Open burgerdev opened 1 month ago
Would container image signature schemes such as cosign
or notation
not work for you?
I tend to agree that this would be a vulnerability for clients, and treated it as a security issue in my own project. https://github.com/regclient/regclient/security/advisories/GHSA-qv35-3gw6-8q4j
Would container image signature schemes such as
cosign
ornotation
not work for you?
@rchincha: Thanks for pointing this out, I forgot to mention it in the use case. Signatures can be a replacement for the rebuild check I described in the first paragraph, but only if I fully trust the signing authority. If the signing authority is compromised I'm open to being served bad content, so I essentially need to sign the images myself. Now I have to keep that signing key safe and come up with a secure signing workflow. It would be much easier for me if I only needed the digest.
Not a distribution-spec maintainer, but I've been here a while and agree that this was the whole point of pull-by-digest so any client that isn't validating the user-specified digest (and is instead only validating the server-returned digest) is doing it Wrong and we should absolutely find and fix them. :smile:
The use case
Suppose I have a release workflow that builds reproducible container images, for example using Bazel or Nix image builders. Reproducibility guarantees that I can rebuild the image from the same sources and arrive at the same digest. This digest is used to upload the image to a registry.
I would like to pull these images in a trusted environment, but from a potentially untrusted container registry. Suppose I received the expected digest through some trusted channel that does not involve the registry (e.g., I rebuilt it). Instructing my OCI client to pull the image by that digest should have one of two outcomes:
The problem
The specification is not clear enough when it comes to digest verification. Quoting from https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#pull regarding manifests:
This allows a registry to respond to a
registry/repo@sha256:...
with aDocker-Content-Digest: sha512:...
, but only requires the client to verify the registry-provided digest. This is not sufficient to ensure case (1) above.For pulling blobs, there is a requirement for the registry, but it is acceptable to use a different hash algorithm in the response and the client is not required to check anything:
The proposal
Add a verification requirement to the spec:
Enforcement should not make a difference for conformant registries: The requirements related to manifest existence imply that the response body of a
200 OK
should also match the reference digest (because the registry found it under that digest), so it should be safe to fail the pull if it doesn't.Server-side considerations
Some aspects have been discussed in #494. I agree to @ktarplee's argument that digest algorithm choice should be client-driven. That would allow to avoid the use cases which I believe motivated the canonical digest idea.