Start using Docker Content Trust
nhoughto opened this issue · 5 comments
So we would like to use minideb as a base for our images, but we have a requirement that we need to either pin or verify the upstream image we depend on. We like the philosophy of minideb that it is regularly rebuilt and kept up-to-date, but we can't use it as we don't want to pin to a specific sha256 hash (lose rebuild benefits) and we can't use Docker Content Trust as you guys don't support it. Would be great if you could start supporting it =)
https://docs.docker.com/engine/security/trust/content_trust/
@nhoughto thanks, I'm not sure we were aware of content trust, will definitely look into that!
@prydonius yes, after fixing a couple more issues, the deploy task finally worked:
```
$ DOCKER_CONTENT_TRUST=1 docker pull bitnami/minideb
Using default tag: latest
Pull (1 of 1): bitnami/minideb:latest@sha256:986e3bde074c25f697b67654ee4ac2f3759c3ff80793100215b2057db954dd06
sha256:986e3bde074c25f697b67654ee4ac2f3759c3ff80793100215b2057db954dd06: Pulling from bitnami/minideb
38c77e4048a1: Pull complete
Digest: sha256:986e3bde074c25f697b67654ee4ac2f3759c3ff80793100215b2057db954dd06
Status: Downloaded newer image for bitnami/minideb@sha256:986e3bde074c25f697b67654ee4ac2f3759c3ff80793100215b2057db954dd06
Tagging bitnami/minideb@sha256:986e3bde074c25f697b67654ee4ac2f3759c3ff80793100215b2057db954dd06 as bitnami/minideb:latest
```
Nice! @nhoughto, it's been a while, but it'd be great if you had some time to look into this and provide any feedback!
works a treat, thanks for getting it done. We will be moving all our base images to minideb now