Signed images

[shykes]

Docker should support signing images after building them. This allows for a "chain of trust" where the content and origin of an image can be verified cryptographically regardless of how the image was distributed.

[patcito]

👍

[shykes]

A few notes and a micro-spec:

• Docker images carry with them an optional signature. The signature is embedded in the image format, not in the registry download protocol.
• Docker can be provided a private key to use when building
• Docker can be provided multiple public keys to trust
• Docker can be configured to either issue a warning when downloading or running untrusted images, or flat-out refuse to run them.

My current idea is to use regular GPG keys, and upgrade the image format to carry a GPG signature of its content. I see 2 options to upgrade the format:

1. An incremental upgrade to the current layer format. We add a signature file at a standard path in the layer. This doesn't break reverse compatibility: old implementation see an extra regular file; new implementation interpret it as a signature.

2. A switch to an existing format which already supports signature. The most obvious candidate here is git packfiles, which support GPG signature. Using git is already being considered for other reasons, so we could peg image signature to that format upgrade. The downside is introducing fragmentation with 2 different image formats - existing docker installations could no longer use images in the new format (and as of the current version, would not be able to gracefully inform the user of the situation).

[shykes]

A few more notes: the GPG signature offered by git is insufficient, because it relies on SHA1 which is cryptographically insufficient. The git authors have emphasized several times that git hashes should not be relied on for strong cryptography.

So whatever we use, it should probably be based on SHA256.

Since we cannot piggyback on git's signature facility (unless it supports a SHA256 extension, which doesn't seem to be the case), we are free to choose our favorite signature mechanism: namely 1) pgp or 2) x509 certs.

[jamtur01]

Can't we just use GPG standalone? Why would we use PGP? Or is that a typo? Also let's steer clear of x509 certificates. They can generate a lot of confusion for people, c.f. Puppet.

[aidenbell]

+1 for this. GPG would seem like the way to go, something like how yum in fedora handles it (asking if you want to import the key etc). Seems sketchy to not have a signing mechanism when you're essentially trusting something to be your OS/userland layer.

[jdef]

+1 for GPG signing

[wking]

On Mon, Jan 06, 2014 at 11:36:20AM -0800, James Turnbull wrote:

Can't we just use GPG standalone?

This makes the most sense to me. Signing an image, and then stuffing
the signature into the image itself sounds like a headache. Having
hashed data (for the signature) and unhashed data (the signature
itself) in the same space (like RFC 4880's signature packets 1) is
annoying. Also:

Earlier, Solomon Hykes:

1. An incremental upgrade to the current layer format. We add a
   signature file at a standard path in the layer. This doesn't break
   reverse compatibility: old implementation see an extra regular file;
   new implementation interpret it as a signature.

This is going to make it hard to have several signatures on the same
image (e.g., my old key expired and I want to resign that important
image). How about distributing detached signatures on request with
each image? Then you can shell out to GPG (or use GPGME) for signing
and verification without mucking about with the image format. You'll
have to extend the registry API to distribute the sigs, but that
sounds saner than extending the image. How about:

GET /v1/images/(image_id)/signatures
Returns:
[(signature-hash-1), (signature-hash-2), …]
PUT /v1/images/(image_id)/signature
GET /v1/images/(image_id)/signature/(signature-hash)
DELETE /v1/images/(image_id)/signature/(signature-hash)

The signature hashing is just collision-avoidance, so you don't need
crypographic security. Use whichever hash you like. Signing and
verification happens in GPG (or other OpenPGP implementation), so the
signer and verifier can work out the cryptographic parts of the
exchange between themselves. The registry just acts as a go-between.

[ewindisch]

Earlier, Solomon Hykes:

1. An incremental upgrade to the current layer format. We add a
   signature file at a standard path in the layer. This doesn't break
   reverse compatibility: old implementation see an extra regular file;
   new implementation interpret it as a signature.

This is going to make it hard to have several signatures on the same
image (e.g., my old key expired and I want to resign that important
image).

While it is possible to use "detached" signature packets, an OpenPGP
message may technically be constructed having multiple signature packets.
Although to be honest, I'm not sure how well implementations deal with it
as section 11.3 of RFC4880 provides an example of a Signed Message which
includes only a single signature packet. Still, there is nothing that
prevents an implementation from supporting the inclusion and verification
of multiple signatures.

Note in such a scenario, the signed data itself must be included in the
OpenPGP message. That might be acceptable if we signed hashes, for instance.

Regards,
Eric Windisch

[wking]

On Tue, Jan 28, 2014 at 10:45:16AM -0800, Eric Windisch wrote:

Note in such a scenario, the signed data itself must be included in
the OpenPGP message. That might be acceptable if we signed hashes,
for instance.

So you can have a single OpenPGP message with several signature
packets if you get everyone to agree on which hash to use? I don't
see why you'd want to make that decision in Docker itself, when you
could offload it to the clients and their local OpenPGP implementation
/ configuration. Even if you can reach a consensus today, offloading
hash selection future-proofs your API as the “safe hash” goalposts
shift in the future.

[ewindisch]

On Tue, Jan 28, 2014 at 2:03 PM, W. Trevor King notifications@github.comwrote:

On Tue, Jan 28, 2014 at 10:45:16AM -0800, Eric Windisch wrote:

Note in such a scenario, the signed data itself must be included in
the OpenPGP message. That might be acceptable if we signed hashes,
for instance.

