Ping a Specific Port

Question

Michael Altfield

Asked: 2020-09-29 07:20:18 +0800 CST2020-09-29 07:20:18 +0800 CST 2020-09-29 07:20:18 +0800 CST

How to list all of the known root keys in docker (Docker Content Trust)

772

How can I list all of the Docker Content Trust root keys on my system?

I am setting up a CI process that will use the debian:stable-latest docker image to build my application's releases in ephemeral cloud instances. I want to make sure that every time my fresh build system does a docker pull debian:stable-latest, it doesn't just blindly TOFU the root public key used to sign debian's docker images--thus defeating the entire security model of DCT.

Before downloading a given docker image, how can I check to see if the system already has the image's root public key or not?

1 Answers

Voted

Michael Altfield · Answer 1 · 2020-09-29T07:22:11+08:00

To see what keys you already have on your system (happily/blindly/silently obtained with TOFU unless you put them there yourself), check $HOME/.docker/trust/tuf/docker.io/library

For example:

root@disp9131:~# export DOCKER_CONTENT_TRUST=1
root@disp9131:~#

root@disp9131:~# docker pull debian:stable-slim
Pull (1 of 1): debian:stable-slim@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d: Pulling from library/debian
696098ac4087: Pull complete 
Digest: sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Status: Downloaded newer image for debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d
Tagging debian@sha256:89ff9e144a438f6bdf89fba6a1fdcb614b6d03bc14433bbb937088ca7c7a7b6d as debian:stable-slim
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian
root@disp9131:~# 

root@disp9131:~# docker pull ubuntu:latest
Pull (1 of 1): ubuntu:latest@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537: Pulling from library/ubuntu
d72e567cc804: Pull complete 
0f3630e5ff08: Pull complete 
b6a83d81d1f4: Pull complete 
Digest: sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Status: Downloaded newer image for ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537
Tagging ubuntu@sha256:bc2f7250f69267c9c6b66d7b6a81a54d3878bb85f1ebb5f951c896d13e6ba537 as ubuntu:latest
root@disp9131:~# 

root@disp9131:~# ls $HOME/.docker/trust/tuf/docker.io/library
debian  ubuntu
root@disp9131:~#

WARNING! Note that docker content trust is disabled by default. Even after it's enabled, it will silently download and dumbly trust any root keys it obtains. Therefore, if you're using Docker on an ephemeral build system that launches fresh on every execution, then DCT is entirely security theater and will be vulnerable to MITM attacks on every run.

How to list all of the known root keys in docker (Docker Content Trust)

See Also

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?