What feature do you want to see added?
The problem:
There is no way to verify the images published were actually built by jenkinsci.
We use digest-pinning to verify that our images based upon jenkins/inbound-agent are based off the intended image. There was a new image uploaded last Friday that updated the tag we use (jenkins/inbound-agent:4.11.2-4-jdk11). We are unable to verify whether that change was "legitimate".
Proposed solution:
Sign the published images using Docker Content Trust. That way at least the origin can be verified. Additionally, posting the digests at the release tag would probably be nice to manually verify a source, as the builds aren't publicly accessible, or publishing a buildinfo in Artifactory.
Questions:
Why is there more than one build per release? In my opinion there should only be one build and therefore one digest for the image we use. I would like to know why it was updated, as a change should increase the version.
Upstream changes
No response
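The issue above relies on digest pinning to notice that a tag was moved. The following is an added example (not code from the issue author or the Jenkins project) that shows why that works: a registry tag is mutable, while the manifest digest is the sha256 over the manifest bytes, so any re-push of the same tag that changes content changes the digest a consumer has pinned. `FakeRegistry`, `build_manifest` and `verify_pinned` are constructed stand-ins for this demonstration; in a real pipeline the digest would come from `docker manifest inspect` or from pulling `name@sha256:...` against the actual registry. Signing (the Docker Content Trust half of the proposal) is a separate step that this example does not cover.

```python
import hashlib
import json
import re

# Simplified reference grammar "name[:tag][@sha256:hex]" (assumption: no
# registry host:port in the name part, which real references allow).
_REF_RE = re.compile(
    r"^(?P<name>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into (name, tag, digest); missing parts are None."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.group("name"), m.group("tag"), m.group("digest")


def blob_digest(data):
    """Content-addressed digest as registries compute it: sha256 over the bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_manifest(config_bytes, layer_blobs):
    """Serialise a minimal schema-2 manifest for constructed config/layer bytes.

    The manifest digest is taken over exactly these bytes, so any change to a
    layer or the config changes the digest even though the tag can stay put.
    """
    doc = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {
            "mediaType": "application/vnd.docker.container.image.v1+json",
            "size": len(config_bytes),
            "digest": blob_digest(config_bytes),
        },
        "layers": [
            {
                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": len(b),
                "digest": blob_digest(b),
            }
            for b in layer_blobs
        ],
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


class FakeRegistry:
    """In-memory stand-in for a registry: mutable tags, immutable digests (constructed)."""

    def __init__(self):
        self._tags = {}   # "name:tag" -> manifest digest
        self._blobs = {}  # manifest digest -> manifest bytes

    def push(self, name, tag, manifest_bytes):
        digest = blob_digest(manifest_bytes)
        self._blobs[digest] = manifest_bytes
        self._tags[f"{name}:{tag}"] = digest  # re-pushing a tag silently moves it
        return digest

    def resolve(self, ref):
        """Return the manifest digest a reference currently points at."""
        name, tag, digest = parse_reference(ref)
        if digest is not None:
            if digest not in self._blobs:
                raise LookupError(f"unknown digest {digest}")
            return digest  # digest references are immutable by construction
        key = f"{name}:{tag or 'latest'}"
        if key not in self._tags:
            raise LookupError(f"unknown tag {key}")
        return self._tags[key]


def verify_pinned(registry, ref, pinned_digest):
    """Digest pinning: does the tag still resolve to the digest we reviewed?

    Returns (ok, resolved_digest) so a caller can log what the tag now points at.
    """
    resolved = registry.resolve(ref)
    return resolved == pinned_digest, resolved


def demo():
    """Constructed scenario: the same tag is pushed twice with different content."""
    reg = FakeRegistry()
    name, tag = "jenkins/inbound-agent", "4.11.2-4-jdk11"
    first = reg.push(name, tag, build_manifest(b'{"os":"linux"}', [b"rootfs-v1"]))
    ok_before, _ = verify_pinned(reg, f"{name}:{tag}", first)
    # A later re-push of the same tag (any content change, legitimate or not).
    second = reg.push(name, tag, build_manifest(b'{"os":"linux"}', [b"rootfs-v2"]))
    ok_after, now = verify_pinned(reg, f"{name}:{tag}", first)
    # Pulling by digest keeps giving the reviewed image regardless of the tag.
    still_first = reg.resolve(f"{name}@{first}") == first
    return {
        "first": first, "second": second,
        "ok_before": ok_before, "ok_after": ok_after,
        "tag_now": now, "digest_pull_stable": still_first,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check only tells you that the tag moved, not whether the new content is trustworthy; that is exactly the gap the issue describes, and why a signature over the digest (or a published digest list per release) is needed alongside pinning.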