by yackob03
4577 days ago
I will speak to the issues about which I am familiar. Checksums are currently uploaded by the client and verified by the registry. Signing is on the roadmap[1]. I'm not sure what you mean by a fingerprint, would this be analogous to an SSH host key? What function would it serve if you already had a signature that only you could reproduce?

[1]: https://github.com/dotcloud/docker/issues/2700
The process that is the gold standard for this, IMO, is what's used over at Apache Software Foundation.
https://www.apache.org/dev/release-signing.html
For those who aren't familiar with the topic, I'll illustrate with a release I made a few years ago. Here are the release artifacts for Lucene.Net 2.9.2:
http://www.apache.org/dist/incubator/lucene.net/source/2.9.2...
You'll find a .zip, .asc, .md5, and .sha1 file. The .zip is the release artifact. The MD5 and SHA1 are just two different hashes to prove that the package you got is not corrupt and is what it should be, similar to a checksum (note: these hashes should also be signed, IMO). The .asc is a signature for the release.
A signature is made from the release engineer's key pair and the release artifact. gpg can take the .asc and the .zip as inputs and tell you what pub key made the signature (and it reports it as a short fingerprint). If you've imported a trusted key into gpg, it will tell you that it's a verified and trusted key, and tell you who it was.
My pub key for ASF signing is available here:
http://people.apache.org/~thoward/F1AADDE6.asc
If you pull all these files together and verify them, this should be your result:
$ curl -sSL http://people.apache.org/~thoward/F1AADDE6.asc | gpg --import
gpg: key F1AADDE6: public key "Troy Howard (CODE SIGNING KEY) <thoward@apache.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --verify ~/Downloads/Apache-Lucene.Net-2.9.2-incubating.src.zip.asc ~/Downloads/Apache-Lucene.Net-2.9.2-incubating.src.zip
gpg: Signature made Fri Feb 25 09:33:40 2011 PST using RSA key ID F1AADDE6
gpg: Good signature from "Troy Howard (CODE SIGNING KEY) <thoward@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 062B 4DAF 06F8 61CD 2E71 E40B 8EAA A8A8 F1AA DDE6
Anything else, and you should not use the release.
A good package and release system, like Docker Index/Registry, should build these verifications in automatically. A tool like Quay can host pub keys and can automatically sign images. The Docker Index API can be extended slightly to support fetching the signature. Docker itself could be extended to support a "verified" mode, where it refuses to run images that don't have a signature, or that fail key verification against a trusted set of keys.
Hmm.. maybe I need to write another blog post. ;)
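The comment above walks through the Apache-style checks by hand: compare the .md5/.sha1 files against the artifact, then have gpg verify the .asc, and treat anything other than a clean result as "do not use the release". The Python below is an added example (not the commenter's code and not an ASF tool) that automates exactly that rule. It parses the Apache checksum-file format, and it decides on gpg's machine-readable `--status-fd` lines rather than on the human-readable "Good signature" text, because, as the WARNING in the transcript shows, gpg says "Good signature" for any imported key whether or not it is certified; pinning the primary-key fingerprint is what turns "good" into "trusted". The fingerprint in the allow-list is the one gpg printed in the thread; the release bytes, checksum files and status lines are constructed stand-ins so the example runs offline, and `run_gpg_verify` (which calls the real gpg binary) is the only part that needs network or real files.

```python
"""Automate the release checks from the comment: checksum files + pinned gpg signature."""
import hashlib
import hmac
import re
import subprocess
from typing import Iterable, Tuple

# Pinned release-manager key fingerprints. This one is the primary key fingerprint
# gpg printed in the thread; in practice pin the keys you have verified out of band.
TRUSTED_FINGERPRINTS = {"062B4DAF06F861CD2E71E40B8EAAA8A8F1AADDE6"}

# gpg status tags that mean the signature must be rejected outright.
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY"}


def parse_checksum_file(text: str) -> str:
    """Return the hex digest from an Apache-style .md5/.sha1 file.

    Accepts 'HEX  filename', 'HEX *filename' and a bare 'HEX' line."""
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9a-fA-F]{32,128})\b", line)
        if m:
            return m.group(1).lower()
    raise ValueError("no hex digest found in checksum file")


def checksum_matches(artifact: bytes, checksum_text: str, algorithm: str) -> bool:
    """True if the artifact hashes (md5, sha1, ...) to the digest in the checksum file."""
    expected = parse_checksum_file(checksum_text)
    actual = hashlib.new(algorithm, artifact).hexdigest()
    return hmac.compare_digest(actual, expected)


def evaluate_gpg_status(status_lines: Iterable[str],
                        trusted: set = TRUSTED_FINGERPRINTS) -> Tuple[bool, str]:
    """Decide from 'gpg --status-fd' output whether a detached signature is acceptable.

    Requires a GOODSIG plus a VALIDSIG whose primary-key fingerprint is pinned in
    `trusted`. The web-of-trust WARNING seen in the thread is not consulted at all:
    an explicit fingerprint allow-list replaces it."""
    good = False
    primary_fpr = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        tag = fields[1]
        if tag in REJECT_TAGS:
            return False, f"rejected: {tag}"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo> <hash-algo>
            #          <sig-class> [<primary-key-fpr>]; older gpg omits the last field.
            primary_fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if not good or primary_fpr is None:
        return False, "no good signature"
    if primary_fpr not in trusted:
        return False, f"signature from unpinned key {primary_fpr}"
    return True, f"signed by pinned key {primary_fpr}"


def run_gpg_verify(sig_path: str, artifact_path: str) -> Tuple[bool, str]:
    """Run the real gpg on real files (needs gpg installed; not used by the offline demo)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, artifact_path],
        capture_output=True, text=True, check=False)
    return evaluate_gpg_status(proc.stdout.splitlines())


def verify_release(artifact: bytes, md5_text: str, sha1_text: str,
                   status_lines: Iterable[str]) -> Tuple[bool, str]:
    """The comment's rule: every check passes, or the release is not used."""
    if not checksum_matches(artifact, md5_text, "md5"):
        return False, "md5 mismatch"
    if not checksum_matches(artifact, sha1_text, "sha1"):
        return False, "sha1 mismatch"
    return evaluate_gpg_status(status_lines)


# --- constructed sample inputs (stand-ins, not the real release files) ---
SAMPLE_ARTIFACT = b"constructed stand-in for Apache-Lucene.Net-2.9.2-incubating.src.zip\n"
SAMPLE_MD5_FILE = hashlib.md5(SAMPLE_ARTIFACT).hexdigest() + "  Apache-Lucene.Net-2.9.2-incubating.src.zip\n"
SAMPLE_SHA1_FILE = hashlib.sha1(SAMPLE_ARTIFACT).hexdigest() + " *Apache-Lucene.Net-2.9.2-incubating.src.zip\n"
# Status lines modelled on what gpg emits for the verification shown in the thread.
SAMPLE_STATUS_OK = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 8EAAA8A8F1AADDE6 Troy Howard (CODE SIGNING KEY) <thoward@apache.org>",
    "[GNUPG:] VALIDSIG 062B4DAF06F861CD2E71E40B8EAAA8A8F1AADDE6 2011-02-25 1298655220 0 4 0 1 2 00 "
    "062B4DAF06F861CD2E71E40B8EAAA8A8F1AADDE6",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",  # what produces the 'not certified' WARNING
]
SAMPLE_STATUS_BAD = ["[GNUPG:] NEWSIG",
                     "[GNUPG:] BADSIG 8EAAA8A8F1AADDE6 Troy Howard <thoward@apache.org>"]

if __name__ == "__main__":
    print(verify_release(SAMPLE_ARTIFACT, SAMPLE_MD5_FILE, SAMPLE_SHA1_FILE, SAMPLE_STATUS_OK))
    print(verify_release(SAMPLE_ARTIFACT + b"x", SAMPLE_MD5_FILE, SAMPLE_SHA1_FILE, SAMPLE_STATUS_OK))
    print(verify_release(SAMPLE_ARTIFACT, SAMPLE_MD5_FILE, SAMPLE_SHA1_FILE, SAMPLE_STATUS_BAD))
```

For real files, `run_gpg_verify("release.zip.asc", "release.zip")` feeds gpg's status output into the same decision function, so the offline tests and the live check share one policy. The md5 and sha1 comparisons only detect corruption, as the comment says; the pinned-fingerprint check is the one that establishes who produced the artifact.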