Closed rhuddleston closed 5 years ago
Can you elaborate?
Sorry, accidentally submitted before I added the content. See above @mattrobenolt
How do I do this? We don’t even build the images, it’s up to the docker team since these are official images. So if things were properly signed in the past, I’ve never done anything explicitly there. Can you point me to some information about this? I’ve never heard or seen any of this before.
Ah if this is an "official image" that the docker team is building then we'll need them to fix it. Do you have a way to contact them? I could point out how to sign images etc but it's pretty involved and like you say you're not even building them. @mattrobenolt
Also note typically it says "Docker Official Images" at the top of dockerhub pages that are official e.g. https://hub.docker.com/_/mysql
But looks like the sentry one doesn't have that currently https://hub.docker.com/_/sentry/
Maybe there was some change @mattrobenolt ?
cc @tianon @yosifkit
I don’t really know what that means or if I have any control over it. I know I go through their process and they publish them. Beyond that, I’m not sure how this process works.
For example, https://github.com/docker-library/official-images/pull/5772
Maybe that “Docker Official Image” more so means it’s maintained by Docker the company? In our case, we maintain the image, but it’s published under their namespace. Otherwise, it’d be like, docker pull getsentry/sentry:9.1 instead of just docker pull sentry:9.1.
This sounds like https://github.com/docker-library/official-images/issues/5874 😔
gg everyone.
Thanks for hopping in @tianon. ❤️
This is fixed now BTW so thanks to whoever fixed it :)
Also sentry:9 points to sentry:9.1 now 👍
We did it.
$ export DOCKER_CONTENT_TRUST=1
$ docker pull sentry:9.1
No valid trust data for 9.1
while the 9.0 version is signed correctly
Also note despite what the dockerhub page says all of these are the same image:
sentry:latest, sentry:9, sentry:9.0, sentry:9.0.0
While sentry:9.1 and sentry:9.1.1 are the same container but are not signed with notary
$ docker run --rm -it sentry:latest /bin/bash
root@456f4fba1bf4:/# sentry --version
sentry, version 9.0.0
$ docker run --rm -it sentry:9 /bin/bash
root@43efcd24f456:/# sentry --version
sentry, version 9.0.0
$ docker run --rm -it sentry:9.1 /bin/bash
root@02ed88ab5afb:/# sentry --version
sentry, version 9.1.1
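An added example, not part of the original thread: one way to audit a repository for the two conditions reported above (tags with no trust data, and tags that are aliases of the same image) by parsing JSON in the shape printed by `docker trust inspect`. The sample JSON, its digests, and the `audit_tags` helper are constructed for illustration; which tags appear as signed in the sample is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample in the shape printed by `docker trust inspect sentry`.
# Digests are made-up placeholders, not the real image digests.
SAMPLE_TRUST_JSON = """
[{"Name": "sentry",
  "SignedTags": [
    {"SignedTag": "latest", "Digest": "aaaa0000", "Signers": ["Repo Admin"]},
    {"SignedTag": "9",      "Digest": "aaaa0000", "Signers": ["Repo Admin"]},
    {"SignedTag": "9.0",    "Digest": "aaaa0000", "Signers": ["Repo Admin"]},
    {"SignedTag": "9.0.0",  "Digest": "aaaa0000", "Signers": ["Repo Admin"]}
  ]}]
"""


def audit_tags(trust_json, wanted_tags):
    """Hypothetical helper: return (unsigned, aliases).

    unsigned: wanted tags that have no entry in the trust data, i.e. the
              tags a pull with DOCKER_CONTENT_TRUST=1 would reject.
    aliases:  groups of signed tags that resolve to the same digest.
    """
    signed = {}
    for repo in json.loads(trust_json):
        # "SignedTags" may be missing or null when nothing is signed.
        for entry in repo.get("SignedTags") or []:
            signed[entry["SignedTag"]] = entry["Digest"]

    unsigned = [tag for tag in wanted_tags if tag not in signed]

    by_digest = defaultdict(list)
    for tag in wanted_tags:
        if tag in signed:
            by_digest[signed[tag]].append(tag)
    aliases = [sorted(tags) for tags in by_digest.values() if len(tags) > 1]
    return unsigned, aliases


if __name__ == "__main__":
    tags = ["latest", "9", "9.0", "9.0.0", "9.1", "9.1.1"]
    unsigned, aliases = audit_tags(SAMPLE_TRUST_JSON, tags)
    print("no trust data:", ", ".join(unsigned) or "none")
    for group in aliases:
        print("same signed digest:", ", ".join(group))
```

Against a live registry, the input would come from `docker trust inspect <repository>` instead of the embedded sample.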