DevOps introduced several third-party components in the CI/CD Pipeline. The automation engine downloads OS libraries, software binaries, third party tools to build a Container.
With the use of third parties comes the question “Do I trust the Source?’.
Most of us are familiar with GitHub GPG signature trust for commit and tags. Why do we even sign the code commit? A beautiful answer that I found on stackexchange is below;
There are several ways in which a git repository can be compromised (this isn’t a security flaw, just a fact of life one should not avoid using git because of this). For example, someone may have pushed to your repository claiming to be you. Or for that matter, someone could have pushed to someone else’s repository claiming to be you (someone could push to their repository claiming to be you too). This is just part of life in a DVCS (Distributed Version Control System).
Imagine the similar use case for a Container Registry. A person pretending to be you can push a Container to a registry with a malware and it will affect the user when they pull the container. OR someone can tamper the Container in-transit because there is no digital signature. In-Transit security issues.
Docker introduced a security framework called ‘Docker Content Trust’.
When a publisher using Docker Content Trust pushes an image to a remote registry, Docker Engine signs the image locally with the publisher’s private key. When a user later pulls this image, Docker Engine uses the publisher’s public key to verify that the image is exactly what the publisher created, has not been tampered with, and is up to date.
In this article, I detail how to setup a DCT (Docker Content Trust) for your Containers.
There are 4 major steps to setup DCT.
To sign a Docker Image, you will need a delegation key pair. These keys can be generated locally using $ docker trust key generate <keyname>.
Next you will need to add the delegation public key to the Docker Repository;
You need an Image to be signed.
Tag the pulled Image with a unique name to distinguish between unsigned and signed images.
It is important to inspect the image to know if the signing process went through.
Push the signed Image to the repository.
It’s a flag at the shell. You should enable it on your environment to ensure the integrity of Docker Content Trust
It will fail because your Docker host is enabled with Content Trust.
It asks you to enter the passphrase you supplied in the previous steps and add the container to the Docker host.
This is it.
There are commands to revoke the trust, add notary, build your own keys etc. Refer the DCT document to know more about them.
Please subscribe at www.kuberiter.com to try our DevOps SaaS Services.