mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-17 09:22:30 -05:00
[Security] Is it time to sign the Docker images ?? #1022
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @williamdes on GitHub (Apr 30, 2021).
Subject of the issue
Docker images when signed are more "secure" in the case of a security event because a non signed image could not be pulled if the previous one was signed.
Deployment environment
Docker
Steps to reproduce
Expected behaviour
Have a signed image I can trust
Actual behaviour
No signed image
Troubleshooting data
All needed information can be found in official docs and in the GitHub action: https://github.com/sudo-bot/action-docker-sign
All the needed commands can be copied from https://github.com/sudo-bot/action-docker-sign/blob/main/action.yml
Is it easy to implement: Yes
Do you have to backup in a very safe place the repository and root keys, YES !!
Knowing nothing about DCT I implemented a GitHub action in a bunch of hours, I can provide help for the setup if needed
@williamdes commented on GitHub (Apr 30, 2021):
You can find examples on https://github.com/sudo-bot/action-docker-sign#inspect-trust
@dani-garcia commented on GitHub (Apr 30, 2021):
As our images are getting built automatically by Docker Hub's infrastructure, enabling this would imply giving them the private signing key directly, so would this add any extra security in that case?
@williamdes commented on GitHub (Apr 30, 2021):
Well, the auto-builds are not possible anymore with that option. The repository would need to build the images :/
@williamdes commented on GitHub (Apr 30, 2021):
Switching to Images build with GitHub actions using a named env with run approvers seems to be the solution to make the secrets protected :)
@williamdes commented on GitHub (May 8, 2021):
Do you think this could get implemented ?
I did add all the needed instructions for multi arch images on my repository
@BlackDex commented on GitHub (Jun 21, 2021):
I'm going to move this to the discussions under
Ideas, also to keep the issues for actual issues to the software.