Sign local container images before they are pushed to registries #777
Comments
yizha1
changed the title
|
why couldn’t we standardizing in OCI tar output from buildx? |
|
Per investigation in the Sign local images PRD and discussion in the community meeting on Oct 31, we chose to defer this feature to future releases since it has external dependencies. So I updated the milestone from v1.1.0 to future. We will need to prepare another proposal for integration with other image build tools (e.g. Docker buildx) What we can improve in Notation v1.1.0 for the existing feature of signing local image is to update the user guide to simplify the prerequisite steps. |
|
I see milestone is still set to "future", so this is not going to be addressed in v1.2.0 for example? Can you also elaborate what the "external dependencies" mentioned are, and if there is expected timeline for solving those? |
|
Hi @tuminoid , Thanks for your interest in this feature plan. Are you looking for a local signing solution in Notation? |
|
Hi @FeynmanZhou. We consider it both convenience feature (pushing, signing, pulling vs signing) and also as mentioned in the description, a security gap. There is workaround via |
Is your feature request related to a problem?
Background
Nowadays, in order to sign container images, users must first push the images to a registry. However, registries are not within the trust boundary of Notation, as outlined in the threat model. If a registry is compromised, attackers can tamper with container images during the short period between when they are pushed to the registry and when they are signed by users. From the perspective of image consumers, the image can be verified against the signature successfully, but it may still be malicious. This is a serious security issue that cannot be easily detected.
Notation supports an experimental feature that allows users to sign a local image in OCI layout format. However, this is not how most users build their container images. Most users build container images using Docker Engine, including Docker CLI and
dockerdas the daemon. The container images built on a local machine are not in the format of OCI layout; instead, they are in Docker’s own format. Docker Engine also supportscontainerdas the daemon, and the image built on a local machine is in the format of OCI layout with minor differences. However, supportingcontainerdis not yet a stable feature.Scenario
A software engineer wants to sign local container images built by
docker buildbefore pushing images to a registry. Verification of the image should be the same workflow for signing and verifying images stored in OCI complaint registry.What solution do you propose?
docker savecommand can save a local image into a tar file, however, it is in the format of docker own, not OCI layout or other standard format. The tar file is not the one thatdocker pushcommand pushes to the registry. So, if we sign local images created bydocker savecommand, the digest is different from digest of manifest of the image that is pushed to the container registry. To sign tar file created bydocker save, and verify it beforedocker load, I would suggest considering feature sign and verify arbitrary file.My proposal is to create an official docker plugin to generate an OCI descriptor and sign the descriptor. Here is the experience.
docker build/buildxdocker build -t localhost:5001/net-monitor:v1 https://github.com/wabbit-networks/net-monitor.git#maindocker imagesdescriptorto generate a OCI descriptor for the container image.docker descriptor generate localhost:5001/net-monitor:v1-o net-monitor.jsonnotation sign --descriptor net-monitor.json --output-signature digest.sigdocker push localhost:5001/net-monitor:v1notation push digest.sig localhost:5001/net-monitor:v1notation listWhat alternatives have you considered?
Use a tool to convert local docker images to an OCI layout, and then sign the OCI layout as the experimental feature.
Any additional context?
No response
The text was updated successfully, but these errors were encountered: