Image signing and verification

Whether you are using a private image repository in-house or a public repository such as Docker Hub, it's important to know that you are running only the code that your developers have written. The potential for malicious code in an image, or for man-in-the-middle tampering with a download, is an important factor in protecting your container images.

As such, both rkt and Docker support the ability to sign images and verify that the contents have not changed. Publishers can use keys to sign the images when they are pushed to the repositories, and users can verify the signature on the client side when downloading for use.

This is from the rkt documentation: 

"Before executing a remotely fetched ACI, rkt will verify it based on attached signatures generated by the ACI creator."

For more information, visit the following links:

This is from the Docker documentation:

"Content trust gives you the ability to verify both the integrity and the publisher of all the data received from a registry over any channel."

For more information, visit https://docs.docker.com/engine/security/trust/content_trust/.

This is from the Docker Notary GitHub page:

"The Notary project comprises a server and a client for running and interacting with trusted collections."

For more information, visit https://github.com/docker/notary.
