Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Image manifest JWS verification #1331

Closed
4 tasks
hickeng opened this issue Jul 1, 2016 · 1 comment
Closed
4 tasks

Image manifest JWS verification #1331

hickeng opened this issue Jul 1, 2016 · 1 comment
Labels
area/docker Support for the Docker operations area/security Management of security functionality and other issues that impact security component/imagec Epic Represents a ZenHub Epic kind/investigation A scoped effort to learn the answers to a set of questions which may include prototyping priority/p1 resolution/will-not-fix This issue is valid, but will not be fixed
Milestone
Sprint 39

Comments

@hickeng
Copy link
Member

hickeng commented Jul 1, 2016
edited
Loading

Story
As a user I want to know that the image I pull has not been tampered with

Details
Implementation of the JWS signature validation on image manfiests should be performed in the lib/imagec code.
The digest for the image layers is already computed and verified by the portlayer.WriteImage call

  • verify that the layer digests are passed to this call

There should be no provision for accepting an image that fails signature validation if a signature is present.

Acceptance

  • layer with checksum that does not match the layer digest - should be rejected
  • image manifest that fails validation via JWS signature - should be rejected
  • layers and images with correct digests should be accepted

bug1727662
@hickeng hickeng added area/security Management of security functionality and other issues that impact security area/docker Support for the Docker operations component/imagec labels Jul 1, 2016
@hickeng hickeng added this to the VIC GA Release milestone Jul 1, 2016
@mdubya66 mdubya66 added the impact/doc/note Requires creation of or changes to an official release note label Sep 20, 2016
@mdubya66 mdubya66 removed this from the VIC GA Release milestone Sep 20, 2016
@hickeng hickeng removed the impact/doc/note Requires creation of or changes to an official release note label Nov 7, 2016
@hickeng hickeng removed their assignment Feb 1, 2017
@hickeng hickeng mentioned this issue Mar 29, 2017
Open
5 tasks
@hickeng hickeng added kind/investigation A scoped effort to learn the answers to a set of questions which may include prototyping priority/p2 and removed priority/p4 labels Mar 29, 2017
@hickeng hickeng self-assigned this Mar 29, 2017
@hickeng hickeng added this to the Sprint 6 milestone Mar 29, 2017
@hickeng hickeng added the Epic Represents a ZenHub Epic label Apr 11, 2017
@mhagen-vmware mhagen-vmware removed this from the Sprint 6 milestone Apr 12, 2017
@hickeng hickeng assigned hickeng and unassigned hickeng Apr 12, 2017
@mdubya66 mdubya66 added this to the Sprint 32 Container Ops milestone May 9, 2018
@gigawhitlocks gigawhitlocks self-assigned this May 9, 2018
@gigawhitlocks gigawhitlocks mentioned this issue May 21, 2018
Closed
@renmaosheng renmaosheng added this to the Sprint 38 milestone Nov 22, 2018
@renmaosheng renmaosheng modified the milestones: Sprint 38, Sprint 39 Dec 4, 2018
@zjs
Copy link
Member

zjs commented Dec 10, 2018

Summary of discussion: Implement Notary instead of this (if it's an either-or decision). The VCH should have a Notary client built in to verify integrity. See #4450.

@zjs zjs added the resolution/will-not-fix This issue is valid, but will not be fixed label Dec 10, 2018
@zjs zjs closed this as completed Dec 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/docker Support for the Docker operations area/security Management of security functionality and other issues that impact security component/imagec Epic Represents a ZenHub Epic kind/investigation A scoped effort to learn the answers to a set of questions which may include prototyping priority/p1 resolution/will-not-fix This issue is valid, but will not be fixed
Projects
None yet
Milestone
Sprint 39
Development

No branches or pull requests
7 participants
@zjs @gigawhitlocks @hickeng @renmaosheng @mdubya66 @mhagen-vmware @sgairo