Closed mostlygeek closed 8 years ago
@jvehent r? this is a first step towards making images easier to verify without coupling too tightly to any specific implementation.
If I understand this correctly, circleci generates a sha256 of the docker image it built and stores it in the artifact of the run. We could then go back to circleci's history and compare the container hash we run in production against the one built during the run. Is this correct?
It's nice. It removes one of the unknowns: the integrity of dockerhub. I'd like a magical way to verify that circleci itself isn't messing with our builds, but that doesn't exist (yet).
That's correct, the CI (circle/task cluster) outputs the sha256 sum as part of its build artifacts. I'll be creating a Docker-Pull-Verify-Push job into jenkins that should be able to use these values if they fit the Dockerflow spec.
__version__ to REQUIRE a build key, which contains a URL to the CI build job. This paves the way for basic verification of a docker image without having to completely switch to Docker's implementation of the TUF framework. The new requirements and recommendations have already been prototyped / tried with:
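A verify step of the kind the thread describes (check the __version__ document for the required build URL, then compare the pulled image's sha256 against the one CI recorded), as an added example that is not code from the Dockerflow project or this PR. It assumes a constructed CI artifact format with an image_sha256 field, an image ID as printed by docker inspect, and that the other __version__ keys (source, version, commit) follow the Dockerflow spec:

```python
"""Verify a pulled Docker image against the sha256 recorded by the CI job.
Added example (not Dockerflow project code). Assumed: CI artifact JSON with an
"image_sha256" field; image ID from `docker inspect --format '{{.Id}}'`."""
import hmac
import json
import re
from urllib.parse import urlparse

REQUIRED_VERSION_KEYS = ("source", "version", "commit", "build")  # build: this PR
HEX_DIGEST_RE = re.compile(r"^[0-9a-f]{64}$")


def check_version_payload(payload: dict) -> list:
    """Return the list of problems with a __version__ document (empty == acceptable)."""
    problems = [f"missing required key: {k}" for k in REQUIRED_VERSION_KEYS if not payload.get(k)]
    parsed = urlparse(str(payload.get("build", "")))
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("build must be an https URL pointing at the CI build job")
    return problems


def normalise_digest(digest: str) -> str:
    """Strip an optional 'sha256:' prefix; return '' for anything that is not 64 hex chars."""
    hex_part = digest.strip().lower().split("sha256:", 1)[-1]
    return hex_part if HEX_DIGEST_RE.match(hex_part) else ""


def digests_match(expected: str, actual: str) -> bool:
    """Constant-time comparison of two sha256 digests; malformed digests never match."""
    e, a = normalise_digest(expected), normalise_digest(actual)
    return bool(e) and hmac.compare_digest(e, a)


def verify_image(version_payload: dict, ci_artifact_json: str, pulled_image_id: str) -> tuple:
    """Both checks together: a well-formed __version__ and a digest matching CI's record."""
    problems = check_version_payload(version_payload)
    expected = json.loads(ci_artifact_json).get("image_sha256", "")
    if not digests_match(expected, pulled_image_id):
        problems.append("pulled image digest does not match the CI build artifact")
    return (not problems, problems)


# Constructed sample data: what CI would emit and what /__version__ would serve.
SAMPLE_ARTIFACT = json.dumps({"image_sha256": "sha256:" + "ab" * 32})
SAMPLE_VERSION = {"source": "https://github.com/example/app", "version": "1.2.3",
                  "commit": "0123abcd", "build": "https://circleci.com/gh/example/app/42"}

if __name__ == "__main__":
    print(verify_image(SAMPLE_VERSION, SAMPLE_ARTIFACT, "sha256:" + "ab" * 32))
```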