How to list all known root keys in Docker (Docker Content Trust)

Problem description

How do I list all of the Docker Content Trust root keys on my system?

I'm setting up a CI process that will build releases of an application in ephemeral cloud instances using the debian:stable-slim docker image. I want to make sure that every time my fresh build system runs docker pull debian:stable-slim, it doesn't blindly TOFU the root public key that signs debian's docker image, thereby defeating the entire security model of DCT.

Before downloading a given Docker image, how can I check whether the system already has the root public key for that image?

Solution

To see which keys are already on your system (either because TOFU happily/blindly/silently fetched them, or because you put them there yourself), check $HOME/.docker/trust/tuf/docker.io/library

For example:

root@disp9131:~# export DOCKER_CONTENT_TRUST=1
root@disp9131:~#

root@disp9131:~# docker pull debian:stable-slim
Pull (1 of 1): debian:stable-slim@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d: Pulling from library/debian
696098ac4087: Pull complete 
Digest: sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Status: Downloaded newer image for debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Tagging debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d as debian:stable-slim
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian
root@disp9131:~# 

root@disp9131:~# docker pull ubuntu:latest
Pull (1 of 1): ubuntu:latest@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537: Pulling from library/ubuntu
d72e567cc804: Pull complete 
0f3630e5ff08: Pull complete 
b6a83d81d1f4: Pull complete 
Digest: sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Status: Downloaded newer image for ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Tagging ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537 as ubuntu:latest
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian  ubuntu
root@disp9131:~# 

Warning! Note that Docker Content Trust is disabled by default. Even when it is enabled, it will silently download and dumbly trust whatever root keys it gets. So if you use Docker on an ephemeral build system that is re-created every time it runs, DCT is pure security theater, and every run is vulnerable to MITM attacks.

See also

  1. https://docs-stage.docker.com/engine/security/trust/content_trust/
  2. https://github.com/docker/cli/issues/2752
  3. Docker Trust Initialization
  4. https://security.stackexchange.com/questions/238529/how-to-list-all-of-the-known-root-keys-in-docker-docker-content-trust
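The answer above shows that the per-repository trust directories only appear after a (TOFU) pull. On an ephemeral build host the check a practitioner actually wants is the other way round: enumerate the root metadata that is already present, and refuse to pull unless the cached root.json for the image matches a digest pinned in the CI configuration. The following POSIX shell helpers are an added example, not code from the original answer or from Docker. They assume the notary client's on-disk TUF cache layout `<trust dir>/tuf/<GUN>/metadata/root.json` (e.g. `$HOME/.docker/trust/tuf/docker.io/library/debian/metadata/root.json`), and use a hypothetical `DOCKER_TRUST_DIR` variable so the trust directory can be overridden; the pinned digest passed to `safe_pull` is a value you would record once from a trusted host.

```shell
#!/bin/sh
# Added example (not from the original post or from Docker).
# Assumption: the Docker CLI / notary client caches TUF metadata at
#   $DOCKER_TRUST_DIR/tuf/<GUN>/metadata/root.json
# DOCKER_TRUST_DIR is a hypothetical override; it defaults to $HOME/.docker/trust.

trust_dir() {
    printf '%s\n' "${DOCKER_TRUST_DIR:-$HOME/.docker/trust}"
}

# Portable sha256 of a file (coreutils sha256sum or perl/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Map an image reference to its Globally Unique Name (GUN):
#   debian:stable-slim            -> docker.io/library/debian
#   myorg/app:1.0                 -> docker.io/myorg/app
#   registry.example.com/t/app:2  -> registry.example.com/t/app
# Assumption: registry hosts carry no :port (the tag strip would eat it).
gun_for_image() {
    name=${1%%@*}        # drop @sha256:... digest, if any
    name=${name%%:*}     # drop :tag, if any
    case $name in
        */*/*) printf '%s\n' "$name" ;;
        */*)   printf 'docker.io/%s\n' "$name" ;;
        *)     printf 'docker.io/library/%s\n' "$name" ;;
    esac
}

root_json_path() {
    printf '%s/tuf/%s/metadata/root.json\n' "$(trust_dir)" "$(gun_for_image "$1")"
}

# List every GUN for which root metadata is already cached, one per line.
# This is the "list all known root keys" the question asks for.
list_known_roots() {
    dir=$(trust_dir)/tuf
    [ -d "$dir" ] || return 0
    find "$dir" -path '*/metadata/root.json' \
        | sed -e "s|^$dir/||" -e 's|/metadata/root.json$||' \
        | sort
}

# 0 if root metadata for the image is already present, 1 otherwise.
dct_has_root() {
    [ -f "$(root_json_path "$1")" ]
}

# 0 only if the cached root.json exists AND its sha256 equals the pin.
dct_root_matches() {
    f=$(root_json_path "$1")
    [ -f "$f" ] || return 1
    [ "$(sha256_of "$f")" = "$2" ]
}

# Fail closed: never let a fresh instance TOFU an unknown root key.
# Usage: safe_pull debian:stable-slim <pinned sha256 of root.json>
safe_pull() {
    image=$1
    pin=$2
    if ! dct_root_matches "$image" "$pin"; then
        echo "refusing to pull $image: no pinned root.json for $(gun_for_image "$image")" >&2
        return 1
    fi
    DOCKER_CONTENT_TRUST=1 docker pull "$image"
}
```

In a CI image, bake the trusted root.json files into the trust directory at image-build time and store their digests next to the pipeline definition; `safe_pull` then turns the silent TOFU the answer warns about into a hard failure whenever the cache is empty or has been tampered with.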