mozilla-services / Dockerflow

Cloud Services Dockerflow specification
Apache License 2.0

Tweak Dockerflow spec to REQUIRE a "build" URL #16

Closed mostlygeek closed 8 years ago

mostlygeek commented 8 years ago

This paves the way for basic verification of a docker image without having to completely switch to Docker's implementation of the TUF framework. The new requirements and recommendations have already been prototyped / tried with:

mostlygeek commented 8 years ago

@jvehent r? This is a first step towards making images easier to verify without coupling too tightly to any specific implementation.

jvehent commented 8 years ago

If I understand this correctly, CircleCI generates a sha256 of the Docker image it built and stores it in the artifacts of the run. We could then go back to CircleCI's history and compare the container hash we run in production against the one built during the run. Is this correct?

It's nice. It removes one of the unknowns: the integrity of Docker Hub. I'd like a magical way to verify that CircleCI itself isn't messing with our builds, but that doesn't exist (yet).

mostlygeek commented 8 years ago

That's correct, the CI (Circle/TaskCluster) outputs the sha256 sum as part of its build artifacts. I'll be creating a Docker-Pull-Verify-Push job in Jenkins that should be able to use these values if they fit the Dockerflow spec.
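The Pull-Verify-Push flow the thread describes, as an added example that is not code from the Dockerflow repo, this PR, or the Jenkins job mentioned above. It assumes (neither is stated on the page) that the CI artifact is a plain text file with one `<image>:<tag> sha256:<hex>` line per image, and that the digest being compared is the registry manifest digest that `docker inspect` reports in `RepoDigests` after the pull. The sample artifact is constructed for the example.

```shell
#!/bin/sh
# Added example: minimal Docker-Pull-Verify-Push check. Not part of the
# Dockerflow spec or this PR. Assumed artifact format (not from the page):
# one line per image, "<image>:<tag> sha256:<64 hex chars>".
set -eu

# Writes a constructed sample artifact (not a real CircleCI artifact) to $1,
# so the parsing and comparison below can be exercised without docker.
write_sample_artifact() {
    cat > "$1" <<'EOF'
app:1.0 sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
worker:2.3 sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
EOF
}

# Prints the digest recorded for image $2 in artifact file $1.
# Returns 1 if the image has no line, so callers cannot fall through
# to comparing against an empty string.
expected_digest() {
    artifact="$1"; image="$2"
    awk -v img="$image" '$1 == img { print $2; found = 1 } END { exit !found }' "$artifact"
}

# Returns 0 only when $1 is a well-formed sha256 digest and equals $2.
# The format check means an empty or garbled expected value never "matches".
verify_digest() {
    expected="$1"; actual="$2"
    if ! printf '%s\n' "$expected" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
        echo "bad expected digest: '$expected'" >&2
        return 1
    fi
    [ "$expected" = "$actual" ]
}

# Pull $2, read the digest the registry served, verify it against the CI
# artifact $1, and only then retag as $3 and push. Assumption: the first
# RepoDigests entry is the registry we pulled from.
pull_verify_push() {
    artifact="$1"; image="$2"; dest="$3"
    want=$(expected_digest "$artifact" "$image") || {
        echo "no digest for $image in $artifact" >&2
        return 1
    }
    docker pull "$image" >/dev/null
    got=$(docker inspect --format '{{index .RepoDigests 0}}' "$image")
    got="${got#*@}"   # entries look like registry/name@sha256:<hex>
    if verify_digest "$want" "$got"; then
        docker tag "$image" "$dest"
        docker push "$dest"
    else
        echo "digest mismatch for $image: want $want got $got" >&2
        return 1
    fi
}
```

Two caveats a practitioner would want: the value in `RepoDigests` is the manifest digest the registry served, which is not the same as the local image ID (the sha256 of the image config), so the CI job has to record the same kind of digest, typically the one printed after its own `docker push`, or the comparison will never match. And, as jvehent says above, this only checks that what Docker Hub handed out is what CI built; a CI that is itself compromised can produce a matching artifact for a malicious image.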