Digital Trust in Transit — Docker Content Trust

Lawrence Manickam
4 min read · Jan 23, 2020

DevOps introduced several third-party components into the CI/CD pipeline. The automation engine downloads OS libraries, software binaries and third-party tools to build a container.

With the use of third parties comes the question “Do I trust the source?”.

Most of us are familiar with GitHub GPG signature trust for commits and tags. Why do we even sign a commit? A beautiful answer that I found on Stack Exchange is below:

There are several ways in which a git repository can be compromised (this isn’t a security flaw, just a fact of life; one should not avoid using git because of this). For example, someone may have pushed to your repository claiming to be you. Or for that matter, someone could have pushed to someone else’s repository claiming to be you (someone could push to their own repository claiming to be you too). This is just part of life in a DVCS (Distributed Version Control System).

Imagine the same situation for a container registry. A person pretending to be you can push a container containing malware to a registry, and it will affect every user who pulls that container. Or someone can tamper with the container in transit, because without a digital signature nothing detects the change. These are in-transit security issues.

To address this, Docker introduced a security framework called ‘Docker Content Trust’. The Docker documentation describes it as follows:

When a publisher using Docker Content Trust pushes an image to a remote registry, Docker Engine signs the image locally with the publisher’s private key. When a user later pulls this image, Docker Engine uses the publisher’s public key to verify that the image is exactly what the publisher created, has not been tampered with, and is up to date.

In this article, I detail how to set up DCT (Docker Content Trust) for your containers.

There are 4 major steps to set up DCT.

Generate Docker Content Trust Key

To sign a Docker image, you will need a delegation key pair. These keys can be generated locally with $ docker trust key generate <keyname>. The command asks for a passphrase that protects the private key; you will need it again when signing.

Add the Signer to the Docker Repository

Next, you will need to add the delegation public key as a signer on the Docker repository.

Pull the Image

You need an image to sign, so pull one from the registry.

Tag the Image

Tag the pulled image with a distinct tag so that the unsigned and signed images can be told apart.

Sign the Image

Inspect the Image

It is important to inspect the image to confirm that the signing process went through and that the expected signer appears on the tag.

Push the Signed Image

Push the signed image to the repository.

Enable Content Trust at the Docker host

It’s a flag set in the shell environment. You should enable it in your environment so that the Docker host only pulls images whose signatures Docker Content Trust can verify.

Pull the unsigned Image

It will fail, because Content Trust is enabled on your Docker host and the image carries no signature.

Pull the signed Image

It asks you to enter the passphrase you supplied in the previous steps and adds the image to the Docker host.
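As an added example that is not part of the original post, here is a small Python gate a CI pipeline could run on the JSON output of docker trust inspect after the Inspect step and before enabling the host flag, refusing a tag unless it was signed by the expected signer with an allow-listed key ID. The field names (Name, SignedTags, Signers, Keys, ID) follow that command's JSON output as I know it, and the sample document is constructed, not captured from a real registry.

```python
import json

# Constructed sample shaped like `docker trust inspect example.com/demo/app:signed`
# output; the digest and key IDs are placeholders, not values from a real repository.
SAMPLE_INSPECT = json.dumps([{
    "Name": "example.com/demo/app:signed",
    "SignedTags": [
        {"SignedTag": "signed", "Digest": "ab" * 32, "Signers": ["lawrence"]}
    ],
    "Signers": [
        {"Name": "lawrence", "Keys": [{"ID": "cd" * 32}]}
    ],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "ef" * 32}]},
        {"Name": "Repository", "Keys": [{"ID": "01" * 32}]}
    ]
}])


def signed_tag_ok(inspect_output, tag, required_signer, trusted_key_ids):
    """Return (ok, detail).

    ok is True only when `tag` carries a signature from `required_signer`
    and that signer's delegation key ID is in the pipeline's allow-list.
    On success `detail` is the signed digest, so the pipeline can pull by
    digest instead of by mutable tag; on failure it is the reason.
    """
    try:
        repos = json.loads(inspect_output)
    except json.JSONDecodeError:
        return False, "inspect output is not JSON"
    if not repos:
        return False, "no trust data for repository"
    repo = repos[0]
    # Map each delegation signer name to the set of key IDs it signs with.
    signer_keys = {s["Name"]: {k["ID"] for k in s.get("Keys", [])}
                   for s in repo.get("Signers", [])}
    for entry in repo.get("SignedTags", []):
        if entry.get("SignedTag") != tag:
            continue
        if required_signer not in entry.get("Signers", []):
            return False, f"tag {tag} is not signed by {required_signer}"
        if not signer_keys.get(required_signer, set()) & set(trusted_key_ids):
            return False, f"signer {required_signer} uses a key outside the allow-list"
        return True, entry["Digest"]
    # An unsigned tag never appears in SignedTags, which is the case DCT blocks.
    return False, f"tag {tag} has no signature"


if __name__ == "__main__":
    print(signed_tag_ok(SAMPLE_INSPECT, "signed", "lawrence", ["cd" * 32]))
    print(signed_tag_ok(SAMPLE_INSPECT, "unsigned", "lawrence", ["cd" * 32]))
```

In a real pipeline the first argument would be the captured output of docker trust inspect and the allow-list would hold the key IDs produced by docker trust key generate.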

This is it.

You can also watch the YouTube demo video here: https://youtu.be/JVy-O27lc2A

There are commands to revoke trust, add a Notary server, build your own keys, etc. Refer to the DCT documentation to learn more about them.

Lawrence Manickam is the Founder of Kuberiter Inc, a Seattle-based start-up that provides Enterprise/SaaS DevOps services (Kubernetes, Docker, Helm, Istio and CyberArk Conjur) for multicloud.

Please subscribe at www.kuberiter.com to try our DevOps SaaS Services.
