How to list all of the known root keys in docker (Docker Content Trust)

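How can I list all of the Docker Content Trust root keys on my system?

I'm setting up a CI process that will build my application's releases in an ephemeral cloud instance using the debian:stable-slim docker image. I want to make sure that every time my fresh build system runs docker pull debian:stable-slim, it doesn't blindly TOFU the root public key used to sign debian's docker images, thereby defeating the entire security model of DCT.

Before downloading a given docker image, how can I check whether the system already has the image's root public key?

To see which keys are already on your system (happily/blindly/silently obtained via TOFU, unless you put them there yourself), check $HOME/.docker/trust/tuf/docker.io/library

For example: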

root@disp9131:~# export DOCKER_CONTENT_TRUST=1
root@disp9131:~#

root@disp9131:~# docker pull debian:stable-slim
Pull (1 of 1): debian:stable-slim@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d: Pulling from library/debian
696098ac4087: Pull complete 
Digest: sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Status: Downloaded newer image for debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Tagging debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d as debian:stable-slim
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian
root@disp9131:~# 

root@disp9131:~# docker pull ubuntu:latest
Pull (1 of 1): ubuntu:latest@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537: Pulling from library/ubuntu
d72e567cc804: Pull complete 
0f3630e5ff08: Pull complete 
b6a83d81d1f4: Pull complete 
Digest: sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Status: Downloaded newer image for ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Tagging ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537 as ubuntu:latest
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian  ubuntu
root@disp9131:~# 

WARNING! Note that docker content trust is disabled by default. Even after it's enabled, it will silently download and dumbly trust any root keys it obtains. Therefore, if you're using Docker on an ephemeral build system that launches fresh on every execution, then DCT is entirely security theater and will be vulnerable to MITM attacks on every run.

See also

  1. https://docs-stage.docker.com/engine/security/trust/content_trust/
  2. https://github.com/docker/cli/issues/2752
  3. https://security.stackexchange.com/questions/238529/how-to-list-all-of-the-known-root-keys-in-docker-docker-content-trust
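
Added example (not part of the original post): a POSIX shell pre-pull check built on the trust directory the answer points to. It assumes each repository's cached TUF root sits at metadata/root.json under that directory and that you pin the SHA-256 of a root.json you provisioned yourself; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check for cached Docker Content Trust root metadata before a pull.
# Assumption: the client caches each repository's TUF root at
#   <trust_dir>/tuf/<registry>/<repo>/metadata/root.json

# Print "sha256  repo" for every repository that has a cached root.json.
dct_list_roots() {
    trust_dir=$1
    [ -d "$trust_dir/tuf" ] || return 0
    find "$trust_dir/tuf" -type f -path '*/metadata/root.json' | sort |
    while IFS= read -r f; do
        repo=${f#"$trust_dir/tuf/"}
        repo=${repo%/metadata/root.json}
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$repo"
    done
}

# Report whether pulling REPO would fall back to trust-on-first-use.
# Prints one of: missing | unpinned | match | mismatch.
# Returns 0 only when the cached root.json equals the pinned digest.
dct_root_status() {
    trust_dir=$1 repo=$2 pinned=${3:-}
    root="$trust_dir/tuf/$repo/metadata/root.json"
    if [ ! -f "$root" ]; then echo missing; return 1; fi     # a pull would TOFU
    if [ -z "$pinned" ]; then echo unpinned; return 1; fi    # nothing to compare with
    actual=$(sha256sum "$root" | cut -d' ' -f1)
    if [ "$actual" = "$pinned" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# Gate a pull in CI (PINNED is a placeholder for the digest you recorded):
#   dct_root_status "$HOME/.docker/trust" docker.io/library/debian "$PINNED" \
#       && DOCKER_CONTENT_TRUST=1 docker pull debian:stable-slim

# When run directly, list what is cached for the current user.
dct_list_roots "$HOME/.docker/trust"
```

On an ephemeral instance the status is "missing" until the build provisions the pinned root.json into the trust directory before the first pull.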