
How can I verify the authenticity of an image pulled from docker hub? #147

Closed
logicReasoner opened this issue Jan 3, 2022 · 2 comments
logicReasoner commented Jan 3, 2022

For example, I pull `--arch amd64 --tls-verify=true debian:bookworm-20211220`:

```console
Copying blob 9aa4f47c6909 done
Copying config 0b63fd0343 done
Storing signatures
0b63fd03430d8e3ba5bbe108ef16ea978c934a378c865a83af2a040eae9cf174
```

Then for that image 0b63fd03430d locally, I get the following two digests:
docker.io/library/debian@sha256:3baade3697056cfb82c7e9592d8e1b40eacfebc90e1fe36d39892745822c0f10
docker.io/library/debian@sha256:630147f5e4964acc91557e8c049c3e8460777954a1956cc8c27c5563311e497c
How do I compare the above two digests to the SHA256 checksums that I see on https://docker.debian.net/?
The SHA256 (rootfs.tar.xz) for amd64 reported on that site is 23f6b075419a6380920282137cf07359ba5f2725f16cd8c803c454b07127d126

Also, I'd like to do the same for the slim amd64 release. Locally, I get the following two digests for bookworm-20211220-slim:
docker.io/library/debian@sha256:302ff7cde82ce20eb79ee3d8685a9e3e3a683cae5f86851e821153223cca7def
docker.io/library/debian@sha256:e4699bbf9229fd14a848864ec4eb400582f7bf8127a874df6b43e019230b6a3a

P.S. Just to mention that I can find the above output digests on https://hub.docker.com/_/debian?tab=tags&name=bookworm-20211220 but I wanted to verify them also against https://...debian.net in order to be doubly sure. I hope that makes sense.

tianon commented Jan 3, 2022

Unfortunately, this isn't as trivial to verify as I'd like it to be -- due to various technical details, the bits that get pushed to Docker Hub have a very slightly different checksum than the generated bits (in part due to compression differences, but also some minor extraction/ordering differences).

Here's what I'd recommend for reproducing the checksums from https://docker.debian.net from an image pulled from Docker Hub:

```console
$ # these instructions assume you've got https://github.com/debuerreotype/debuerreotype checked out and you're in the directory
$ docker pull debian:bookworm-20211220
$ docker create --name temp debian:bookworm-20211220
$ dir="$(mktemp -d)"
$ trap 'sudo rm -rf "$dir"' EXIT
$ docker export --output "$dir/rootfs.tar" temp
$ docker rm temp
$ # now we need to extract the tarball so we have an expanded rootfs -- I'm going to use "sudo" to preserve permissions, but "fakeroot" or similar could also be used
$ sudo mkdir -p "$dir/rootfs"
$ sudo tar --extract --directory "$dir/rootfs" --file "$dir/rootfs.tar"
$ # fix a few Docker-modified files; https://github.com/debuerreotype/debuerreotype/blob/32f390b0eff8eeb01fdec135ddc6eab06850c826/scripts/debuerreotype-init#L181 + https://github.com/debuerreotype/debuerreotype/blob/32f390b0eff8eeb01fdec135ddc6eab06850c826/scripts/debuerreotype-init#L186-L190
$ echo debuerreotype | sudo tee "$dir/rootfs/etc/hostname"
$ echo -e '# https://1.1.1.1 (privacy-focused, highly-available DNS service)\nnameserver 1.1.1.1\nnameserver 1.0.0.1' | sudo tee "$dir/rootfs/etc/resolv.conf"
$ sudo chmod 0644 "$dir/rootfs/etc/hostname" "$dir/rootfs/etc/resolv.conf"
$ # recreate appropriate epoch file for debuerreotype
$ stat --format '%Y' "$dir/rootfs/etc/apt/sources.list" | sudo tee "$dir/rootfs/debuerreotype-epoch"
$ sudo ./scripts/debuerreotype-tar --exclude='./.docker*' --exclude='./etc/hosts' --exclude='./etc/mtab' "$dir/rootfs" "$dir/rootfs.tar.xz"
$ sha256sum "$dir/rootfs.tar.xz"
```

logicReasoner (Author) commented

@tianon Thank you for the step-by-step commands list. It has helped me confirm the SHA256 checksum (23f6b0754...) of the non-slim image.
I've also run `./scripts/debuerreotype-slimify "$dir/rootfs"`, then I archived it the same way as above and got the following SHA256 for the slim rootfs.tar.xz: f63d450e3bc776315d55e530920951314cf44782c89226ea13b66109ab6da4f4

P.S. The above commands work also with podman for those of us who use it instead of docker.
P.S.2 For future reference, the following two excludes used with the debuerreotype-tar command seem to be unnecessary: `--exclude='./.docker*' --exclude='./etc/mtab'` in this particular case.
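As an added example (not code from this thread, from debuerreotype, or from Docker Hub): the reproduction steps from tianon's comment and the slimify step from the follow-up, wrapped into a script whose last step is an explicit pass/fail comparison against the checksum published on https://docker.debian.net instead of eyeballing two hashes. It generalizes slightly: a `slim` argument runs `debuerreotype-slimify` before archiving, and `CONTAINER_CLI=podman` switches the runtime. Assumptions not stated on the page: docker or podman is on PATH, sudo and GNU `stat` are available, `DEBUERREOTYPE_DIR` points at a checkout of https://github.com/debuerreotype/debuerreotype (default: the current directory), and the script name `verify-debian-rootfs.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the issue or from debuerreotype: wraps the
# reproduction steps from this thread into functions so that the final
# comparison is an explicit pass/fail check, and adds the "slim" variant
# and a podman switch.
#
# Assumptions (not stated on the page): docker or podman is on PATH
# (CONTAINER_CLI=podman selects podman), sudo and GNU stat are available,
# and DEBUERREOTYPE_DIR points at a checkout of
# https://github.com/debuerreotype/debuerreotype (default: current dir).
set -eu

# Hex SHA-256 of a file, using sha256sum (GNU) or shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's SHA-256 with an expected value. Accepts the value bare or
# with a "sha256:" prefix, in either case, so a digest copied from
# docker.debian.net or from `docker images --digests` both work.
# Returns 0 on match, 1 on mismatch, 2 if the expected value is malformed.
verify_sha256() {
    file="$1"
    expected="${2#sha256:}"
    expected="$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')"
    case "$expected" in
        *[!0-9a-f]*|'') echo "malformed expected digest: $2" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest is not 64 hex chars: $2" >&2
        return 2
    fi
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Rebuild docker.debian.net's rootfs.tar.xz from a pulled image, following
# the steps in tianon's comment, and print the path of the result.
# Args: image tag, scratch directory, optional "slim" (runs
# debuerreotype-slimify before archiving, as in the follow-up comment).
reproduce_rootfs() {
    image="$1" workdir="$2" variant="${3:-}"
    cli="${CONTAINER_CLI:-docker}"
    scripts="${DEBUERREOTYPE_DIR:-.}/scripts"
    rootfs="$workdir/rootfs"
    name="debuerreotype-verify-$$"

    "$cli" pull "$image" >/dev/null
    "$cli" create --name "$name" "$image" >/dev/null
    "$cli" export --output "$workdir/rootfs.tar" "$name"
    "$cli" rm "$name" >/dev/null

    # Extract as root so ownership and modes survive (fakeroot would also do).
    sudo mkdir -p "$rootfs"
    sudo tar --extract --directory "$rootfs" --file "$workdir/rootfs.tar"

    # Undo the files the container runtime rewrites (see debuerreotype-init).
    echo debuerreotype | sudo tee "$rootfs/etc/hostname" >/dev/null
    printf '%s\n' '# https://1.1.1.1 (privacy-focused, highly-available DNS service)' \
        'nameserver 1.1.1.1' 'nameserver 1.0.0.1' | sudo tee "$rootfs/etc/resolv.conf" >/dev/null
    sudo chmod 0644 "$rootfs/etc/hostname" "$rootfs/etc/resolv.conf"

    # debuerreotype-tar needs the build epoch; sources.list still carries its mtime.
    stat --format '%Y' "$rootfs/etc/apt/sources.list" | sudo tee "$rootfs/debuerreotype-epoch" >/dev/null

    if [ "$variant" = slim ]; then
        sudo "$scripts/debuerreotype-slimify" "$rootfs"
    fi
    sudo "$scripts/debuerreotype-tar" --exclude='./.docker*' --exclude='./etc/hosts' \
        --exclude='./etc/mtab' "$rootfs" "$workdir/rootfs.tar.xz"
    echo "$workdir/rootfs.tar.xz"
}

# Usage: sh verify-debian-rootfs.sh IMAGE EXPECTED_SHA256 [slim]
# (script name is hypothetical). Does nothing when run without arguments.
if [ "$#" -ge 2 ]; then
    dir="$(mktemp -d)"
    trap 'sudo rm -rf "$dir"' EXIT
    tarball="$(reproduce_rootfs "$1" "$dir" "${3:-}")"
    verify_sha256 "$tarball" "$2"
fi
```

With the values quoted in this thread, `sh verify-debian-rootfs.sh debian:bookworm-20211220 23f6b075419a6380920282137cf07359ba5f2725f16cd8c803c454b07127d126` checks the full image and `sh verify-debian-rootfs.sh debian:bookworm-20211220-slim f63d450e3bc776315d55e530920951314cf44782c89226ea13b66109ab6da4f4 slim` checks the slim one; the exit status (0 match, 1 mismatch, 2 malformed input) makes the check usable from CI. Note that the two `docker.io/library/debian@sha256:...` digests from the question are over registry manifests, not over the rootfs tarball, which is why they can only be compared with Docker Hub and this rebuild is needed to compare with docker.debian.net.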
