-
Notifications
You must be signed in to change notification settings - Fork 513
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tags are updated for old images #448
Comments
I should say that DCT succeeds but it succeeds with a different SHA than the one we pin. |
We verify our base images as follows. img="golang:1.19.4@sha256:cfaad8202aed5121121dfe3a252e98d5c89cc67fc456cc69fe70eb7dcc1b8cff"
image_full=$(echo "$img" | awk '{ print $2 }')
image_name=$(echo "$image_full" | cut -d '@' -f 1)
image_sha=$(echo "$image_full" | cut -d '@' -f 2- | cut -d ':' -f 2-)
DOCKER_CONTENT_TRUST=1 docker trust inspect --pretty "$image_name" | grep "$image_sha" The full script we use is here: |
I'm going to guess this is happening because other stuff in the image has updates, and those are being rebuilt and pushed back to As an example, that image contains In other words, I don't think Docker shares your expectation that the tag won't change after it's been produced. If the images had SBOMs it could help narrow down exactly what changed between edit: In this case, it looks like most of the images in the manifest are unchanged between those two digests, only the
|
Thanks Jason! There are indeed a couple misunderstandings at play here: 😅
Can you elaborate a bit on what you're trying to verify by cross-referencing the current tag's value back to the saved digest? (I don't think I'm fully understanding the use-case.) |
Hi thanks.
I suppose I didn't have this expectation either, but nor did I expect that they would change as frequently as they sometimes do. e.g. daily.
This I think is a real downside of DCT. Verifying an image at a tag that changes all the time makes it pretty hard to ensure that you are using an image that has been verified as the tag could change out from under you. With a digest you have guarantees that the image hasn't changed. It's also hard to map between the tag and digest if you are pinning images by digest, because DCT only supports verifying by tag. It also makes it hard to avoid TOCTOU issues unless you can really ensure that you are using the same image as was verified. For docker this means you need control over
Yeah, Right now we are using a Docker container action which builds the image on every GHA run. It would pick up the changes in the base image tag immediately and AFAIK has no way of verifying the images before using it. We pin the base images by digest and verify the base images using DCT in a pre-submit action. So, since we verify the images used when they are changed in the repo, we want to make sure that the image hasn't changed since the last time it's been verified (thus pinning by digest). It sounds like, if we want to continue using Docker container action on GitHub we'll need to use pre-built images and verify the base images at build time. And then pin our pre-built image by digest to make sure it hasn't changed since verification (as there is no way to sign our own image and verify it when used by GHA AFAICT). |
It seems that when some kind of change is made all the old image tags are re-built and pushed. We check the image sha for our based images because we don't expect tags in the docker repository to change.
We can pull the old sha, but Docker Content Trust verification fails in that case.
Is it necessary to continuously re-build and push all old image tags?
The text was updated successfully, but these errors were encountered: