Use Case
Our security team is uneasy that the Docker containers used for pupperware hosted at https://hub.docker.com/u/puppet are not signed with a Docker Content Trust key, which makes verifying the software supply chain difficult for security vetting purposes.
Describe the Solution You Would Like
Would you be able to start using keys to sign containers published on docker.com?
Additional Context
Info about Docker Content Trust can be found here: https://docs.docker.com/engine/security/trust/