[Security] Is it time to sign the Docker images? #2490

Closed
opened 2026-04-06 03:46:07 +02:00 by MrUnknownDE · 0 comments

Originally created by @williamdes on 4/30/2021

Subject of the issue

Docker images, when [signed](https://docs.docker.com/engine/security/trust/), are more "secure" in the case of a security event, because a non-signed image could not be pulled if the previous one was signed.

Deployment environment

Docker

Steps to reproduce

```
docker pull vaultwarden/server:latest --disable-content-trust=false
```

```
Error: remote trust data does not exist for docker.io/vaultwarden/server: notary.docker.io does not have trust data for docker.io/vaultwarden/server
```

Expected behaviour

Have a signed image I can trust

Actual behaviour

No signed image

Troubleshooting data

All needed information can be found in official docs and in the GitHub action: https://github.com/sudo-bot/action-docker-sign

All the needed commands can be copied from https://github.com/sudo-bot/action-docker-sign/blob/main/action.yml

Is it easy to implement: Yes

Do you have to back up the repository and root keys in a very safe place? YES!

Knowing nothing about DCT, I implemented a GitHub action in a few hours; I can provide help with the setup if needed.

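The workflow the issue points at, written out as an added shell example (this is not the vaultwarden project's CI and not the linked action): the publisher side (generate a delegation key, register it for the repository, sign and push a tag) and the consumer side (inspect the trust data, then pull with `DOCKER_CONTENT_TRUST=1`, which is the environment-variable equivalent of `--disable-content-trust=false` and turns the "remote trust data does not exist" error above into a hard failure for unsigned tags). The image name, the signer name `ci`, and the `DOCKER` override used for dry runs are assumptions made for the example; in CI the root and repository passphrases are supplied through `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` instead of interactive prompts.

```shell
#!/usr/bin/env sh
# Added example (not the vaultwarden project's own tooling): the Docker
# Content Trust (DCT) workflow requested in the issue, publisher side and
# consumer side, using only the stock `docker trust` subcommands.
# Assumptions: IMAGE, SIGNER and the DOCKER override are placeholders;
# setting DOCKER=echo prints the command sequence without a daemon.
set -eu
DOCKER="${DOCKER:-docker}"
IMAGE="${IMAGE:-vaultwarden/server}"
SIGNER="${SIGNER:-ci}"

# Publisher, one-time setup: generate a delegation key pair ("$SIGNER.pub"
# in the working directory, private half under ~/.docker/trust/private)
# and register it for the repository. The first `signer add` on a
# repository also creates the root and repository keys, whose passphrases
# are read from DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE and
# DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE when set.
dct_setup_signer() {
    "$DOCKER" trust key generate "$SIGNER"
    "$DOCKER" trust signer add --key "$SIGNER.pub" "$SIGNER" "$IMAGE"
}

# Publisher, per release: `docker trust sign` pushes the tag and signs it
# with the delegation key in one step (the tag must exist locally).
dct_sign() {
    "$DOCKER" trust sign "$IMAGE:$1"
}

# Consumer: show which tags are signed and by whom, then pull with trust
# enforced. With DOCKER_CONTENT_TRUST=1 an unsigned tag is refused with
# "remote trust data does not exist" instead of being pulled.
dct_pull() {
    "$DOCKER" trust inspect --pretty "$IMAGE:$1"
    DOCKER_CONTENT_TRUST=1 "$DOCKER" pull "$IMAGE:$1"
}

# Publisher: the private keys DCT created on this machine. The root and
# repository keys are the ones the issue says must be backed up offline;
# a delegation key is per-signer and can simply be rotated if lost.
dct_list_keys() {
    ls "${HOME}/.docker/trust/private"
}

# Run the whole flow when executed with a tag: sh dct.sh <tag>
if [ "$#" -gt 0 ]; then
    dct_setup_signer
    dct_sign "$1"
    dct_pull "$1"
    dct_list_keys
fi
```

`DOCKER=echo sh dct.sh latest` prints the command sequence without touching a daemon or registry; against a real Docker the `signer add` step prompts for (or reads from the environment) the root and repository passphrases, and the consumer-side `pull` is the check that a maintainer can run against any tag to confirm it was signed by the expected delegation key rather than merely pushed.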
Reference: github/vaultwarden#2490