
[requirement] Add DCT signature for images under eclipse-temurin of docker hub #73

Closed
surite opened this issue Sep 24, 2021 · 4 comments
Labels
enhancement New feature or request wontfix This will not be worked on

Comments

@surite

surite commented Sep 24, 2021

Hi team, I moved from adoptopenjdk to eclipse-temurin. I do not see a Docker Content Trust signature for images under eclipse-temurin on Docker Hub, but one existed for adoptopenjdk. Do you plan to add it?

@karianna karianna added the enhancement New feature or request label Sep 24, 2021
@karianna
Contributor

@gdams Do you know what that is? :-)

@gdams
Member

gdams commented Sep 24, 2021

These images are built by the official Docker Hub project. @tianon is there something that we need to do on our side here?

@tianon

tianon commented Sep 24, 2021

Unfortunately, it's completely outside all our collective control -- see docker-library/official-images#1516, docker-library/official-images#5874, docker-library/official-images#6838, nodejs/docker-node#1065, docker-library/postgres#822, redis/docker-library-redis#266, etc etc etc.

Honestly, it wouldn't surprise me if even the adoptopenjdk image signatures are outdated, which has a really disastrous failure mode: you just silently get outdated images without any kind of warning or error that something is wrong.

That being said, I'm getting "No valid trust data for X" no matter which adoptopenjdk tag I try to pull, so I can't even show a good example from there. 😅

Here's a demonstration with hello-world:latest instead, which was updated very recently:

$ docker pull --disable-content-trust=false hello-world:latest
Pull (1 of 1): hello-world:latest@sha256:e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323
docker.io/library/hello-world@sha256:e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323: Pulling from library/hello-world
0e03bdcc26d7: Pull complete 
Digest: sha256:e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323
Status: Downloaded newer image for hello-world@sha256:e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323
Tagging hello-world@sha256:e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323 as hello-world:latest
docker.io/library/hello-world:latest

$ docker images hello-world:latest
REPOSITORY    TAG       IMAGE ID       CREATED         SIZE
hello-world   latest    bf756fb1ae65   21 months ago   13.3kB

$ docker pull --disable-content-trust=true hello-world:latest
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:393b81f0ea5a98a7335d7ad44be96fe76ca8eb2eaa76950eb8c989ebf2b78ec0
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest

$ docker images hello-world:latest
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
hello-world   latest    feb5d9fea6a5   23 hours ago   13.3kB

So frankly, it's hard for me to recommend relying on Docker Content Trust for anything important.
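To catch the silent failure mode shown in the pull session above (DCT resolves a tag to an old but still-signed digest while the registry's current tag points elsewhere, and nothing warns), a defender can compare the digest DCT has signed for a tag against the digest an untrusted pull resolves. The following is an added example, not code from this thread or from the Temurin or official-images projects; it assumes the JSON shape of `docker trust inspect` (a `SignedTags` list with `SignedTag` and `Digest` fields) and uses the two hello-world digests from the comment above as constructed input.

```python
"""Flag stale Docker Content Trust data: signed digest != digest served for the tag."""
import json
import re
from typing import Optional

# Constructed sample in the assumed shape of `docker trust inspect hello-world:latest`.
TRUST_INSPECT_JSON = json.dumps([{
    "Name": "hello-world:latest",
    "SignedTags": [{
        "SignedTag": "latest",
        "Digest": "e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323",
        "Signers": ["Repo Admin"],
    }],
    "Signers": [],
    "AdministrativeKeys": [],
}])

# Constructed excerpt of `docker pull --disable-content-trust=true` output.
UNTRUSTED_PULL_OUTPUT = """latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:393b81f0ea5a98a7335d7ad44be96fe76ca8eb2eaa76950eb8c989ebf2b78ec0
Status: Downloaded newer image for hello-world:latest
"""

DIGEST_RE = re.compile(r"^Digest:\s+sha256:([0-9a-f]{64})\s*$", re.MULTILINE)


def signed_digest(trust_json: str, tag: str) -> Optional[str]:
    """Return the hex digest DCT has signed for `tag`, or None if there is no trust data."""
    for repo in json.loads(trust_json):
        for entry in repo.get("SignedTags", []):
            if entry.get("SignedTag") == tag:
                # Tolerate both bare hex and "sha256:" prefixed forms.
                return entry["Digest"].removeprefix("sha256:")
    return None


def pulled_digest(pull_output: str) -> Optional[str]:
    """Extract the hex content digest from `docker pull` output."""
    m = DIGEST_RE.search(pull_output)
    return m.group(1) if m else None


def compare_trust(trust_json: str, tag: str, pull_output: str) -> str:
    """'no-trust-data', 'fresh' (signed == served), or 'stale' (signed digest is outdated)."""
    signed = signed_digest(trust_json, tag)
    current = pulled_digest(pull_output)
    if signed is None:
        return "no-trust-data"
    if current is None:
        raise ValueError("no 'Digest: sha256:...' line found in pull output")
    return "fresh" if signed == current else "stale"
```

Run the real commands and feed their output to these functions; a result of `stale` means a DCT-enabled pull would hand you the older image with no error.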

@karianna karianna added the wontfix This will not be worked on label Sep 27, 2021
@ecki

ecki commented Jun 4, 2022

If not with Docker's Notary, maybe a different signature method or a dedicated Notary instance? Those base images are important for the supply chain integrity. Also: document how the base layers are verified when building them.
