Project

Profile

Help

Story #2625

Updated by ipanova@redhat.com over 7 years ago

During sync we fetch manifests from registry by tag. Yes we do some digest verification but it is not enough. What we do is that we compare docker-content-digest received in the response headers with calculated digest from fetched json. 

 To properly verify it, we need to know what digest to expect. It doesn't add any security to check against the Docker-Content-Digest returned by the registry, since if the manifest is replaced with a malicious one, the Docker-Content-Digest will also change to match that malicious manifest. 



 

 what we could do is: 

 <pre> 
     get the ID after an insecure pull by tag 
     pull the same by its ID 
     reread the ID of the image 
     if the IDs are the same, I know that the original image was secure. 
 </pre> 

 But as far as i understand we can afford this kind of approach with docker 1.10 and newer, because it has secure hashes. 

 I still do not have enough information how we could solve all this, but the current approach definitely does not protect us from malicious intents

Back