
cosign support or other methods to verify integrity of container images

Open tob123 opened this issue 2 years ago • 1 comments

Is your feature request related to a problem? Please describe.

Hi,

The problem I have is that watchtower updates containers that have been built / released on-prem (on Harbor repositories), and during the image update process no signature check is done.

Describe the solution you'd like

I would like watchtower to support checking signatures created by cosign. Cosign supports all container repositories. See also: https://github.com/sigstore/cosign

Then, using Docker Compose based on your example for running multiple instances, that would help a lot to start verifying images:

version: '3'

services:
  app-signed:
    image: myapps/some-app
    labels:
      - "com.centurylinklabs.watchtower.scope=signed"
  app:
    image: myapps/some-app-2
    labels:
      - "com.centurylinklabs.watchtower.scope=myscope"

  watchtower-sign:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 30 --scope signed
    labels:
      - "com.centurylinklabs.watchtower.scope=signed"
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 30 --scope myscope
    labels:
      - "com.centurylinklabs.watchtower.scope=myscope"

source: https://containrrr.dev/watchtower/running-multiple-instances/

Describe alternatives you've considered

I am aware there is Docker Content Trust, but that appears to work only on Docker Hub (*).

(*) From what I see, content trust is enabled on Docker official images (for example postgres, mariadb), but many image publishers tend not to sign their images (including watchtower(?)), or there is no support for content trust(?) (Google Container Registry).

Additional context

No response

tob123 avatar Sep 24 '23 20:09 tob123
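The gate the request is asking for, as an added example that is not part of this issue and not watchtower's own code: a shell wrapper that refuses to pull an image unless `cosign verify` succeeds against a pinned public key, so an unsigned or tampered image is never updated into place. It assumes `cosign` and `docker` are on PATH; the `COSIGN` and `DOCKER` variables, the `gate_all` image list and the key path are constructed for illustration.

```shell
#!/bin/sh
# Signature-gated image update. Each image is pulled only after cosign has
# verified its signature against a pinned public key (the key a release
# pipeline signed with). Assumes cosign and docker are installed; the two
# variables below are hypothetical overrides so the tools can be swapped out.
set -eu

COSIGN="${COSIGN:-cosign}"
DOCKER="${DOCKER:-docker}"

# verify_image IMAGE KEYFILE
# Returns 0 when cosign finds a signature on IMAGE that validates with KEYFILE,
# non-zero otherwise (no signature, wrong key, or tampered payload).
verify_image() {
  image="$1"
  key="$2"
  "$COSIGN" verify --key "$key" "$image" >/dev/null 2>&1
}

# gated_pull IMAGE KEYFILE
# Prints "pulled <image>" and pulls only when verification succeeds;
# prints "refused <image>" and returns 1 otherwise, leaving the running
# container untouched.
gated_pull() {
  image="$1"
  key="$2"
  if verify_image "$image" "$key"; then
    "$DOCKER" pull "$image" >/dev/null
    echo "pulled $image"
    return 0
  fi
  echo "refused $image"
  return 1
}

# gate_all KEYFILE IMAGE...
# Applies the gate to every image given and prints a summary line
# "ok=<n> refused=<m>"; exits non-zero if any image was refused so a
# cron job or CI step can alert on it.
gate_all() {
  key="$1"
  shift
  ok=0
  refused=0
  for image in "$@"; do
    if gated_pull "$image" "$key" >/dev/null; then
      ok=$((ok + 1))
    else
      refused=$((refused + 1))
    fi
  done
  echo "ok=$ok refused=$refused"
  [ "$refused" -eq 0 ]
}

# Example invocation (constructed image names and key path):
# gate_all /etc/watchtower/release.pub myapps/some-app myapps/some-app-2
```

Verifying by tag and then pulling the same tag leaves a window in which the registry could serve a different manifest; in practice, pin the digest cosign reports in its verified payload and pull `image@sha256:...` instead.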

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏

github-actions[bot] avatar Sep 24 '23 20:09 github-actions[bot]