
How do I list all of the Docker Content Trust root keys on my system?

I'm setting up a CI process that will build releases of my app in ephemeral cloud instances using the debian:stable-slim docker image. I want to make sure that every time my fresh build system executes docker pull debian:stable-slim, it doesn't just blindly TOFU the root public key used to sign debian's docker images - thereby breaking the entire security model of DCT.

Before downloading a given docker image, how can I check whether the system already has the root public key for that image?


1 Answer


To see which keys are already on your system (obtained happily/blindly/silently via TOFU, unless you put them there yourself), check $HOME/.docker/trust/tuf/docker.io/library

For example:

root@disp9131:~# export DOCKER_CONTENT_TRUST=1
root@disp9131:~#

root@disp9131:~# docker pull debian:stable-slim
Pull (1 of 1): debian:stable-slim@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d: Pulling from library/debian
696098ac4087: Pull complete 
Digest: sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Status: Downloaded newer image for debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Tagging debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d as debian:stable-slim
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian
root@disp9131:~# 

root@disp9131:~# docker pull ubuntu:latest
Pull (1 of 1): ubuntu:latest@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537: Pulling from library/ubuntu
d72e567cc804: Pull complete 
0f3630e5ff08: Pull complete 
b6a83d81d1f4: Pull complete 
Digest: sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Status: Downloaded newer image for ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Tagging ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537 as ubuntu:latest
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian  ubuntu
root@disp9131:~# 

WARNING! Note that docker content trust is disabled by default. And even once it is enabled, it silently downloads and trusts by default whatever root key it is given. So if you're using Docker on an ephemeral build system that is rebuilt fresh on every execution, then DCT is pure security theatre, and every single run is vulnerable to a MITM attack.

See also

  1. https://docs-stage.docker.com/engine/security/trust/content_trust/
  2. https://github.com/docker/cli/issues/2752
  3. Docker trust init
  4. https://security.stackexchange.com/questions/238529/how-to-list-all-of-the-known-root-keys-in-docker-docker-content-trust
answered 2020-09-28T13:52:38.880
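The answer above shows where the TOFU-acquired root metadata ends up; the following is an added example (my own, not part of the original question or answer, and not a Docker tool) that turns that observation into a pre-pull check for an ephemeral builder. It assumes the notary cache layout `<registry>/<repository>/metadata/root.json` under `$HOME/.docker/trust/tuf` (configurable via `TRUST_DIR`), and that `sha256sum` is available. The idea is to ship a known-good `root.json` with the CI image and pin its digest in the pipeline, so a fresh instance never has to trust whatever root key it is handed on first pull; `safe_pull` refuses to run `docker pull` unless that pinned file is already present and matches.

```shell
#!/usr/bin/env sh
# Added example: refuse to pull an image under DCT unless the TUF root metadata for
# its repository is already cached locally and (optionally) matches a pinned sha256.
# ASSUMPTION: notary cache path is $TRUST_DIR/<registry>/<repo>/metadata/root.json.

TRUST_DIR="${TRUST_DIR:-$HOME/.docker/trust/tuf}"

# Normalize an image reference into "<registry>/<repo>", e.g.
#   debian:stable-slim                 -> docker.io/library/debian
#   myorg/app:1.0                      -> docker.io/myorg/app
#   localhost:5000/app@sha256:...      -> localhost:5000/app
dct_repo_path() {
    name="${1%%@*}"                          # drop any @sha256:... digest
    case "$name" in
        */*)
            first="${name%%/*}"
            # A first path component with '.' or ':' (or "localhost") is a registry host.
            case "$first" in
                *.*|*:*|localhost) registry="$first"; rest="${name#*/}" ;;
                *)                 registry="docker.io"; rest="$name" ;;
            esac ;;
        *)  registry="docker.io"; rest="$name" ;;
    esac
    rest="${rest%%:*}"                       # drop the tag
    if [ "$registry" = "docker.io" ]; then   # official images live under library/
        case "$rest" in */*) ;; *) rest="library/$rest" ;; esac
    fi
    printf '%s/%s\n' "$registry" "$rest"
}

# Path of the cached TUF root metadata for an image reference.
dct_root_file() {
    printf '%s/%s/metadata/root.json\n' "$TRUST_DIR" "$(dct_repo_path "$1")"
}

# Return 0 if root.json is cached (and, when a sha256 is given, matches it);
# 1 if it is missing, 2 if it is present but does not match the pin.
dct_root_present() {
    file="$(dct_root_file "$1")"
    [ -s "$file" ] || return 1
    if [ -n "${2:-}" ]; then
        actual="$(sha256sum "$file" | cut -d' ' -f1)"
        [ "$actual" = "$2" ] || return 2
    fi
    return 0
}

# Pull with content trust enabled, but only after the pre-seeded root key check passes,
# so a fresh build instance never TOFUs a root key off the network.
safe_pull() {
    if dct_root_present "$1" "${2:-}"; then
        DOCKER_CONTENT_TRUST=1 docker pull "$1"
    else
        echo "refusing to pull $1: no pinned DCT root key at $(dct_root_file "$1")" >&2
        return 1
    fi
}

# Usage: ./safe_pull.sh debian:stable-slim [<expected sha256 of root.json>]
if [ $# -gt 0 ]; then
    safe_pull "$@"
fi
```

In practice the pinned digest lives in the pipeline definition next to the image tag, and the `root.json` is copied into the builder image at bake time; the check then fails loudly on a mismatch instead of silently replacing the key, which is the failure mode the answer's warning describes.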