Sign docker hub image
shrikrishnaholla opened this issue · 2 comments
shrikrishnaholla commented
The Docker Hub image for docker-bench-security is not signed, which causes some hilarity when you try to pull the image to run a security audit when content trust is enabled and Docker says the image is not trusted.
konstruktoid commented
Thanks @shrikrishnaholla for reporting this, an oversight on our part.
@diogomonica, I believe you have to do the signing part.
diogomonica commented
Forgot to follow up. We signed it on Friday.
@shrikrishnaholla docker-bench-security is actually not an official-image yet, that is why it wasn't signed. I'm trying to get it to be an official image soon, and then it will follow the standard process for signatures. Right now it's more of a one-off, and updates might be slower.
Thank you for the report!
# docker pull --disable-content-trust=false docker/docker-bench-security
Using default tag: latest
Pull (1 of 1): docker/docker-bench-security:latest@sha256:6b6d7d58520ea5d6f7648d1f811aa6f5967c53c0281a9ec9d3ffd814861f74e5
sha256:6b6d7d58520ea5d6f7648d1f811aa6f5967c53c0281a9ec9d3ffd814861f74e5: Pulling from docker/docker-bench-security
e6c44a677827: Already exists
611b93cbc045: Already exists
0443d7b0569f: Already exists
5e1171f65b34: Already exists
Digest: sha256:6b6d7d58520ea5d6f7648d1f811aa6f5967c53c0281a9ec9d3ffd814861f74e5
Status: Image is up to date for docker/docker-bench-security@sha256:6b6d7d58520ea5d6f7648d1f811aa6f5967c53c0281a9ec9d3ffd814861f74e5
Tagging docker/docker-bench-security@sha256:6b6d7d58520ea5d6f7648d1f811aa6f5967c53c0281a9ec9d3ffd814861f74e5 as docker/docker-bench-security:latest