Tag signatures seem to be broken #1065
Comments
@tianon any idea?

The process described in docker-library/official-images#1516 is still accurate (in other words, we don't have any involvement or insight into the signing process); I'll poke internally at Docker and see if someone can take a look at what's up.

Just for the record, it appears that similar problems happened before: docker-library/official-images#5874

@tianon Any luck with the poking?

docker-library/official-images#5874 (comment) was the (successful) result of my last round of poking.
Still facing the issue, so we decided to pull via the image digest, gotten from here. @tianon am I right to say this should be as safe as using DCT, but just that we have to be more involved in our node upgrade process compared to using docker tags?

```
bash-3.2$ export DOCKER_CONTENT_TRUST=1
bash-3.2$ docker pull node:12.9.0-alpine
No valid trust data for 12.9.0-alpine
bash-3.2$ docker pull node@sha256:b1a32805dbe3894722db93b7f1a3489a208ddf4e9b9341d1e8d3e366fcc0998d
sha256:b1a32805dbe3894722db93b7f1a3489a208ddf4e9b9341d1e8d3e366fcc0998d: Pulling from library/node
Digest: sha256:b1a32805dbe3894722db93b7f1a3489a208ddf4e9b9341d1e8d3e366fcc0998d
Status: Image is up to date for node@sha256:b1a32805dbe3894722db93b7f1a3489a208ddf4e9b9341d1e8d3e366fcc0998d
docker.io/library/node@sha256:b1a32805dbe3894722db93b7f1a3489a208ddf4e9b9341d1e8d3e366fcc0998d
```
I don't believe notary is consulted at all when you pull by digest, but I'd generally recommend pulling by digest anyhow if you want to make sure you're getting the exact bits you expect to be (especially over time).
@dyihoon90 My understanding is that DCT binds tags to digests, so you can be sure that pulling a tag gives you a legitimate image. And if you pull directly by the digest then the end result is the same, but the process is less convenient. (Of course it also depends on the proper implementation of digest verification in the Docker client--if that part is broken then I guess there can be no guarantees at all.)
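An added example (not from this thread, and not the Docker client's own code) of why a digest-pinned pull needs no notary data: the reference pins the manifest hash, and the manifest in turn pins the config and each layer by hash and size. The manifest, blobs and reference below are constructed for illustration; a real client runs the same comparison against registry responses.

```python
import hashlib
import hmac
import json
import re

# Reference grammar, simplified: name[:tag][@sha256:hex]. Registries with a
# port (host:5000/repo) are not handled by this toy parser.
_REF_RE = re.compile(
    r"^(?P<name>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_ref(ref):
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable reference: {ref}")
    return m.group("name"), m.group("tag"), m.group("digest")

def sha256_digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()

def verify_pinned(ref, manifest_bytes, blobs):
    """True iff manifest_bytes hashes to the digest pinned in ref and every
    config/layer blob the manifest references matches its own digest and size."""
    _, _, pinned = parse_ref(ref)
    if pinned is None:
        # A bare tag carries no digest to check locally; only trust data
        # (notary/DCT) could vouch for it, and that is what is missing here.
        raise ValueError("reference is not pinned by digest; nothing to verify")
    if not hmac.compare_digest(sha256_digest(manifest_bytes), pinned):
        return False
    manifest = json.loads(manifest_bytes)
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = blobs.get(desc["digest"])
        if blob is None or len(blob) != desc["size"]:
            return False
        if not hmac.compare_digest(sha256_digest(blob), desc["digest"]):
            return False
    return True

def build_sample():
    """Constructed sample image (not real node bits): one config, one layer."""
    config = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
    layer = b"constructed layer tarball bytes"
    manifest = json.dumps({
        "schemaVersion": 2,
        "config": {"size": len(config), "digest": sha256_digest(config)},
        "layers": [{"size": len(layer), "digest": sha256_digest(layer)}],
    }, separators=(",", ":")).encode()
    blobs = {sha256_digest(config): config, sha256_digest(layer): layer}
    return "docker.io/library/node@" + sha256_digest(manifest), manifest, blobs
```

A tag-only reference is rejected up front, because without trust data there is nothing local to compare it against; the "No valid trust data" error above is the DCT-side symptom of the same gap.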
Anyone looking into this at the moment? Since we rely on trusted images this is quite a big deal... |


It seems that something is wrong with signing base Node images' tags on Docker Hub:

As you can see, the signed node:latest tag is outdated while the unsigned one is recent (and matches node:12.6.0). (By the way, there seem to be two digests for the same image, hopefully that's fine?)

Also, it appears that the recent images have no signed counterparts:

But images pushed roughly 5 months ago are still signed: