Can we create verifiable checksums for our dockerBuild images? #2734

sxa · 2022-09-07T09:53:20Z

Our docker build images which are created from the files in https://github.com/adoptium/infrastructure/tree/master/ansible/docker are created via mechanisms described in https://github.com/adoptium/infrastructure/blob/master/FAQ.md#what-about-the-builds-that-use-the-dockerbuild-tag

Once created those images are uploaded to dockerhub, and then where applicable they are downloaded and used on nodes with the dockerBuild tag.

This issue is to cover whether we can store checksums of the docker images prior to upload to give us the ability to verify that they have not been tampered with while being uploaded to, or retrieved from, GitHub.

zdtsw · 2022-09-07T14:32:54Z

Guess we can get the checksum right after build
docker inspect <image> | jq .[0].Digest but how do we want to store and consume these?

sxa added this to Secure Software Development Activities Sep 7, 2022

sxa changed the title ~~Can we create verifyable checksums for our dockerBuild images?~~ Can we create verifiable checksums for our dockerBuild images? Sep 7, 2022

github-actions bot added the docker label Sep 7, 2022

sxa added this to the 2023-04 (April) milestone Feb 24, 2023

sxa added the security label Feb 24, 2023

sxa mentioned this issue Feb 24, 2023

Tracker: Adoptium Secure Software Development Framework (SSDF) adoptium/adoptium#120

Open

sxa modified the milestones: 2023-04 (April), 2023-05 (May) May 16, 2023

sxa modified the milestones: 2023-05 (May), Backlog Jun 6, 2023

sxa added this to Adoptium 3Q 2023 Plan Jul 12, 2023

smlambert removed this from Adoptium 3Q 2023 Plan Nov 22, 2023

smlambert added this to Adoptium 4Q 2023 Plan Nov 22, 2023

smlambert moved this to Todo in Adoptium 4Q 2023 Plan Nov 22, 2023

smlambert added this to 2024 1Q Adoptium Plan Jan 8, 2024

smlambert moved this to Todo in 2024 1Q Adoptium Plan Jan 8, 2024

smlambert removed this from Secure Software Development Activities Jan 8, 2024

smlambert removed this from Adoptium 4Q 2023 Plan Jan 8, 2024

smlambert added this to Adoptium Backlog Sep 5, 2024

github-project-automation bot moved this to Todo in Adoptium Backlog Sep 5, 2024

sxa removed this from Adoptium Backlog Nov 1, 2024

sxa added this to 2024 4Q Adoptium Plan Nov 1, 2024

sxa removed this from 2024 1Q Adoptium Plan Nov 1, 2024

sxa modified the milestones: Backlog, 2024-11 (November) Nov 1, 2024

smlambert moved this to Todo in 2024 4Q Adoptium Plan Nov 6, 2024

sxa modified the milestones: 2024-11 (November), 2024-12 (December) Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can we create verifiable checksums for our dockerBuild images? #2734

Can we create verifiable checksums for our dockerBuild images? #2734

sxa commented Sep 7, 2022 •

edited

Loading

zdtsw commented Sep 7, 2022

Can we create verifiable checksums for our dockerBuild images? #2734

Can we create verifiable checksums for our dockerBuild images? #2734

Comments

sxa commented Sep 7, 2022 • edited Loading

zdtsw commented Sep 7, 2022

sxa commented Sep 7, 2022 •

edited

Loading