

https://pagure.io/robosignatory/issue/22

Metadata Update from @mohanboddu:
- Issue untagged with: meeting
- Issue tagged with: waiting on external

4 years ago

Cannot be done since an update to robosignatory is required.

Metadata Update from @syeghiay:
- Issue close_status updated to: Get back later
- Issue status updated to: Closed (was: Open)

4 years ago
