Should tags be signed in addition to digests? #43
Comments
|
Based on the JSON example shown here I would say there is no need for that, as the references to tags are attached to the digest already. Secondly most tags will shift from digest to digest based on your releasing strategy. e.g. If I today release an image
Then on next release some of these tags will shift to the new release.
In general only the Not an expert though, but thought at least my reasoning would help in the discussion here. |
|
@marcofranssen just to verify, if you were to pull This also goes back to the TUF requirements of avoiding replay attacks where an old image can be presented as the current "v1" image. |
|
Tags only are not suitable for signing since a tag can point to any manifests. Instead, digests are suitable for signing since The tags are optionally signed for information only along with the digest. |
|
@shizhMSFT I wouldn't suggest that we stop signing digests, indeed we need that. However in notary v1 today, we only sign tags, with the indication that tag x currently points to digest y. From there, the manifest content itself is secure since changing that would modify the digest. My concern if we only sign the digests is that users pulling a tag may receive a different image than intended. And if that different image digest was also signed, notary wouldn't indicate any MitM attack happened. |
|
@sudo-bmitch what about the sliding versions? my |
|
@marcofranssen you would need to resign the |
|
@sudo-bmitch agree, so what you are opting for is to make the tag signatures mandatory as opposed to optional to prevent the MitM example you gave earlier where my |
|
@marcofranssen Right now it's not even an option we specify. So this issue is asking if we "should" or "must" have tag signatures, or leave it undefined as it is today. I'm leaning towards any implementation "must" have the ability to sign tags, and then users could decide if they want to disable that feature on the client (enabled for security by default). |
|
IMHO it absolutely must be possible for the user to rely on signatures to confirm that if the user asks for |
|
One option mentioned in today's call that I want to capture here is we can sign the full reference (registry, repository, and tag), and that clients can specify in their configuration that a local mirror is being used for an upstream registry. By having that client side mirror definition, a signature for We may be able to get more complex with the mirror definition to handle more use cases, but I'm sure there will be exceptions where the image name and tag get changed. When that happens, there are a few options I can come up with:
Happy to consider other possibilities to bridge the gap between needing to know that the tag you pulled is correct without breaking the ability to copy images between repositories. (cc @samuelkarp) |
That’s what GitHub.com/containers/image implements, both as a transparent mirror mechanism where users refer to the upstream names ( https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md#remapping-and-mirroring-registries ) and mirrors are a transparent infrastructure concern, and as a signature policy mapping where users refer to the mirror locations but upstream names may be accepted ( https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md#signedby This does mean that in order to introduce a new mirror/location, clients’ configuration must be updated to recognize/use it; OTOH it also allows all other parts of the ecosystem (CLI, K8s pod specs) to just use existing container image references as the only input without having to manually provide a trusted key / configuration stanza ID or other expression of what was intended / what image is acceptable. |
|
I think that the ability to sign tags in addition to digests should absolutely be part of this effort, so that we don't remove functionality that exists in Notary v1. In a similar vein, users should be able to access the most recent version of a tag, say |
|
As we talked in the slack message I do have a concern around resigning a particular tag. Like the following scenario:
Now we would have 2 images signed for the same tag. This could cause some sort of an issue because maybe we if the prior image as some sort of security vulnerability we might not want to keep that signature. Should we only allow 1 signature per tag? |
|
That wouldn’t help: some threat models include malicious/compromised registries / image delivery mechanisms, and once the old signature exists, we must assume the attacker keeps a copy; i.e. a registry-side enforcement of “single signature per tag” would not prevent an attacker from using the old signature with the old image (and a client-side enforcement does not work all that well in cloud-native deployments where the on-demand-scaled consumers don’t keep global state to notice existence the two signatures.) The signature would have to somehow be revoked, using a mechanism that works even assuming a malicious network in the middle preventing communication; probably using a recent “this is still valid” timestamp that expires quickly, something like TUF — and the associated outages if the “this is still valid” timestamps can’t be generated or delivered. Revocation is a difficult trade-off vs. availability. In practice, the signer can establish its own policy of not creating duplicate signatures (and forcing a tag update to |
Yes, this is one of the scenarios that TUF is designed to address that is not covered with just adding signatures to artifacts. The mechanism also works for other revocation scenarios. |
While it's common to deploy a locally built image with a unique tag, when pulling in upstream images, the reverse of depending on a mutable tag is more common in my experience. This allows security updates to be applied without individually updating the usage of every upstream image+tag in every manifest and Dockerfile. This is best solved with a TUF like solution (and can't be solved with only registry APIs since the registry could be malicious or MitM). |
|
Not sure but I feel like tag signing feels like a best effort action. That can give some confidence in the images being used but at the same time can be deceiving. Because even if a tag is signed it might be outdated or would require extra mechanisms to ensure that we are running the latest signed tag. |
|
I wouldn't call this best effort since we already solved this in notary v1 with TUF. The risk of running a stale tag was based on the timeout on the snapshot signature, which was kept intentionally short. But doing this in v2 on the registry instead of a dedicated notary server makes TUF a more difficult fit, liking moving that snapshot process to an external service and needing to resolve possible race conditions with multiple signers modifying the targets signature simultaneously. And if we support something like TUF, that will cause issues for the image and signature copying use cases. We're left with three options:
|
I opened a pr about copying TUF targets metadata between registries, and would appreciate any feedback. I think that solving image copying will be easier than re-inventing tag signing. |
I think we've come to a consensus we need a way to say a It's also fair to say we need to protect from rollback
However, I'd suggest we also need to account for:
How we achieve this flexibility is the interesting thing for consuming public content. This solution must be flexible enough to support these scenarios, as the breaking change is the most common issue. Actual security attacks are few and far between. They're critical when they happen, and I think we all agree we must have a solution. The solution just can't lock a user to be forced to use the latest version of something that isn't actually compatible with their environment. And, we can't require a customer to change their deployment from Keeping this issue active, which reflects some of the challenges associated with Scenario 7.1 I'm torn on creating a new work-item/issue for tag signing, linking to this one, or re-title this one. |
|
With 7.1 merged, and the Tag Signing design issue opened, I think this one is ready to be closed. Let move the rest of the discussion over to #63 |
Most of the requirements and sample implementation work in nv2 has focused on signing the manifest by digest. That has a significant feature of image portability, allowing images to be retagged, or copied to another repository or registry, while maintaining the same signing data.
Do we also want the ability to also sign tags, indicating the
acmerockets/heavylifter:1.5currently has a specific sha digest? That would prevent a malicious actor from replacing the1.5tag reference with an older but still signed and trusted digest. If we were to sign tags, would it just be the1.5being signed or the fullacmerockets/heavylifter:1.5. The full reference prevents portability but avoids the risk that another repository's image, e.g.acmerockets/bottlerocket:1.5, is sent as1.5.The text was updated successfully, but these errors were encountered: