
Docker images should be signed utilizing docker content trust and digests should be published #233

Open
css-inverso opened this issue Feb 23, 2022 · 1 comment

Comments

@css-inverso

What feature do you want to see added?

The problem:

There is no way to verify that the images published were actually built by jenkinsci.

We use digest-pinning to verify that our images based upon jenkins/inbound-agent are based off the intended image. There was a new image uploaded last Friday that updated the tag we use (jenkins/inbound-agent:4.11.2-4-jdk11). We are unable to verify whether that change was "legitimate".

Proposed solution:

Sign the published images using Docker Content Trust. That way at least the origin can be verified. Additionally, posting the digests at the release tag would probably be nice for manually verifying a source, as the builds aren't publicly accessible, or publishing a buildinfo in Artifactory.

Questions:

Why are there multiple builds per release? In my opinion there should only be one build and therefore one digest for the image we use. I would like to know why it was updated, as a change should increase the version.

Upstream changes

No response
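The digest-pinning that the issue relies on, as an added example (not code from this issue or from the jenkinsci project): a registry digest is the SHA-256 of the exact manifest bytes served, so a `name:tag@sha256:...` reference keeps identifying one build even after the tag is re-pointed. The manifest and digests below are constructed sample values.

```python
import hashlib
import json
import re

# Constructed sample manifest; not a real jenkins/inbound-agent manifest.
SAMPLE_MANIFEST = json.dumps(
    {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                   "size": 7023, "digest": "sha256:" + "11" * 32},
        "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                    "size": 32654, "digest": "sha256:" + "22" * 32}],
    },
    separators=(",", ":"),
).encode()

# Simplified reference grammar (no registry host:port prefix): name[:tag]@sha256:<hex>
PINNED_REF_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*)(?::(?P<tag>[\w][\w.-]{0,127}))?@(?P<digest>sha256:[0-9a-f]{64})$"
)


def manifest_digest(manifest_bytes: bytes) -> str:
    """Digest as a registry computes it: sha256 over the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def parse_pinned_ref(ref: str) -> dict:
    """Split 'name[:tag]@sha256:<hex>' into its parts; reject unpinned (tag-only) refs."""
    m = PINNED_REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a digest-pinned reference: {ref!r}")
    return m.groupdict()


def verify_pinned(ref: str, manifest_bytes: bytes) -> bool:
    """True only if the served manifest hashes to the digest pinned in ref.

    The tag in ref is informational: only the digest decides the outcome, which is
    why a re-pushed tag cannot silently replace the image a build depends on.
    """
    expected = parse_pinned_ref(ref)["digest"]
    return manifest_digest(manifest_bytes) == expected


if __name__ == "__main__":
    ref = "jenkins/inbound-agent:4.11.2-4-jdk11@" + manifest_digest(SAMPLE_MANIFEST)
    print(ref, verify_pinned(ref, SAMPLE_MANIFEST))        # True
    print(verify_pinned(ref, SAMPLE_MANIFEST + b"\n"))      # False: any byte change alters the digest
```

Note that the digest covers only the manifest bytes; it proves identity, not origin, which is why the issue asks for signing on top of it.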

@timja (Member)

timja commented Mar 11, 2022

Why are there multiple builds per release? In my opinion there should only be one build and therefore one digest for the image we use. I would like to know why it was updated, as a change should increase the version.

Likely this issue: jenkins-infra/helpdesk#2

lemeurherve pushed a commit to lemeurherve/docker-agent that referenced this issue Nov 27, 2023
lemeurherve pushed a commit to lemeurherve/docker-agent that referenced this issue Jan 11, 2024