
How can I list all of the Docker Content Trust root keys on my system?

I am setting up a CI process that will use the debian:stable-latest docker image to build my application's releases in ephemeral cloud instances. I want to make sure that every time my fresh build system does a docker pull debian:stable-latest, it doesn't just blindly TOFU the root public key used to sign debian's docker images--thus defeating the entire security model of DCT.

Before downloading a given docker image, how can I check to see if the system already has the image's root public key or not?

Michael Altfield
  • See also https://devops.stackexchange.com/questions/13987/how-to-pin-public-root-key-when-downloading-an-image-with-docker-pull-docker-co/13988 – Michael Altfield Aug 27 '21 at 19:22

1 Answer


To see what keys you already have on your system (happily/blindly/silently obtained with TOFU unless you put them there yourself), check $HOME/.docker/trust/tuf/docker.io/library.

For example:

root@disp9131:~# export DOCKER_CONTENT_TRUST=1
root@disp9131:~#

root@disp9131:~# docker pull debian:stable-slim
Pull (1 of 1): debian:stable-slim@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d: Pulling from library/debian
696098ac4087: Pull complete 
Digest: sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Status: Downloaded newer image for debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Tagging debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d as debian:stable-slim
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian
root@disp9131:~# 

root@disp9131:~# docker pull ubuntu:latest
Pull (1 of 1): ubuntu:latest@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537: Pulling from library/ubuntu
d72e567cc804: Pull complete 
0f3630e5ff08: Pull complete 
b6a83d81d1f4: Pull complete 
Digest: sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Status: Downloaded newer image for ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Tagging ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537 as ubuntu:latest
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian  ubuntu
root@disp9131:~# 

WARNING! Note that docker content trust is disabled by default. Even after it's enabled, it will silently download and dumbly trust any root keys it obtains. Therefore, if you're using Docker on an ephemeral build system that launches fresh on every execution, then DCT is entirely security theater and will be vulnerable to MITM attacks on every run.

See Also

  1. https://docs-stage.docker.com/engine/security/trust/content_trust/
  2. https://github.com/docker/cli/issues/2752
  3. https://stackoverflow.com/questions/48277065/docker-trust-initialization
  4. https://stackoverflow.com/questions/63960217/how-to-list-all-of-the-known-root-keys-in-docker-docker-content-trust/64103579#64103579
Michael Altfield
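The answer above shows how to list which repositories already have trust metadata cached. The following is an added example, not code from the question, the answer or the Docker project, of the pre-pull check the question asks for: it refuses to rely on TOFU by comparing the cached root role key IDs against IDs pinned in the CI configuration. It assumes the Notary/TUF on-disk layout of the Docker trust directory, namely <trust_dir>/tuf/<GUN>/metadata/root.json with the root role's key IDs at signed.roles.root.keyids; the key ID and the build_sample_trust_dir() helper are constructed for the demonstration.

```python
"""Pre-pull check for Docker Content Trust (DCT) root keys.

Added example, not part of the original Q&A. Assumed on-disk layout
(Notary/TUF client cache):
    <trust_dir>/tuf/<GUN>/metadata/root.json
with the root role's key IDs at signed.roles.root.keyids.
"""
import json
import os
import tempfile
from typing import List, Optional

# Default location used by the docker CLI; override in tests or CI.
DEFAULT_TRUST_DIR = os.path.expanduser("~/.docker/trust")


def root_metadata_path(trust_dir: str, gun: str) -> str:
    """Path of the cached TUF root metadata for a GUN such as docker.io/library/debian."""
    return os.path.join(trust_dir, "tuf", gun, "metadata", "root.json")


def list_known_repos(trust_dir: str, namespace: str = "docker.io/library") -> List[str]:
    """Equivalent of `ls $HOME/.docker/trust/tuf/docker.io/library` from the answer."""
    base = os.path.join(trust_dir, "tuf", namespace)
    if not os.path.isdir(base):
        return []
    return sorted(n for n in os.listdir(base) if os.path.isdir(os.path.join(base, n)))


def root_key_ids(trust_dir: str, gun: str) -> Optional[List[str]]:
    """Key IDs trusted for the root role, or None if no metadata is cached yet."""
    path = root_metadata_path(trust_dir, gun)
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        root = json.load(fh)
    return sorted(root["signed"]["roles"]["root"]["keyids"])


def check_pinned_root(trust_dir: str, gun: str, pinned_key_ids: List[str]) -> str:
    """Decide whether a pull may proceed without a TOFU step.

    Returns "missing"  -> no cached root metadata; a pull would TOFU the root key.
            "match"    -> cached root key IDs equal the pinned set; safe to pull.
            "mismatch" -> cached root differs from the pin; treat as a possible MITM.
    """
    known = root_key_ids(trust_dir, gun)
    if known is None:
        return "missing"
    return "match" if set(known) == set(pinned_key_ids) else "mismatch"


# Constructed sample key ID (64 hex chars like a real TUF key ID; not a real key).
SAMPLE_ROOT_KEY_ID = "c0ffee" * 10 + "c0ff"


def build_sample_trust_dir() -> str:
    """Create a temporary trust directory holding constructed root metadata for debian.

    The JSON mirrors the TUF root.json shape (signed.roles.<role>.keyids); the
    signatures list is left empty because this check only reads key IDs.
    """
    trust_dir = tempfile.mkdtemp(prefix="dct-example-")
    gun = "docker.io/library/debian"
    meta_dir = os.path.dirname(root_metadata_path(trust_dir, gun))
    os.makedirs(meta_dir)
    root_json = {
        "signed": {
            "_type": "Root",
            "keys": {SAMPLE_ROOT_KEY_ID: {"keytype": "ecdsa", "keyval": {"public": "..."}}},
            "roles": {"root": {"keyids": [SAMPLE_ROOT_KEY_ID], "threshold": 1}},
        },
        "signatures": [],
    }
    with open(root_metadata_path(trust_dir, gun), "w", encoding="utf-8") as fh:
        json.dump(root_json, fh)
    return trust_dir


if __name__ == "__main__":
    # Run against the constructed sample; point trust_dir at DEFAULT_TRUST_DIR for a real host.
    trust_dir = build_sample_trust_dir()
    print("cached repos:", list_known_repos(trust_dir))
    for image in ("docker.io/library/debian", "docker.io/library/ubuntu"):
        verdict = check_pinned_root(trust_dir, image, [SAMPLE_ROOT_KEY_ID])
        print(f"{image}: {verdict}")
```

In a CI job the intended flow is: ship the expected root key IDs (or the whole root.json obtained once over a trusted channel) with the pipeline definition, run check_pinned_root before docker pull, and fail the build on "missing" or "mismatch" so that a fresh instance never performs the silent TOFU the answer warns about.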