> On 4. Jun 2024, at 10:35, Kiszka, Jan (T CED) <
jan.k...@siemens.com> wrote:
>
> On 04.06.24 08:25, 'Jörg Sommer' via kas-devel wrote:
>> Jan Kiszka schrieb am Mo 03. Jun, 13:09 (GMT):
>>> On 03.06.24 12:45, 'Jörg Sommer' via kas-devel wrote:
>>>> Hello,
>>>>
>>>> is it intended that kas-container pins the image by the version tag and not
>>>> the SHA ID? Some proxies might mess with the tag. Wouldn't it be better to
>>>> use the SHA ID?
>>> How do you want to resolve the issue that the SHA is only known after I
>>> tagged, built and released? We would have to split up kas-container into
>>> a separate repo to allow its own, slightly delayed release cycle.
>>
>> Oh yes, I didn't thought of the chicken-egg-problem.
>>
>> But would it be possible to sign the images?
>>
>>
https://www.howtogeek.com/devops/how-to-sign-your-docker-images-to-increase-trust/
>>
>> % docker trust inspect
ghcr.io/siemens/kas/kas:4.4
>> []
>> no signatures or cannot access
ghcr.io/siemens/kas/kas:4.4
>>
>
> This looks architecturally broken to me, asking me to load my private
> key into docker (docker trust key load). But maybe my colleagues have
> better understanding here.
Jan, is your concern adding your private key to your local Docker instance?
Or is your concern that “docker trust” might send your private key to the Docker Hub?
In both cases some investigation would be need to:
- an alternative without using docker toolchain could be investigated
- understand what the tool itself does (hopefully OSS) to gain some trust on it
Being container images built up as Merkle trees, in theory you only need to sign the top-level manifest.
You shouldn’t need to pull the whole image, but I have to admit I don’t know how the Docker CLI does it.
>
>>
>>> But you can always set your own local KAS_IMAGE_VERSION using a SHA
>>> instead.
>>
>> Sounds good.
>>
>>> BTW, which kind of proxies could actually cause troubles here? GitHub
>>> itself? Or some fishy middle boxes which you enabled / had to enable to
>>> break your E2E encryption?
>>
>> A self-build solution for image caching and pinning and fancy foobar. It
>> took me hours for another image to find out that the tag in this proxy of
>> our customer did not match the tag online.
>>
>
> OK, I see.
A self-built solution for image caching? That sounds scary…
Jörg, did you considered the usage of a local container registry in proxy mode?
It should take care of it all transparently and reliably.
The CNCF registry can only proxy from one registry, but Harbor appears to support multiple upstream registries.
Tags are not as reliable as SHAs, that’s right.
Still I would say that having tags being modified by the proxy should be considered a bug
Silvano