Verifying image integrity

rocketromano · March 22, 2020, 11:25am

Hello community,

I’m currently trying to find out if and how docker is verifying image integrity (especially while pulling).

An answer to this older SO question says docker is verifying each layer using Checksums. But i cannot reproduce the output of “Verifying Checksum”. I found some discussion on the net regarding this topic but no clear answer. The official docker documentation doesn’t have any information either.

This article suggests that using the digest of an image is verifying the layers. But this is not clearly confirmed by the official docker documentation.

The official docker documentation on docker content trust says that using signed images is verifying the content and the publisher of an image if content trust is enabled. It furthermore says that pulling an image using it’s digest works even if it is not signed and content trust is enabled.

According to this: The integrity of an image is only verified if content trust is enabled.

Is this correct?

This raises some questions:

Is docker verifying images while pulling using tags if content trust is disabled?
Is docker verifying images while pulling using digests if content trust is disabled?

Greetings
Rocket Romano

Topic		Replies	Views
Verifying the digest of an image General docker	1	2684	May 5, 2016
Docker content trust - does not seem work as expected General	2	1285	June 7, 2016
Docker Content Trust - Checking Base images signed metadata General docker , build	0	672	April 6, 2018
Pulling signed images General	2	839	May 2, 2023
Docker Content trust General	5	1651	December 3, 2015

Verifying image integrity

Related topics