
Let's say a company has pushed and signed an image on its own docker registry using its X509 certificate and corresponding private key issued by a public CA.

Having a copy of their certificate on my computer, how can I verify that the image I pulled from their registry is really signed by them?

Marc
    First you'll have to verify that this certificate was really issued by them. And I'm not sure how you can do that with a self-signed certificate (this is what they have, right?). This is the whole point of having certification authorities and chain of trust. – Sergio Tulentsev Dec 12 '18 at 16:58
  • @Sergio, sorry that was not clear, I meant that the company has a certificate issued by a public CA, not a private or self-signed – Marc Dec 13 '18 at 10:34
  • Ah, that's good to hear. I don't know how to do the other part, but let's wait, maybe someone does. – Sergio Tulentsev Dec 13 '18 at 10:38
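The two checks the question and comments are circling (does the signer's certificate chain to a CA I trust, and does the signature over what I pulled verify with that certificate's key) can be shown with plain openssl. The script below is an added example, not part of the question or of any answer, and it stands in for whatever format a real registry signing tool produces (Docker Content Trust / Notary and cosign each wrap these checks in their own envelope): it builds a throwaway "public CA", a company certificate issued by it, a rogue CA with an impostor certificate carrying the same CN, and a constructed manifest, then verifies the genuine signature and rejects a tampered manifest and the impostor. All names, paths and the manifest content are constructed; only the `openssl` CLI is assumed.

```shell
#!/bin/sh
# Added example (not from the question or any answer). Shows the two checks a
# verifier needs: (1) the signer's certificate chains to a CA we trust, and
# (2) the signature over the pulled manifest verifies with that certificate's key.
# Everything below is constructed: throwaway CAs, throwaway certificates, and a
# fake manifest standing in for the one the registry would return.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Helper: self-signed CA certificate + key (stand-in for a real public CA).
make_ca() {   # $1=CN  $2=file basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Helper: leaf certificate signed by the named CA.
make_leaf() {   # $1=CN  $2=file basename  $3=CA basename
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The verification routine: returns 0 only if BOTH checks pass.
verify_signed_manifest() {   # $1=manifest $2=signature $3=signer cert $4=trusted CA bundle
  pub="$WORK/signer-pub.pem"
  # Check 1: chain of trust. A certificate that merely claims the company's
  # name is rejected unless it was issued by a CA in the trusted bundle.
  openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 || return 1
  # Check 2: the signature over the manifest bytes verifies with the cert's key.
  openssl x509 -in "$3" -pubkey -noout > "$pub" 2>/dev/null
  openssl dgst -sha256 -verify "$pub" -signature "$2" "$1" >/dev/null 2>&1
}

# --- constructed setup ---
make_ca "Example Public CA" ca                # the CA our verifier trusts
make_leaf "company.example" company ca        # the company's genuine certificate
make_ca "Rogue CA" rogue-ca                   # a CA nobody trusts
make_leaf "company.example" rogue rogue-ca    # impostor cert with the same CN

# Constructed stand-in for the image manifest pulled from the registry.
printf '{"schemaVersion":2,"config":{"digest":"sha256:0123456789abcdef"}}' > "$WORK/manifest.json"
sed 's/0123/ffff/' "$WORK/manifest.json" > "$WORK/tampered.json"   # one byte changed

# The company signs the manifest with its key; the impostor signs it with the rogue key.
openssl dgst -sha256 -sign "$WORK/company.key" -out "$WORK/manifest.sig" "$WORK/manifest.json"
openssl dgst -sha256 -sign "$WORK/rogue.key"   -out "$WORK/rogue.sig"    "$WORK/manifest.json"

# Report each case: genuine passes, tampered manifest and impostor cert are rejected.
report() { if verify_signed_manifest "$@"; then echo "PASS:   $5"; else echo "REJECT: $5"; fi; }
report "$WORK/manifest.json" "$WORK/manifest.sig" "$WORK/company.pem" "$WORK/ca.pem" "genuine signature"
report "$WORK/tampered.json" "$WORK/manifest.sig" "$WORK/company.pem" "$WORK/ca.pem" "tampered manifest"
report "$WORK/manifest.json" "$WORK/rogue.sig"    "$WORK/rogue.pem"   "$WORK/ca.pem" "impostor certificate"
```

The order of the checks matters: the chain check runs first because a valid signature from a key whose certificate nobody trusts proves nothing, which is the point Sergio's comment makes. In practice the trusted bundle would be the public CA's certificate (or the system store) rather than a file you received from the company, and the signed object would be the manifest digest the registry actually serves.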

0 Answers