Sign official images with sigstore/cosign
Tell us about your request
It would be helpful to support sigstore/cosign to verify official images from Docker. This could be done in addition to other signing solutions to give users the flexibility to use their own preferred signing solution.
Which service(s) is this request for?
Docker Official Images (DOI).
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Verify the authenticity of official images. This can only be done by Docker.
Are you currently working around the issue?
Using images other than DOI or using DOI images without verifying their authenticity.
Additional context
I'll open similar issues for other signing tools.
Linking issues #561 and #563.
Related with: https://github.com/docker/roadmap/issues/269 cc @dentrax
duplicates with: https://github.com/docker/roadmap/issues/269 cc @dentrax
@developer-guy I meant to link that one too. I wouldn't say a duplicate, but certainly related. #269 is asking to add signing capabilities to docker build. I'm asking for Docker Official Images to be signed, which could be done by calling cosign in their build pipeline.
I changed that with related, thanks, this is more accurate 👋
Heavy +1, as a maintainer of a library image.
Hey 👋 any updates here?
This is currently the 8th highest 👍 'ed issue on the roadmap (103), with https://github.com/docker/roadmap/issues/269 coming in at number 6 (115).
#561 has 6, #563 has 13. It seems the people want images signed with Sigstore.
Is there a reason Docker still isn't signing its official images, or enabling their users to more easily sign and verify images with Sigstore?
This should not be assigned to me. I no longer work at Docker. Some other PM will have to take ownership.
Considering the deprecation of DCT and Docker's own recommendation to use sigstore (cosign), this seems worth a polite reminder.
https://www.docker.com/blog/retiring-docker-content-trust/