Bug 39194 - Sign Docker images and scripts
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Docker
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1
Assigned To: Arvid Requate
Stefan Gohmann
: interim-2
Depends on: 39590 39591
Blocks: 39671
Reported: 2015-08-17 09:41 CEST by Stefan Gohmann
Modified: 2015-11-17 12:11 CET

Description Stefan Gohmann univentionstaff 2015-08-17 09:41:15 CEST
The Docker images and all used scripts are cryptographically signed, for example the pre-installation script. The signature is verified during the installation. If the signature is invalid, an error message is shown and the installation is aborted.
Comment 1 Arvid Requate univentionstaff 2015-08-20 12:35:32 CEST
Docker 1.8 introduces signing and verification of images via asymmetric crypto.

This is part of a broader attempt to implement a framework for secure software updates: http://theupdateframework.com/ (TUF)

One of the components of TUF is a software component "notary" which is available under Apache license: http://blog.docker.com/2015/08/content-trust-docker-1-8/ 
[12:03] <arvid> stefan: Signing and verification apparently work via a new software component "notary":
* https://github.com/docker/notary/blob/master/ROADMAP.md
* http://blog.docker.com/2015/08/content-trust-docker-1-8/
* https://github.com/docker/notary/blob/master/README.md
* https://www.youtube.com/watch?v=at72dhg-SZY&feature=youtu.be&t=4873
* https://docs.docker.com/security/trust/content_trust/

It attempts to be "platform&transport-agnostic"



I guess it's downloadable as container, but the description is still pre-alpha:
* https://hub.docker.com/r/distribution/notary_notaryserver/
* https://hub.docker.com/r/distribution/notary_notarysigner/
Comment 2 Arvid Requate univentionstaff 2015-10-22 20:20:45 CEST
Fixed, see Bug 39591 for details
Comment 3 Stefan Gohmann univentionstaff 2015-10-27 07:46:26 CET
I've installed a new UCS 4.1 system. I was unable to switch to our Test App Center:

-----------------------------------------------------------------------------
root@master491:~# univention-app update
Downloading "https://appcenter-test.software-univention.de/meta-inf/4.1/index.json.gz"...
Downloading "https://appcenter-test.software-univention.de/meta-inf/4.1/index.json.gz.gpg"...
Downloading "https://appcenter-test.software-univention.de/meta-inf/categories.ini"...
Downloading "https://appcenter-test.software-univention.de/meta-inf/rating.ini"...
gpg: Signature made Mon 26 Oct 2015 04:17:53 PM EDT using RSA key ID 6B8BFD3C
gpg: BAD signature from "Univention Corporate Server 4.x <packages@univention.de>"

Signature verification for /var/cache/univention-appcenter/.index.json.gz failed
root@master491:~#
-----------------------------------------------------------------------------

I'm sure it worked already, so I guess something or someone broke it.
Comment 4 Arvid Requate univentionstaff 2015-10-27 12:57:21 CET
Yes, somebody refactored the code and gunzipped the signed file before checking the signature. Fixed.
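
The ordering mistake described in comment 4, as an added example that is not part of the bug report or the UCS code: the detached signature covers the compressed file as downloaded, so it has to be checked before gunzipping. HMAC-SHA256 with a constructed key stands in for the GPG signature so the block runs offline; all names and sample data are hypothetical.

```python
import gzip
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the detached GPG signature
# (index.json.gz.gpg); the rule about which bytes get verified is the same.
DEMO_KEY = b"constructed-demo-key"


class SignatureError(Exception):
    pass


def sign(blob):
    """Publisher side: sign the exact bytes that clients will download."""
    return hmac.new(DEMO_KEY, blob, hashlib.sha256).digest()


def verify(blob, signature):
    if not hmac.compare_digest(sign(blob), signature):
        raise SignatureError("BAD signature")


def load_index(raw_gz, signature):
    """Correct order: verify the compressed bytes as downloaded, then gunzip.
    The decompressor and JSON parser never see unauthenticated input."""
    verify(raw_gz, signature)
    return json.loads(gzip.decompress(raw_gz).decode("utf-8"))


def load_index_broken(raw_gz, signature):
    """Refactored order: gunzip first, then verify the decompressed data.
    The signature was made over index.json.gz, so an untouched file fails."""
    data = gzip.decompress(raw_gz)
    verify(data, signature)
    return json.loads(data.decode("utf-8"))


# Constructed sample index (not real App Center content).
INDEX = {"demo-app_20150101.ini": "constructed-checksum"}
INDEX_GZ = gzip.compress(json.dumps(INDEX).encode("utf-8"))
INDEX_SIG = sign(INDEX_GZ)
```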
Comment 5 Stefan Gohmann univentionstaff 2015-10-29 08:57:44 CET
I've added a first test script: 80_docker/59_app_center_signature

It tests various modifications:
 - no pgp file available
 - the index.json was modified
 - the ini file was modified

These tests were successful. I've also modified an inst script. While modifying the ini file, the App was no longer available because the hash was not valid. I think that's right. 
The App was still available after the inst file was modified:
Checksum for owncloud8-docker_20150917.inst should be u'68512ce46f443653d18f6d14b9b67325' but was '91ca715e08842f6a44840c77729c8df1'! Rather removing this file...

I think the App should also be no longer available in this scenario.
Comment 6 Stefan Gohmann univentionstaff 2015-10-29 14:02:23 CET
(In reply to Stefan Gohmann from comment #5)
> I've added a first test script: 80_docker/59_app_center_signature
> 
> It tests various modifications:
>  - no pgp file available
>  - the index.json was modified
>  - the ini file was modified
> 
> These tests were successful. I've also modified an inst script. While
> modifying the ini file, the App was no longer available because the hash was
> not valid. I think that's right. 
> The App was still available after the inst file was modified:
> Checksum for owncloud8-docker_20150917.inst should be
> u'68512ce46f443653d18f6d14b9b67325' but was
> '91ca715e08842f6a44840c77729c8df1'! Rather removing this file...
> 
> I think the App should also be no longer available in this scenario.

Moved to → Bug #39671.
Comment 7 Stefan Gohmann univentionstaff 2015-10-30 15:10:24 CET
OK, the test script (80_docker/59_app_center_signature) checks only the app center files, not the docker files. I've uploaded a new Docker image; afterwards I got a traceback: Bug #39676
Comment 8 Stefan Gohmann univentionstaff 2015-11-17 12:11:25 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".