jenkinsci / docker-agent

Jenkins agent (base image) and inbound agent Docker images
https://hub.docker.com/r/jenkins/inbound-agent/
MIT License
287 stars 230 forks

Docker images should be signed utilizing docker content trust and digests should be published #233

Open css-inverso opened 2 years ago

css-inverso commented 2 years ago

What feature do you want to see added?

The problem:

There is no way to verify that the images published were actually built by jenkinsci.

We use digest-pinning to verify that our images based upon jenkins/inbound-agent are based off the intended image. There was a new image uploaded last Friday that updated the tag we use (jenkins/inbound-agent:4.11.2-4-jdk11). We are unable to verify whether that change was "legitimate".

Proposed solution:

Sign the published images using Docker Content Trust. That way at least the origin can be verified. Additionally, posting the digests at the release tag would probably be nice for manually verifying a source, as the builds aren't publicly accessible, or publishing a buildinfo in Artifactory.

Questions:

Why is there more than one build per release? In my opinion there should only be one build and therefore one digest for the image we use. I would like to know why it was updated, as a change should increase the version.

Upstream changes

No response
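Digest pinning as used in the report above, shown as an added example that is not the project's own code: the digest a registry reports for an image is the SHA-256 of the exact manifest bytes it serves, so a reference pinned with `@sha256:` fails closed when a tag is silently re-pointed at a rebuild, and a client pulling by digest can recompute the hash over what it received. The manifests, the registry contents and every function name below are constructed for this example; no real jenkins/inbound-agent digests appear.

```python
"""Digest pinning: a tag is a mutable pointer, a digest is content-addressed.

Constructed example. The two manifests below stand in for "the image we pinned"
and "the rebuild that moved the tag"; they are not real registry data.
"""
import hashlib
import json
import re

# Constructed manifests: the rebuild differs only in its config blob digest.
def _manifest(config_digest: str) -> bytes:
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                   "size": 7023, "digest": config_digest},
        "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                    "size": 32654, "digest": "sha256:" + "aa" * 32}],
    }, separators=(",", ":")).encode()

ORIGINAL_MANIFEST = _manifest("sha256:" + "11" * 32)
REBUILT_MANIFEST = _manifest("sha256:" + "22" * 32)


def manifest_digest(manifest_bytes: bytes) -> str:
    """Registry digest: SHA-256 over the exact manifest bytes served."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


# Constructed registry state after "last Friday": the tag now serves the
# rebuild, while both manifests remain reachable by their content digest.
TAGS = {("jenkins/inbound-agent", "4.11.2-4-jdk11"): REBUILT_MANIFEST}
BY_DIGEST = {manifest_digest(m): m for m in (ORIGINAL_MANIFEST, REBUILT_MANIFEST)}

# name[:tag][@sha256:hex]; hostnames with ports are deliberately not handled.
REF_RE = re.compile(
    r"^(?P<name>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref: str):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"not an image reference: {ref!r}")
    return m.group("name"), m.group("tag"), m.group("digest")


def pin(name: str, tag: str, tags=TAGS) -> str:
    """Resolve a tag to the digest currently served and return a pinned reference,
    e.g. for a Dockerfile FROM line or a Jenkins agent template."""
    return f"{name}:{tag}@{manifest_digest(tags[(name, tag)])}"


def verify(ref: str, tags=TAGS):
    """Return (ok, served_digest).

    ok is True only when the digest the registry currently serves for the tag
    equals the pinned digest. An unpinned reference has nothing to check
    against and is reported as not ok with served_digest None.
    """
    name, tag, pinned = parse_reference(ref)
    if pinned is None:
        return False, None
    served = manifest_digest(tags[(name, tag or "latest")])
    return served == pinned, served


def pull_by_digest(digest: str, by_digest=BY_DIGEST) -> bytes:
    """Pull by digest and recompute the hash over the bytes received, so a
    registry (or a proxy) that returns different bytes is caught client-side."""
    body = by_digest[digest]
    if manifest_digest(body) != digest:
        raise RuntimeError(f"content mismatch for {digest}")
    return body


if __name__ == "__main__":
    pinned_ref = f"jenkins/inbound-agent:4.11.2-4-jdk11@{manifest_digest(ORIGINAL_MANIFEST)}"
    ok, served = verify(pinned_ref)
    print(f"{pinned_ref}\n  still current: {ok}\n  tag now serves: {served}")
    print("re-pin to:", pin("jenkins/inbound-agent", "4.11.2-4-jdk11"))
```

The check tells you that the tag moved and what it now points to; it cannot tell you whether the move was legitimate. That is the gap the issue asks to close: a signature such as Docker Content Trust (enabled in the Docker CLI with `DOCKER_CONTENT_TRUST=1`) binds a digest to a publisher key, and published per-release digests give you a reference value to pin to in the first place.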

timja commented 2 years ago

Why is there more than one build per release? In my opinion there should only be one build and therefore one digest for the image we use. I would like to know why it was updated, as a change should increase the version.

Likely this issue: https://github.com/jenkins-infra/helpdesk/issues/2