Replies: 1 comment
I wouldn't say the signing is pointless, rather the signing is doing exactly what it should be - providing authenticity and integrity for the image. The registry can tamper with the image but the tampering becomes evident on verification. You need to verify that the container is signed using the identity or with the expected key, to prevent the registry (or any other malicious intermediary) from signing a malicious image with their own key. If either the identity/key is mismatched or signature verification fails, you know that the image was tampered with at some point and shouldn't be trusted.
When signing a Docker image I usually follow these steps:
cosign, which also pushes the signature artifact to the registry.

The container registry could tamper with the image, for example adding a new layer, and thus the signing is pointless because I am not verifying that the digest I got when pulling again corresponds to what I previously built.
Is there a way to prevent this, for example by signing without pulling, or perhaps this is a non-problem because of the way cosign verifies authenticity of the image?
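The following is an added example, not code from this discussion or from cosign itself. It models the scenario raised in the question and the check described in the answer: a content-addressed manifest whose digest is the hash of its layer list, an untrusted registry that can append a layer, repoint a tag and attach a signature under its own key, and a client that signs and verifies by digest rather than by tag and only trusts signatures from a pinned public key. The `Manifest`, `Registry`, `Sign` and `Verify` names, the layer digests and the fixed key seeds are all constructed for the example; Ed25519 from Go's standard library stands in for cosign's signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a stand-in for an OCI image manifest: the image digest is the
// hash of this document, so any change to the layer list changes the digest.
type Manifest struct {
	Layers []string `json:"layers"`
}

// Digest returns the content address of the manifest ("sha256:<hex>").
func (m Manifest) Digest() string {
	b, _ := json.Marshal(m)
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Signature binds a public key to one image digest, the way a cosign
// signature is stored alongside the image keyed by the digest it covers.
type Signature struct {
	Digest string
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Registry is an untrusted store: it holds manifests, tags and signatures
// and is free to rewrite any of them.
type Registry struct {
	manifests map[string]Manifest
	tags      map[string]string
	sigs      map[string][]Signature
}

func NewRegistry() *Registry {
	return &Registry{map[string]Manifest{}, map[string]string{}, map[string][]Signature{}}
}

// Push stores the manifest under its digest, points the tag at it and
// returns the digest the builder should pin and sign.
func (r *Registry) Push(tag string, m Manifest) string {
	d := m.Digest()
	r.manifests[d] = m
	r.tags[tag] = d
	return d
}

func (r *Registry) AttachSignature(s Signature) { r.sigs[s.Digest] = append(r.sigs[s.Digest], s) }

// Resolve is what a pull by tag does: the registry decides which digest the tag means.
func (r *Registry) Resolve(tag string) (string, Manifest, bool) {
	d, ok := r.tags[tag]
	if !ok {
		return "", Manifest{}, false
	}
	return d, r.manifests[d], true
}

// PublicKeyOf extracts the verification key for a signing key.
func PublicKeyOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// Sign signs the digest string, never the tag, so the signature covers
// exactly one manifest.
func Sign(priv ed25519.PrivateKey, digest string) Signature {
	return Signature{Digest: digest, PubKey: PublicKeyOf(priv), Sig: ed25519.Sign(priv, []byte(digest))}
}

// Tamper models a malicious registry: it appends a layer to the tagged image,
// repoints the tag at the new digest and signs the new digest with its own key.
func (r *Registry) Tamper(tag, extraLayer string, attacker ed25519.PrivateKey) {
	_, m, _ := r.Resolve(tag)
	m.Layers = append(m.Layers, extraLayer)
	d := r.Push(tag, m)
	r.AttachSignature(Sign(attacker, d))
}

// Verify pulls by tag and accepts the image only if the content matches its
// digest and that digest carries a valid signature from the trusted key.
// The returned digest can additionally be compared with the one the builder pinned.
func Verify(r *Registry, tag string, trusted ed25519.PublicKey) (string, error) {
	d, m, ok := r.Resolve(tag)
	if !ok {
		return "", errors.New("unknown tag")
	}
	if m.Digest() != d {
		return "", errors.New("manifest does not match its digest")
	}
	for _, s := range r.sigs[d] {
		if bytes.Equal(s.PubKey, trusted) && ed25519.Verify(trusted, []byte(d), s.Sig) {
			return d, nil
		}
	}
	return "", fmt.Errorf("no valid signature from trusted key for %s", d)
}

// KeyFromSeed derives a deterministic key pair. The fixed seeds are constructed
// for reproducibility of the example only and must never be used for real keys.
func KeyFromSeed(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

func main() {
	builder, attacker := KeyFromSeed(1), KeyFromSeed(2)
	reg := NewRegistry()
	built := reg.Push("app:latest", Manifest{Layers: []string{"sha256:base", "sha256:app"}})
	reg.AttachSignature(Sign(builder, built)) // the equivalent of signing app@<built digest>

	d, err := Verify(reg, "app:latest", PublicKeyOf(builder))
	fmt.Println("clean pull matches built digest:", d == built, err)

	reg.Tamper("app:latest", "sha256:backdoor", attacker)
	_, err = Verify(reg, "app:latest", PublicKeyOf(builder))
	fmt.Println("after registry tampering:", err)
}
```

The two checks in `Verify` are the ones the answer describes: the pulled content must hash to the digest the registry claims, and the signature over that digest must verify under the key you already trust, not under whatever key the registry attaches. Signing the digest returned by the push, rather than re-pulling by tag, is what ties the signature to the bytes that were actually built.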