Container Image Signing
Red Hat engineers have been working to more securely distribute container images. In this post we look at where we’ve come from, where we need to go, and how we hope to get there.
When the Docker image specification was introduced it had no cryptographic verification model. The main reason was the lack of a reliable checksum over image content: two otherwise identical images could produce different checksum values, because Docker's tarsum scheme for hashing layer content did not yield consistent results. Without a stable, content-derived identifier there is nothing meaningful for a signature to bind to. As of Docker 1.10, images are content-addressable, so checksums are consistent and can serve as a stable reference for cryptographic verification. The version 2 image format provides a manifest digest for this purpose: the manifest lists the digests of the image config and of each layer, and the digest of the manifest itself is the single value a signature needs to cover.
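The two points above, the tarsum-era problem (same content, different checksum) and the v2 fix (sign the manifest digest, which transitively binds config and layers), as an added example that is not part of the original post or of Docker's own code. It builds a constructed schema-2 manifest in memory; the media type strings are the real Docker schema-2 ones, but the sample files, config and the `verify_image` check are assumptions for illustration. Note that a real registry digests the manifest bytes exactly as pushed; canonical JSON serialization is used here only to keep the example deterministic.

```python
from __future__ import annotations

import hashlib
import io
import json
import tarfile


def sha256_digest(data: bytes) -> str:
    """Registry-style digest string ("sha256:<hex>") for a blob."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_layer_tar(files: dict, mtime: int) -> bytes:
    """Build an uncompressed tar layer in memory. Only file contents and the
    mtime vary between calls, so two layers with identical contents but
    different timestamps serialize to different bytes (the tarsum problem)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def serialize_manifest(manifest: dict) -> bytes:
    """Canonical bytes for the constructed manifest (assumption: a real
    registry hashes the bytes exactly as the client pushed them)."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def manifest_digest(manifest: dict) -> str:
    """The value a signature should bind to: it covers config and layer digests."""
    return sha256_digest(serialize_manifest(manifest))


def build_manifest(config: bytes, layers: list) -> dict:
    """Constructed Docker schema-2 manifest over the given config and layer blobs."""
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {
            "mediaType": "application/vnd.docker.container.image.v1+json",
            "size": len(config),
            "digest": sha256_digest(config),
        },
        "layers": [
            {
                "mediaType": "application/vnd.docker.image.rootfs.diff.tar",
                "size": len(layer),
                "digest": sha256_digest(layer),
            }
            for layer in layers
        ],
    }


def verify_image(manifest: dict, blobs: dict, trusted_digest: str) -> bool:
    """Hypothetical client-side check: the manifest must hash to the digest a
    signature vouched for, and every blob it references must match the size
    and digest recorded in the manifest. Changing config or any layer breaks
    one of these links, so signing the manifest digest covers the whole image."""
    if manifest_digest(manifest) != trusted_digest:
        return False
    for ref in [manifest["config"]] + manifest["layers"]:
        blob = blobs.get(ref["digest"])
        if blob is None or len(blob) != ref["size"]:
            return False
        if sha256_digest(blob) != ref["digest"]:
            return False
    return True


# Constructed sample data, not a real image.
ROOTFS = {"etc/motd": b"hello\n", "usr/bin/app": b"#!/bin/sh\necho app\n"}
CONFIG = json.dumps({"architecture": "amd64", "os": "linux"}).encode()


def demo() -> dict:
    # Same files, different timestamps: identical content, different checksum.
    layer_a = make_layer_tar(ROOTFS, mtime=0)
    layer_b = make_layer_tar(ROOTFS, mtime=1_500_000_000)
    manifest = build_manifest(CONFIG, [layer_a])
    blobs = {sha256_digest(CONFIG): CONFIG, sha256_digest(layer_a): layer_a}
    pinned = manifest_digest(manifest)  # what a detached signature would cover
    tampered = dict(blobs)
    tampered[sha256_digest(layer_a)] = layer_b  # serve a different blob under the same key
    return {
        "same_bytes": layer_a == layer_b,
        "same_digest": sha256_digest(layer_a) == sha256_digest(layer_b),
        "genuine_verifies": verify_image(manifest, blobs, pinned),
        "tampered_verifies": verify_image(manifest, tampered, pinned),
        "wrong_digest_verifies": verify_image(manifest, blobs, sha256_digest(b"other")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two layers built from the same files disagree in both bytes and digest, while the content-addressed manifest verifies only when every referenced blob still hashes to the digest the (signed) manifest recorded.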
New Packaging Format, Old Problem
Language-specific package formats such as npm and pip have struggled to implement signing models. The Docker image format is distinctive, but ultimately it is just another software packaging format. Meanwhile, software vendors and system administrators have years of experience securing RPM packages. While RPM signatures have served the industry well for a long time, there are improvements that can be made to satisfy the following use cases:
Read the entire article here: Container Image Signing
via the fine folks at Red Hat.