|
|
|
|
|
|
by cyphar
2609 days ago
|
|
|
The way image signing works with Docker is that there is a signature tying a tag to a sha256. If you use the sha256 directly you get immutable sources, but now your source isn't signed anymore -- how are you sure the hash is correct? |
|
|