-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: Add integrity pinning to Docker build images #9115
base: master
Are you sure you want to change the base?
build: Add integrity pinning to Docker build images #9115
Conversation
To improve integrity security of builds, a SHA256 hash is added to the Docker image used for release compilation. Pinning the image to a SHA256 hash reduced need to trust Dockerhub or transport security.
To improve integrity security of builds, a SHA256 hash is added to the Docker image used for release compilation. Pinning the image to a SHA256 hash reduced need to trust Dockerhub or transport security.
…hash To improve integrity security of builds, a SHA256 hash is added to the Docker image used for release compilation. Pinning the image to a SHA256 hash reduced need to trust Dockerhub or transport security.
Project no longer uses Travis. [skip ci]
Important Review skippedAuto reviews are limited to specific labels. Labels to auto review (1)
Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
Build system improvements are being opened in litd: If this PR is merged the benefits can be duplicated into other repos. |
lmk if the the section "Producing Integrity Pinning Digests" should be added to development guides: |
I think that would be helpful, yes. And perhaps a comment above each version in the Dockerfiles where to find the commands for how to extract the hash. |
Change Description
This PR adds integrity pinning to Docker build images. Referencing the Docker environment by a specified SHA hash reduces the need to trust, the on-going integrity of Dockerhub resources, or data-transport.
Before this change, build Dockerfiles referenced docker images by notional content which could be malicously swapped without alerting.
Docker-Image digests exist under a cohesive
index digest
which account for the fact that different architectures will obtain different image files. See additional commentary: docker/hub-feedback#1925 (comment)Producing Integrity Pinning Digests
Local:
HTTP:
https://hub.docker.com/layers/library/golang/1.22.6-bookworm/images/sha256-8ae92b0f1598356df80f4e9bd682c4cdbae8f1a3fc9cee1f05ce88a00462f05f
JSON API:
https://registry.hub.docker.com/v2/repositories/library/golang/tags/1.22
Steps to Test
# Fetch gh pr checkout 9115 git checkout docker-build-image-integrity SKIP_VERSION_CHECK=1 make docker-release tag=docker-build-image-integrity
Pull Request Checklist
Testing
Code Style and Documentation
[skip ci]
in the commit message for small changes.