
I have a local docker image registry running on my Linux machine and want to push signed images, with the public key available to verify the images. I could use, for instance, cosign to verify signatures before pushing to the registry. But this check could be bypassed, leading to a security loophole.

Is it possible to configure the registry such that it only accepts the verifiable images?

I have looked into related tutorials online but they are all talking about verification at 'pull'.

Muzammil

1 Answer


Is it possible to configure the registry such that it only accepts the verifiable images?

By "verifiable images" I assume you are referring to "signed images". Could a registry be created to do this? Yes, you can reject an image manifest push if a signature for that manifest doesn't already exist in the repo. However, I'm not aware of a registry doing this today, and the workflow gets complicated. Most build tools want to output to a registry, and cosign wants an image reference on a registry.

Typically this is best handled by tracking the digest on the image when you push to avoid the digest changing between pushing and signing. And when pulling, verifying the signature on pull rather than trusting the registry has done this for you. The value of signing the image is it removes the requirement to trust the registry server, and allows the consumer to directly trust the producer.

BMitch
  • @BMitch - how can we track the digest on the image on push and reject if it's changed? I don't think the docker/podman push command can be used to do this. – Muzammil Mar 09 '23 at 14:31
  • @Muzammil the output of `docker push` and `docker inspect` includes the repo digest. Same for `docker buildx build`. If you use GitHub Actions, it's also an output of the build action. https://github.com/docker/build-push-action#outputs. I'm not familiar with the podman cli. – BMitch Mar 09 '23 at 14:37
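The push-then-sign-by-digest workflow BMitch describes in the answer and the comments, written out as an added example (it is not code from the original question, answer, or the cosign project). It assumes docker and cosign on PATH, a registry at localhost:5000, a locally built tag localhost:5000/demo/app:v1, and a cosign key pair cosign.key / cosign.pub generated with `cosign generate-key-pair`; all of those are assumptions. The `docker push` output and the digest at the bottom are constructed sample data so the parsing part runs offline; the real push, sign, verify and pull run only when the script is invoked with `--push`.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed: docker and cosign
# on PATH, a registry at localhost:5000, a locally built tag
# localhost:5000/demo/app:v1, and a cosign key pair cosign.key / cosign.pub
# from `cosign generate-key-pair`. SAMPLE_PUSH below is constructed data.

# Pull the manifest digest out of `docker push` output, whose final line
# looks like "v1: digest: sha256:<64 hex> size: 528".
digest_from_push() {
    sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | tail -n 1
}

# Turn registry/repo:tag into registry/repo@sha256:... . Only the trailing
# ":tag" is stripped, so a registry port such as localhost:5000 survives.
ref_by_digest() {
    printf '%s@%s\n' "$(printf '%s' "$1" | sed 's/:[^/:]*$//')" "$2"
}

# Push, record the digest the registry reported, check that the local daemon
# knows the image under that same digest, then sign and verify by digest.
# Signing by tag would sign whatever the tag points at when cosign resolves
# it, which may no longer be what was pushed.
push_and_sign() {
    tag="$1"
    pushed=$(docker push "$tag" | digest_from_push)
    [ -n "$pushed" ] || { echo "no digest in push output" >&2; return 1; }
    ref=$(ref_by_digest "$tag" "$pushed")

    # docker inspect lists every repo digest the daemon knows for the image;
    # refuse to sign if the one we just pushed is not among them.
    docker inspect --format '{{range .RepoDigests}}{{.}}{{"\n"}}{{end}}' "$tag" \
        | grep -qxF "$ref" || { echo "digest mismatch for $ref" >&2; return 1; }

    cosign sign --key cosign.key "$ref" || return 1

    # Consumer side: verify with the public key, then pull by digest so the
    # registry cannot substitute a different manifest under the same tag.
    cosign verify --key cosign.pub "$ref" >/dev/null || return 1
    docker pull "$ref"
}

# Offline demonstration on constructed `docker push` output.
SAMPLE_PUSH='The push refers to repository [localhost:5000/demo/app]
5f70bf18a086: Pushed
v1: digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef size: 528'

demo_digest=$(printf '%s\n' "$SAMPLE_PUSH" | digest_from_push)
demo_ref=$(ref_by_digest localhost:5000/demo/app:v1 "$demo_digest")
echo "would sign and verify: $demo_ref"

# Real workflow only on request:  sh push_sign.sh --push localhost:5000/demo/app:v1
if [ "${1:-}" = "--push" ]; then
    push_and_sign "$2"
fi
```

The digest check against `docker inspect` is the "reject if it's changed" step asked about in the comments: the value captured from `docker push` is what the registry actually stored, and the sign step uses exactly that reference. The verify-then-pull-by-digest at the end is the consumer side of the answer's point that the signature lets you trust the producer without trusting the registry.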