I have a question on how to go about verifying the provenance of an image, using centos:7 as an example (https://hub.docker.com/layers/centos/library/centos/7/images/sha256-c2f1d5a9c0a81350fa0ad7e1eee99e379d75fe53823d44b5469eb2eb6092c941?context=explore).
I would like to get a picture of how I can go about proving a chain of trust from the centos.org project through to what is published into Docker Hub and to what appears in the SHA above, akin to how you can follow a certificate chain within TLS. I appreciate that CentOS images are marked up as ‘Docker Official Images’, but that doesn’t give me a line of provenance to follow to verify where the contents of the image have actually come from.
I have looked into Docker Content Trust (DCT), but I’ve not been able to match the SHAs up between the various steps – and I am not sure this is even an approach that would lead me to the answer of my question.
I’d be interested to hear what approaches people would use to answer this question. Thanks.
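One concrete step in that chain can be checked mechanically: the `sha256-c2f1d5a9…` in the Docker Hub URL is the digest of the manifest (list) bytes exactly as the registry serves them, and a Docker Content Trust signature for the tag `7` is a Notary target whose digest must be that same value. The script below, added here as an illustration and not code from the original post or from the CentOS or Docker projects, recomputes the digest from manifest bytes and compares it with the digest recorded in `docker trust inspect` output. The manifest and the trust-inspect JSON are constructed stand-ins so the script runs offline; the shape of the trust JSON (a `SignedTags` array with `SignedTag` and `Digest` fields, digest as bare hex) is what `docker trust inspect` prints, but the `normalize` helper accepts either the bare hex or the `sha256:`-prefixed form so a formatting difference does not cause a false mismatch. Note what a match does and does not prove: it shows the tag-to-digest mapping was signed by the keys of the `library/centos` Notary repository (the Official Images publisher), not that the contents trace back to centos.org.

```python
"""Compare the digest Docker Hub shows for a tag with the digest that
Docker Content Trust (Notary) signed for that tag.

Added example; not from the original post. All inputs below are
constructed so the script runs offline. In practice, manifest_bytes is
the exact response body from
  GET https://registry-1.docker.io/v2/library/centos/manifests/7
(with Accept: application/vnd.docker.distribution.manifest.list.v2+json
and a pull token), and trust_json is the output of
  docker trust inspect centos:7
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for a manifest list as the registry would serve it.
# The placeholder per-platform digest is not a real image.
SAMPLE_MANIFEST = (
    b'{"schemaVersion":2,'
    b'"mediaType":"application/vnd.docker.distribution.manifest.list.v2+json",'
    b'"manifests":[{"mediaType":"application/vnd.docker.distribution.manifest.v2+json",'
    b'"size":529,"digest":"sha256:'
    b'0000000000000000000000000000000000000000000000000000000000000001",'
    b'"platform":{"architecture":"amd64","os":"linux"}}]}'
)


def manifest_digest(manifest_bytes: bytes) -> str:
    """Digest as Docker Hub displays it: sha256 over the manifest bytes
    exactly as served. Re-serialising or pretty-printing the JSON changes
    the bytes and therefore the digest, which is a common reason digests
    'do not match' between steps."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def normalize(digest: str) -> str:
    """Accept 'sha256:<hex>' or bare '<hex>' and return lowercase bare hex."""
    d = digest.strip().lower()
    return d[len("sha256:"):] if d.startswith("sha256:") else d


def signed_digest_for_tag(trust_json: str, tag: str) -> Optional[str]:
    """Extract the digest Notary signed for `tag` from `docker trust inspect`
    JSON output (a list of repositories, each with a SignedTags array)."""
    for repo in json.loads(trust_json):
        for signed in repo.get("SignedTags", []):
            if signed.get("SignedTag") == tag:
                return normalize(signed["Digest"])
    return None


def verify_tag(trust_json: str, tag: str, manifest_bytes: bytes) -> bool:
    """True only if the signed digest for `tag` equals the digest of the
    manifest bytes actually served for that tag."""
    signed = signed_digest_for_tag(trust_json, tag)
    if signed is None:
        return False  # tag is not signed at all: treat as failure, not 'unknown'
    served = normalize(manifest_digest(manifest_bytes))
    return hmac.compare_digest(signed, served)


def make_trust_inspect(tag: str, digest: str) -> str:
    """Constructed `docker trust inspect` output with the same field layout
    as the real command (assumption: Digest is bare hex; key ID is made up)."""
    return json.dumps([{
        "Name": f"docker.io/library/centos:{tag}",
        "SignedTags": [{"SignedTag": tag, "Digest": normalize(digest),
                        "Signers": ["Repo Admin"]}],
        "Signers": [],
        "AdministrativeKeys": [{"Name": "Root",
                                "Keys": [{"ID": "constructed-root-key-id"}]}],
    }])


# Constructed trust data that signs exactly the sample manifest above.
SAMPLE_TRUST = make_trust_inspect("7", manifest_digest(SAMPLE_MANIFEST))

if __name__ == "__main__":
    print("served digest :", manifest_digest(SAMPLE_MANIFEST))
    print("signed digest :", signed_digest_for_tag(SAMPLE_TRUST, "7"))
    print("match         :", verify_tag(SAMPLE_TRUST, "7", SAMPLE_MANIFEST))
    # A single extra byte (e.g. a trailing newline added by a tool) breaks the match.
    print("match+newline :", verify_tag(SAMPLE_TRUST, "7", SAMPLE_MANIFEST + b"\n"))
```

To run it against the real image, save the raw manifest response to a file and feed its bytes to `verify_tag` together with the JSON from `docker trust inspect centos:7`; the keys listed under `AdministrativeKeys` in that output are the root of the DCT chain, and that chain ends at the Docker Official Images publisher rather than at centos.org.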