# general
c
I think you can run with DOCKER_CONTENT_TRUST=1 to see. Whether it matters depends on your threat model, like always. You're hedging against a scenario where the rancher dockerhub account gets popped but they don't get the signing keys, which I guess isn't the craziest idea.
w
I tried running against some sample rancher rke2 images, like `docker trust inspect --pretty rancher/rke2-runtime:latest`, and it returned: `no signatures or cannot access rancher/rke2-runtime:latest`. Other images like nginx:latest do return signatures. Hopefully my verification steps are correct.
c
```
#rancher doesn't seem to sign
$ docker trust inspect --pretty rancher/rancher
no signatures or cannot access rancher/rancher
$ docker trust inspect --pretty rancher/rancher:v2.8.5
no signatures or cannot access rancher/rancher:v2.8.5
$ docker trust inspect --pretty rancher/rancher:latest
no signatures or cannot access rancher/rancher:latest
#example of one that does sign, official mongo
$ docker trust inspect --pretty mongo:latest

Signatures for mongo:latest

SIGNED TAG   DIGEST                                                             SIGNERS
latest       bd38dc3d2895c7434b9b75c86525642efe3d65e4c6aadfe397486d7cc89406f0   (Repo Admin)

Administrative keys for mongo:latest

  Repository Key: d1a56c0e76f066a1880188daf7f424e082e8b7131a70a1f520c8e129582bcf73
  Root Key: 78c4f5e9a6813ce233566231666324a5f9f466ab70358308aa1d9594a28d2f3e
```
w
Thanks for the confirmation.