Signed Images from the Red Hat Container Catalog

As a follow-up to my introduction of simple signing, I’m excited to announce that Red Hat is now serving signatures for Red Hat Container Catalog Images!

In May, Red Hat announced the Container Health Index, providing an aggregate safety rating for container images in our public registry. As part of our commitment to delivering trusted content, we are now serving signed images. This means that customers can now configure a Red Hat Enterprise Linux host to cryptographically verify that images have come from Red Hat when they are pulled onto the system. This is a significant step in advancing the security of container hosts, providing assurance of provenance and integrity and enabling non-repudiation. Non-repudiation simply means that the signer cannot deny their signature—a key security principle for digital transactions.

Continue reading “Signed Images from the Red Hat Container Catalog”

Container Image Signing

Red Hat engineers have been working to more securely distribute container images. In this post we look at where we’ve come from, where we need to go, and how we hope to get there.

History

When the Docker image specification was introduced it did not have a cryptographic verification model. The most significant reason (for not having one) was the lack of a reliable checksum hash of image content. Two otherwise identical images could have different checksum values. Without a consistent tarsum mechanism, cryptographic verification would be very challenging. With Docker version 1.10, checksums are more consistent and could be used as a stable reference for

Continue reading “Container Image Signing”