So you can have a single OpenPGP message with several signature
packets if you get everyone to agree on which hash to use?

Not necessarily. I was just saying it isn't so black and white. Everyone
could agree on the hash algorithm for that individual image (and if they
don't agree, they don't sign), or have several hashes per image. However,
I'd like to avoid complexity and this path might be too far away from that
goal. I agree detached signatures are preferable.

I'm thinking not just of signatures for verifying downloads/uploads to the
registry, but of local images and those that have been exported.

What I'd like to avoid is making the transport of and glue around verifying
those signatures overly complex. Back to Solomon's "#1" suggestion, I agree
that you can't sign the image and stuff data back into it. That simply
doesn't work. You can wrap everything (ala a ful OpenPGP message) or you
can ship the data along side it.

Technically, you could sign a tar and then extend it with the signature at
the end, then infer the originally signed tar by truncating the file... but
again, we're getting into complexity. That WOULD satisfy the backwards
compatibility requirement, but would make verification and signing a bit
messy.

Even if you can reach a consensus today, offloading

hash selection future-proofs your API as the "safe hash" goalposts
shift in the future.

As long as OpenPGP supports those goalposts ;-)

Regards,
Eric Windisch

[wking]

On Tue, Jan 28, 2014 at 01:41:59PM -0800, Eric Windisch wrote:

I'm thinking not just of signatures for verifying downloads/uploads
to the registry, but of local images and those that have been
exported.

You store local signatures (downloaded and locally-created) in
/var/lib/docker/signatures/(signature-hash) and keep an image-side
index (which signatures go with this image) in JSON in an image's
directory (/var/lib/docker/graph/(image-hash)/signatures?).

What I'd like to avoid is making the transport of and glue around
verifying those signatures overly complex.

I think the API I floated above for communicating with the registry is
fairly simple, as is local storage. Are there other kinds of
transport besides local ↔ registry?

[ewindisch]

On Tue, Jan 28, 2014 at 4:56 PM, W. Trevor King notifications@github.comwrote:

On Tue, Jan 28, 2014 at 01:41:59PM -0800, Eric Windisch wrote:

I'm thinking not just of signatures for verifying downloads/uploads
to the registry, but of local images and those that have been
exported.

You store local signatures (downloaded and locally-created) in
/var/lib/docker/signatures/(signature-hash) and keep an image-side
index (which signatures go with this image) in JSON in an image's
directory (/var/lib/docker/graph/(image-hash)/signatures?).

Will there be so many signatures per image that we couldn't just have a
single JSON or other file that contained the image's signatures directly?

The index/signature-file split seems excessive. The only advantage I see is
that the gpg command-line tool could access the files directly, something
of limited use since the signature hashes couldn't be easily mapped to the
images by end-users.

What I'd like to avoid is making the transport of and glue around
verifying those signatures overly complex.

I think the API I floated above for communicating with the registry is
fairly simple, as is local storage. Are there other kinds of
transport besides local ↔ registry?

Image "save" will create a file export for a repository which could be
transported by SSH, USB stick, whatever; then imported.

Regards,
Eric Windisch

[wking]

On Tue, Jan 28, 2014 at 02:11:56PM -0800, Eric Windisch wrote:

The index/signature-file split seems excessive. The only advantage I
see is that the gpg command-line tool could access the files
directly, something of limited use since the signature hashes
couldn't be easily mapped to the images by end-users.

Good point. Packing into JSON sounds better.

Image "save" will create a file export for a repository which could
be transported by SSH, USB stick, whatever; then imported.

So attach the JSON signature file to a known location in the saved
file, and then pull it back out during load's unpacking. Maybe that's
what @shykes was suggesting originally, and I just got confused
between layers and saved bundles?

[skull-squadron]

GPG cryptographic signatures >= SHA256 hashes

GPG WoT done right (similar to how Linux devs work) really requires in-person signing / exchanging of keys. Since that's too much trouble for most people, curating a "ca bundle" of trusted keys or key ids is the next best thing. Also, probably will want a separate --homedir so it doesn't muck with the user's keychain. Underlying detached signatures are the way to go. To do that, a meta container (say a .dock - a plain tar containing metadata.json container.txz container.txz.asc etc.) would help at the expense of breakage and benefit of "future proof" extensibility. This is similar to how both .debs and .rpms are organized. I've BTDTBTTS (see 👕) on this with another commercial project in the evil empire and this worked well.

@ewindisch @wking Also don't get too fancy trying to over-engineer by over-optimizing it such that regular nix tools can't operate on it. The format should be very accessible so third-party devs / companies can build compatible packages easily. Otherwise, such a development decision may quickly alienate ops people that have far more experience than you or I do managing many more systems in production and that might have an idea what scales and what won't. Accessible = more commercial adoption of Docker in enterprise environments that have money to keep Docker, pun intended, afloat.

* Yes, there are a few sysadmins with more than 40 years of experience that have administered vast swats of boxes with crunchy business gunk that see the benefit of supporting 12factors-like architectures.

In fact, a bold move would be to eventually make it into an RFC... that's not only free PR but shows commitment to open standards. cc @shykes