To me, one of the requirements for putting Docker into production use would be the ability to verify that any images we use as base images are in fact the official "ubuntu" or "busybox" images. I'm not seeing any obvious evidence that images on the public repository are cryptographically signed so that it may be verified that they haven't been tampered with. Am I missing something?
(As an alternative, I suppose it would be possible to start from scratch with our own base images in our own private registry, but even then I'd want to put some checks in place that we don't accidentally pull anything from the public repo.)
Currently, apparently no useful validation is done.
As Adrian Mouat says, Docker 1.3 added "something" to do with image verification.
However, findings in this post indicate that only the manifest rather than the image itself is currently verified. That is, the manifest is signed and checked, but the checksum it contains for the image doesn't appear to be used correctly to check the image itself hasn't been tampered with. It is worrying that the apparently broken checksum verification slipped through to a release.
Docker does do "Digital Signature Verification" as of release 1.3, although it is still in very early stages. This verification ensures that any official image you download has not been tampered with in transit. At the time of writing, some official images need to do more work with regard to ensuring files downloaded during the image building process are properly checked against stored hashes.
You may also want to look at this post on container provenance.
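The gap discussed in the answers above (a verified manifest whose layer checksums are not enforced) can be illustrated with this added example, which is not from the original posts or from Docker's code. It assumes the manifest signature has already been checked, uses a simplified manifest layout (a `layers` list of `sha256:` digests) that is not Docker's real format, and runs on constructed sample layers.

```python
import hashlib


class LayerDigestMismatch(Exception):
    """A downloaded layer does not match the digest in the trusted manifest."""


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_layers(manifest: dict, fetched: dict) -> list:
    """Return layer blobs in manifest order, or raise on any mismatch.

    `fetched` maps the digest that was requested to the bytes received.
    The check fails closed: a missing or altered layer aborts the pull
    instead of being logged and used anyway.
    """
    verified = []
    for expected in manifest["layers"]:
        blob = fetched.get(expected)
        if blob is None:
            raise LayerDigestMismatch(f"{expected}: layer not downloaded")
        actual = sha256_digest(blob)
        if actual != expected:
            raise LayerDigestMismatch(f"expected {expected}, got {actual}")
        verified.append(blob)
    return verified


# Constructed sample data (hypothetical image name and layer contents).
LAYERS = [b"constructed base layer", b"constructed app layer"]
MANIFEST = {"name": "example/base", "layers": [sha256_digest(l) for l in LAYERS]}
FETCHED = {sha256_digest(l): l for l in LAYERS}


def tampered_copy(fetched: dict) -> dict:
    """Simulate altered bytes arriving under an unchanged digest."""
    bad = dict(fetched)
    first = MANIFEST["layers"][0]
    bad[first] = bad[first] + b" (modified)"
    return bad


if __name__ == "__main__":
    print(len(verify_layers(MANIFEST, FETCHED)), "layers verified")
    try:
        verify_layers(MANIFEST, tampered_copy(FETCHED))
    except LayerDigestMismatch as exc:
        print("rejected:", exc)
```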