How can I verify the authenticity of an image pulled from docker hub? #147
Comments
Unfortunately, this isn't as trivial to verify as I'd like it to be -- due to various technical details, the bits that get pushed to Docker Hub have a very slightly different checksum than the generated bits (in part due to compression differences, but also some minor extraction/ordering differences). Here's what I'd recommend for reproducing the checksums from https://docker.debian.net from an image pulled from Docker Hub:

```console
$ # these instructions assume you've got https://github.com/debuerreotype/debuerreotype checked out and you're in the directory
$ docker pull debian:bookworm-20211220
$ docker create --name temp debian:bookworm-20211220
$ dir="$(mktemp -d)"
$ trap 'sudo rm -rf "$dir"' EXIT
$ docker export --output "$dir/rootfs.tar" temp
$ docker rm temp
$ # now we need to extract the tarball so we have an expanded rootfs -- I'm going to use "sudo" to preserve permissions, but "fakeroot" or similar could also be used
$ sudo mkdir -p "$dir/rootfs"
$ sudo tar --extract --directory "$dir/rootfs" --file "$dir/rootfs.tar"
$ # fix a few Docker-modified files; https://github.com/debuerreotype/debuerreotype/blob/32f390b0eff8eeb01fdec135ddc6eab06850c826/scripts/debuerreotype-init#L181 + https://github.com/debuerreotype/debuerreotype/blob/32f390b0eff8eeb01fdec135ddc6eab06850c826/scripts/debuerreotype-init#L186-L190
$ echo debuerreotype | sudo tee "$dir/rootfs/etc/hostname"
$ echo -e '# https://1.1.1.1 (privacy-focused, highly-available DNS service)\nnameserver 1.1.1.1\nnameserver 1.0.0.1' | sudo tee "$dir/rootfs/etc/resolv.conf"
$ sudo chmod 0644 "$dir/rootfs/etc/hostname" "$dir/rootfs/etc/resolv.conf"
$ # recreate appropriate epoch file for debuerreotype
$ stat --format '%Y' "$dir/rootfs/etc/apt/sources.list" | sudo tee "$dir/rootfs/debuerreotype-epoch"
$ sudo ./scripts/debuerreotype-tar --exclude='./.docker*' --exclude='./etc/hosts' --exclude='./etc/mtab' "$dir/rootfs" "$dir/rootfs.tar.xz"
$ sha256sum "$dir/rootfs.tar.xz"
```
@tianon Thank you for the step by step commands list. It has helped me confirm the SHA256 checksum (

P.S. The above commands work also with
For example, I pull `--arch amd64 --tls-verify=true debian:bookworm-20211220`:

```console
Copying blob 9aa4f47c6909 done
Copying config 0b63fd0343 done
Storing signatures
0b63fd03430d8e3ba5bbe108ef16ea978c934a378c865a83af2a040eae9cf174
```

Then for that image (`0b63fd03430d`) locally, I get the following two digests:

```
docker.io/library/debian@sha256:3baade3697056cfb82c7e9592d8e1b40eacfebc90e1fe36d39892745822c0f10
docker.io/library/debian@sha256:630147f5e4964acc91557e8c049c3e8460777954a1956cc8c27c5563311e497c
```

How do I compare the above two digests to the SHA256 checksums that I see on https://docker.debian.net/? The `SHA256 (rootfs.tar.xz)` for amd64 reported on that site is `23f6b075419a6380920282137cf07359ba5f2725f16cd8c803c454b07127d126`.

Also, I'd like to do the same for the slim amd64 release. Locally, I get the following two digests for `bookworm-20211220-slim`:

```
docker.io/library/debian@sha256:302ff7cde82ce20eb79ee3d8685a9e3e3a683cae5f86851e821153223cca7def
docker.io/library/debian@sha256:e4699bbf9229fd14a848864ec4eb400582f7bf8127a874df6b43e019230b6a3a
```

P.S. Just to mention that I can find the above output digests on https://hub.docker.com/_/debian?tab=tags&name=bookworm-20211220 but I wanted to verify them also against https://...debian.net in order to be doubly sure. I hope that makes sense.
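To make the relationship between these identifiers concrete, here is an added Python example (not from the debuerreotype project or this thread) that builds a tiny constructed rootfs tar and derives each value the way the Docker/OCI image format defines it: the layer diff_id hashes the uncompressed tar, the registry layer digest hashes the compressed blob, the image ID hashes the config JSON, the `debian@sha256:...` repo digest hashes the manifest JSON, and the docker.debian.net figure hashes rootfs.tar.xz. The file names, JSON fields and compressor settings are assumptions chosen for the demonstration; the point is that each value covers a different artifact, so only rebuilding the tarball as above gives something directly comparable.

```python
import gzip
import hashlib
import io
import json
import lzma
import tarfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_rootfs_tar(files: dict) -> bytes:
    """Deterministic uncompressed tar of a constructed rootfs (stand-in for rootfs.tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(content), 0, 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def image_digests(rootfs_tar: bytes) -> dict:
    """Derive each identifier the way the image format defines it."""
    # diff_id: sha256 of the *uncompressed* layer tar; listed in the config
    diff_id = "sha256:" + sha256_hex(rootfs_tar)
    # layer blob digest: sha256 of the *compressed* layer as stored in the
    # registry; re-compressing the same tar with another tool changes it
    blob = gzip.compress(rootfs_tar, mtime=0)
    layer_digest = "sha256:" + sha256_hex(blob)
    # image ID (the `0b63fd03430d...` value): sha256 of the config JSON
    config = json.dumps({"architecture": "amd64", "os": "linux",
                         "rootfs": {"type": "layers", "diff_ids": [diff_id]}},
                        separators=(",", ":"), sort_keys=True).encode()
    image_id = "sha256:" + sha256_hex(config)
    # repo digest (the `debian@sha256:...` values): sha256 of the manifest
    # JSON, which only references the config and layer blobs by digest
    manifest = json.dumps({"schemaVersion": 2,
                           "config": {"digest": image_id, "size": len(config)},
                           "layers": [{"digest": layer_digest, "size": len(blob)}]},
                          separators=(",", ":"), sort_keys=True).encode()
    repo_digest = "sha256:" + sha256_hex(manifest)
    # docker.debian.net publishes sha256 of rootfs.tar.xz, i.e. of an xz stream
    rootfs_tar_xz = sha256_hex(lzma.compress(rootfs_tar))
    return {"diff_id": diff_id, "layer_digest": layer_digest, "image_id": image_id,
            "repo_digest": repo_digest, "rootfs_tar_xz_sha256": rootfs_tar_xz}

# constructed two-file rootfs; real images hash differently but the relations hold
ROOTFS = build_rootfs_tar({"etc/hostname": b"debuerreotype\n",
                           "etc/os-release": b"ID=debian\n"})
```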