I’m currently trying to find out if and how docker is verifying image integrity (especially while pulling).
An answer to this older SO question says docker is verifying each layer using checksums. But I cannot reproduce the output of “Verifying Checksum”. I found some discussion on the net regarding this topic but no clear answer. The official docker documentation doesn’t have any information either.
This article suggests that using the digest of an image is verifying the layers. But this is not clearly confirmed by the official docker documentation.
The official docker documentation on docker content trust says that using signed images is verifying the content and the publisher of an image if content trust is enabled. It furthermore says that pulling an image using its digest works even if it is not signed and content trust is enabled.
According to this: The integrity of an image is only verified if content trust is enabled.
Is this correct?
This raises some questions:
- Is docker verifying images while pulling using tags if content trust is disabled?
- Is docker verifying images while pulling using digests if content trust is disabled?
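The following is an added illustration, not part of the question above and not Docker's own code, of what the "pull by digest" mechanism the question refers to amounts to in principle: a content-addressable reference pins the manifest bytes, and the manifest in turn lists each layer blob by digest and size. The manifest layout, the `verify_pull` function and the sample layer bytes are all constructed for this example; the field names are modelled loosely on a Docker/OCI manifest and are not a specification.

```python
import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """Return the 'sha256:<hex>' form used for content-addressable references."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Constructed sample layers standing in for layer tarballs (not real image data).
LAYERS = {
    "layer-a": b"constructed layer A contents\n",
    "layer-b": b"constructed layer B contents\n",
}


def build_manifest(layers: dict) -> bytes:
    """Build a minimal manifest-like JSON document listing each blob by digest and size.

    Hypothetical structure for this example; it is loosely modelled on a
    Docker/OCI image manifest but the field set is illustrative only.
    """
    doc = {
        "schemaVersion": 2,
        "layers": [
            {"digest": sha256_digest(blob), "size": len(blob)}
            for blob in layers.values()
        ],
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def verify_pull(manifest_bytes: bytes, expected_manifest_digest: str, blobs: list) -> tuple:
    """Model of a pull keyed by digest (constructed for this example).

    The reference names the manifest digest, so the manifest is checked against
    that first; then every downloaded layer blob is checked against the digest
    and size the manifest lists for it. Returns (ok, reason).
    """
    if sha256_digest(manifest_bytes) != expected_manifest_digest:
        return False, "manifest digest mismatch"
    manifest = json.loads(manifest_bytes)
    if len(blobs) != len(manifest["layers"]):
        return False, "layer count mismatch"
    for entry, blob in zip(manifest["layers"], blobs):
        if len(blob) != entry["size"]:
            return False, "size mismatch for " + entry["digest"]
        if sha256_digest(blob) != entry["digest"]:
            return False, "layer digest mismatch for " + entry["digest"]
    return True, "ok"


def demo() -> dict:
    """Run the honest pull plus two tampering scenarios and return the outcomes."""
    manifest = build_manifest(LAYERS)
    ref = sha256_digest(manifest)  # what a user would pin as image@sha256:...

    good = verify_pull(manifest, ref, list(LAYERS.values()))

    # Swap one layer for a same-size blob: the manifest still matches the pinned
    # digest, so the tamper must be caught at the layer digest check.
    tampered_blobs = [LAYERS["layer-a"], b"constructed layer X contents\n"]
    bad_layer = verify_pull(manifest, ref, tampered_blobs)

    # Rewrite the manifest to match the swapped layer: now the manifest bytes no
    # longer hash to the digest the user asked for, so it fails at the first check.
    altered_manifest = build_manifest(
        {"layer-a": LAYERS["layer-a"], "layer-b": tampered_blobs[1]}
    )
    bad_manifest = verify_pull(altered_manifest, ref, tampered_blobs)

    return {"good": good, "bad_layer": bad_layer, "bad_manifest": bad_manifest}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two points the model makes concrete: a digest reference only proves that the bytes received hash to the digest the user supplied, and it says nothing about who produced them, which is what signing (content trust in the question) is meant to add; and a tag is a name that can be re-pointed, so in this model nothing ties a tag to any particular manifest bytes.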