How to list all known root keys in Docker (Docker Content Trust)

How can I list all of the root keys on a Docker Content Trust system?

I'm setting up a CI process that will build releases of my application in an ephemeral cloud instance using the debian:stable-latest Docker image. I want to make sure that every time my new build system executes docker pull debian:stable-latest, it doesn't blindly TOFU the root public key used to sign Debian's Docker images, thereby breaking DCT's entire security model.

Before downloading a given Docker image, how can I check whether the system already has the root public key for that image?

Answer 1

To see which keys are already on your system (unless you put them there yourself, they were easily/blindly/silently obtained via TOFU), check $HOME/.docker/trust/tuf/docker.io/library

For example:

root@disp9131:~# export DOCKER_CONTENT_TRUST=1
root@disp9131:~#

root@disp9131:~# docker pull debian:stable-slim
Pull (1 of 1): debian:stable-slim@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d: Pulling from library/debian
696098ac4087: Pull complete 
Digest: sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Status: Downloaded newer image for debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Tagging debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d as debian:stable-slim
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian
root@disp9131:~# 

root@disp9131:~# docker pull ubuntu:latest
Pull (1 of 1): ubuntu:latest@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537: Pulling from library/ubuntu
d72e567cc804: Pull complete 
0f3630e5ff08: Pull complete 
b6a83d81d1f4: Pull complete 
Digest: sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Status: Downloaded newer image for ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Tagging ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537 as ubuntu:latest
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian  ubuntu
root@disp9131:~# 

Warning! Note that Docker Content Trust is disabled by default. Even once enabled, it silently downloads and foolishly trusts whatever root key it receives. So if you use Docker on an ephemeral build system that starts fresh on every execution, DCT is pure security theater and you're vulnerable to MITM on every run

See also

  1. https://docs-stage.docker.com/engine/security/trust/content_trust/
  2. https://github.com/docker/cli/issues/2752
  3. https://stackoverflow.com/questions/48277065/docker-trust-initialization
  4. https://security.stackexchange.com/questions/238529/how-to-list-all-of-the-known-root-keys-in-docker-docker-content-trust
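The check the answer above describes by hand (look in the trust directory before pulling) can be scripted so a CI job refuses to pull when no root is pinned yet, rather than letting the client TOFU one. The following is an added example, not code from the original post or from Docker; the function names are made up here, and it assumes the Notary client cache layout $HOME/.docker/trust/tuf/<registry-host>/<repository>/metadata/root.json, of which the answer's ls output shows the docker.io/library level. It checks for pinned trust metadata per repository; it does not inspect key IDs inside root.json.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an image's
# Docker Content Trust root is already pinned locally before pulling it.
#
# Assumed layout (Notary client cache used by docker with DCT enabled):
#   $HOME/.docker/trust/tuf/<registry-host>/<repository>/metadata/root.json
# The answer above lists the docker.io/library level of that same tree.

# Map an image reference to the <host>/<repository> path used under tuf/.
# Short Docker Hub names get the implicit docker.io/library prefix.
dct_repo_path() {
  ref="${1%%@*}"                      # drop any @sha256:... digest
  case "$ref" in
    */*) first="${ref%%/*}"; rest="${ref#*/}" ;;
    *)   first="";           rest="$ref" ;;
  esac
  case "$first" in
    "")                host="docker.io"; path="library/$rest" ;;
    *.*|*:*|localhost) host="$first";    path="$rest" ;;
    *)                 host="docker.io"; path="$first/$rest" ;;
  esac
  last="${path##*/}"; last="${last%%:*}"   # drop :tag from the last component only
  case "$path" in
    */*) path="${path%/*}/$last" ;;
    *)   path="$last" ;;
  esac
  printf '%s/%s\n' "$host" "$path"
}

# Succeed only if a pinned root.json exists for the image's repository.
# $1 = image reference, $2 = trust directory (defaults to $HOME/.docker/trust)
dct_trust_present() {
  trust_dir="${2:-$HOME/.docker/trust}"
  [ -f "$trust_dir/tuf/$(dct_repo_path "$1")/metadata/root.json" ]
}

# Print every repository that already has pinned trust metadata, one per line.
dct_list_pinned() {
  trust_dir="${1:-$HOME/.docker/trust}"
  [ -d "$trust_dir/tuf" ] || return 0
  find "$trust_dir/tuf" -type f -path '*/metadata/root.json' |
    sed -e "s|^$trust_dir/tuf/||" -e 's|/metadata/root.json$||' | sort
}

# Pull only when the root is already pinned; otherwise fail loudly instead of
# letting the client TOFU whatever root the registry hands it.
dct_safe_pull() {
  ref="$1"; trust_dir="${2:-$HOME/.docker/trust}"
  if dct_trust_present "$ref" "$trust_dir"; then
    DOCKER_CONTENT_TRUST=1 docker pull "$ref"
  else
    echo "refusing to pull $ref: no pinned root for $(dct_repo_path "$ref") under $trust_dir" >&2
    return 1
  fi
}
```

On a build instance that starts fresh each run, dct_safe_pull debian:stable-latest will refuse every time unless the job first restores a trust directory that was populated and verified somewhere you control (for example a copy of $HOME/.docker/trust stored with the CI secrets); restoring that directory before the pull is what turns DCT from TOFU-on-every-run into an actual pin.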