Verifying docker image provenance of Centos 7

Posted: 2020/07/14 08:56:07
by williamhargrove
I have a question on how to go about verifying the provenance of the centos:7 image available on Docker Hub (https://hub.docker.com/layers/centos/li ... xt=explore). As this is a Docker topic, I have also cross-posted a version of this question to the Docker forum, but have posted here to reach a different audience.

I would like to know how I can go about proving a chain of trust from the centos.org project through to what is published into Docker Hub and to what appears in the SHA above, akin to how you can follow a certificate chain within TLS. I appreciate that CentOS images are marked up as ‘Docker Official Images’, but that doesn’t give me a line of provenance to follow to verify where the contents of the image have actually come from.

For instance, from https://github.com/CentOS/sig-cloud-ins ... Dockerfile there is a line which adds 'centos-7-x86_64-docker.tar.xz' - where does that archive come from and how is it created?

I have looked into Docker Content Trust (DCT), but I’ve not been able to match the SHAs up between the various steps, and I am not sure this is even an approach that would lead me to the answer to my question.

I’d be interested to hear what approaches people would use to answer this question.

Thanks.
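One part of the question, matching the SHAs up between the steps, comes down to how a registry image is content-addressed: the digest Docker Hub shows is the sha256 of the manifest bytes, the manifest lists the sha256 of each compressed layer blob, and the image config lists the sha256 of each uncompressed layer tar (the "diff_ids"). The archive added by the Dockerfile ends up as that layer tar. The script below is an added example, not code from the post, from CentOS or from Docker: it builds a tiny constructed layer in memory as a stand-in for an archive such as 'centos-7-x86_64-docker.tar.xz', assembles a manifest and config the way a registry stores them, and then walks the chain top-down from an image digest to the layer contents, rejecting a swapped layer. It needs no network access and no Docker daemon.

```python
"""
Recompute the content-addressable chain of a Docker v2 / OCI image by hand.

Added example; not from the original post. The layer below is constructed
in memory as a stand-in for a real root filesystem archive.
"""
import gzip
import hashlib
import io
import json
import tarfile


def sha256_hex(data: bytes) -> str:
    """Digest in the 'sha256:<hex>' form used by registries."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_layer(files: dict) -> bytes:
    """Build an uncompressed tar layer from {path: content}; fixed mtime keeps it deterministic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_image(layer_tar: bytes):
    """Return (manifest_bytes, config_bytes, blob) as a registry would store them."""
    blob = gzip.compress(layer_tar, mtime=0)          # what the registry serves as the layer
    config = {
        "architecture": "amd64",
        "os": "linux",
        # diff_ids are digests of the *uncompressed* layer tars
        "rootfs": {"type": "layers", "diff_ids": [sha256_hex(layer_tar)]},
    }
    config_bytes = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {
            "mediaType": "application/vnd.docker.container.image.v1+json",
            "size": len(config_bytes),
            "digest": sha256_hex(config_bytes),
        },
        # layer digests are over the *compressed* blobs
        "layers": [{
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": len(blob),
            "digest": sha256_hex(blob),
        }],
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return manifest_bytes, config_bytes, blob


def verify_chain(expected_image_digest: str, manifest_bytes: bytes,
                 config_bytes: bytes, blobs: list) -> bool:
    """Walk image digest -> manifest -> config and layer blobs -> diff_ids; any mismatch fails."""
    if sha256_hex(manifest_bytes) != expected_image_digest:
        return False
    manifest = json.loads(manifest_bytes)
    if sha256_hex(config_bytes) != manifest["config"]["digest"]:
        return False
    diff_ids = json.loads(config_bytes)["rootfs"]["diff_ids"]
    layers = manifest["layers"]
    if len(diff_ids) != len(layers) or len(blobs) != len(layers):
        return False
    for layer, blob, diff_id in zip(layers, blobs, diff_ids):
        if len(blob) != layer["size"] or sha256_hex(blob) != layer["digest"]:
            return False
        if sha256_hex(gzip.decompress(blob)) != diff_id:
            return False
    return True


def demo():
    """Build a sample image, verify it, then try to pass off a different layer blob."""
    layer = build_layer({"etc/centos-release": b"CentOS Linux release 7 (constructed sample)\n"})
    manifest_bytes, config_bytes, blob = build_image(layer)
    image_digest = sha256_hex(manifest_bytes)      # the value a registry shows as the image digest
    ok = verify_chain(image_digest, manifest_bytes, config_bytes, [blob])
    other = gzip.compress(build_layer({"etc/centos-release": b"changed\n"}), mtime=0)
    swapped = verify_chain(image_digest, manifest_bytes, config_bytes, [other])
    return image_digest, ok, swapped


if __name__ == "__main__":
    digest, ok, swapped = demo()
    print("image digest:", digest)
    print("chain verifies:", ok, "| swapped layer verifies:", swapped)
```

The same walk applies to a real image once the manifest, config and blobs have been fetched from the registry; the only thing this chain does not establish is who produced the manifest in the first place, which is the part Docker Content Trust (a signature over the manifest digest) and the upstream build process are meant to cover.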