
Does anyone have a good solution for a generic container signature verification? From what I've seen (please correct any mistakes)

  • Docker Hub uses signatures based on "Notary", that needs docker
  • RedHat use their own signing mechanism, that needs podman

As I can't install both podman and docker (containerd.io and runc have a conflict in RHEL, maybe a different host would allow it?) there seems to be no way to validate signatures that works for both sources.

Even if I could install them both I'd need to parse the Dockerfile, work out where the source image was, do a docker/podman pull on the images and then do the build if no pulls fail. (Which feels likely to fail!)

For example: a build stage uses a container from Docker Hub (e.g. maven) and the run stage one from Red Hat (e.g. registry.access.redhat.com/ubi8).

I really want a generic "validate the container signature at this URL" function that I can drop into a CI/CD tool. Some teams like using the RH registry, some Docker Hub, some mix and match.

Any good ideas? Obvious solutions I missed?

Max Allan

1 Answer


Look at cosign: https://github.com/sigstore/cosign

$ cosign verify --key cosign.pub dlorenc/demo

EricBDev
  • I have tried to follow cosign instructions before. Where do I find the public key for containers? Without the .pub file - you can't verify the signature. Also, cosign seems to use sha256 signatures. RedHat's container signing uses GPG, so I can't see cosign validating RedHat's images. It doesn't even look like cosign works with DCT either. It feels like you answered the headline without reading the detail. – Max Allan Aug 19 '22 at 13:24
  • cosign offers a very valid approach to the problem. Kindly research their documentation. You can generate the keys, the signature (with a private key) and later validate the image against the public key. All the commands are one-liners. Cosign verifies the sha256 hash of the image, this is why sha256 was mentioned in the documentation. The signature itself uses ECDSA-P256. – Andrew Rukin Dec 23 '22 at 11:53
  • "Where do I find the public key for containers?" - here is the command to sign the image 'user/tag' with a local key 'cosign.key', upload the signature to the dockerhub and save the signature itself into a file: cosign sign --key cosign.key --output-signature=disconnected.sig user/tag – Andrew Rukin Dec 23 '22 at 11:58
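As an added example (not from the post, the answer, or cosign's own docs), a POSIX shell wrapper that does the CI/CD step the question describes: pull the base images out of a Dockerfile's FROM lines and run the answer's `cosign verify --key` against each one before the build starts. It assumes cosign is on PATH and that COSIGN_PUB names the public key the image publisher distributed; the sample Dockerfile is constructed here.

```shell
#!/bin/sh
# Added example: verify every base image of a Dockerfile with cosign
# before building. A key you generated yourself only proves that you
# signed an image; verifying a third party's image needs the public key
# that party published, which is what COSIGN_PUB must point at (assumed).

# Print the image references used by FROM lines, one per line, in order.
# Handles "FROM --platform=... image AS stage" and skips FROM lines that
# name an earlier build stage instead of a registry image.
dockerfile_images() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && substr($i, 1, 2) == "--") i++   # skip --platform etc.
            img = $i
            for (j = i + 1; j < NF; j++)                       # remember "AS name"
                if (toupper($j) == "AS") stages[$(j+1)] = 1
            if (img in stages) next                            # alias of an earlier stage
            if (!(img in seen)) { print img; seen[img] = 1 }
        }
    ' "$1"
}

# Verify one image; returns cosign's exit status (0 = signature valid
# for the key in COSIGN_PUB, anything else = do not build on this image).
verify_image() {
    cosign verify --key "${COSIGN_PUB:?set COSIGN_PUB to the publisher public key}" "$1" >/dev/null
}

# Verify all base images of a Dockerfile; non-zero if any one fails.
verify_dockerfile() {
    rc=0
    for img in $(dockerfile_images "$1"); do
        if verify_image "$img"; then echo "OK   $img"
        else echo "FAIL $img" >&2; rc=1; fi
    done
    return $rc
}

# Constructed sample mirroring the question's build: Docker Hub maven
# stage, a test stage built on it, and a Red Hat UBI run stage.
SAMPLE_DOCKERFILE=$(mktemp)
cat >"$SAMPLE_DOCKERFILE" <<'EOF'
FROM --platform=linux/amd64 maven:3.8-openjdk-11 AS build
RUN mvn -q package
FROM build AS tester
RUN mvn -q test
FROM registry.access.redhat.com/ubi8
COPY --from=build /src/target/app.jar /app.jar
EOF
dockerfile_images "$SAMPLE_DOCKERFILE"
# In CI: verify_dockerfile ./Dockerfile || exit 1
```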