Currently, CopyBaseImagesCommand copies external base images into ACR without verifying their signatures:
|
private Task CopyImageAsync(string fromImage, string destinationRegistryName) |
|
{ |
|
fromImage = DockerHelper.NormalizeRepo(fromImage); |
|
|
|
string registry = DockerHelper.GetRegistry(fromImage) ?? DockerHelper.DockerHubRegistry; |
|
string srcImage = DockerHelper.TrimRegistry(fromImage, registry); |
|
|
|
ContainerRegistryImportSourceCredentials? importSourceCreds = null; |
|
if (Options.CredentialsOptions.Credentials.TryGetValue(registry, out RegistryCredentials? registryCreds)) |
|
{ |
|
importSourceCreds = new ContainerRegistryImportSourceCredentials(registryCreds.Password) |
|
{ |
|
Username = registryCreds.Username |
|
}; |
|
} |
|
|
|
return ImportImageAsync( |
|
destTagName: $"{Options.RepoPrefix}{fromImage}", |
|
destRegistryName: destinationRegistryName, |
|
srcTagName: srcImage, |
|
srcRegistryName: registry, |
|
sourceCredentials: importSourceCreds, |
|
copyReferrers: false); |
|
} |
We should verify the Notary v2 signature of each base image before importing it into the build registry. Not all upstream images have Notary v2 signatures, so verification should be opt-in and enabled wherever signatures are available.
Currently,
CopyBaseImagesCommandcopies external base images into ACR without verifying their signatures:docker-tools/src/ImageBuilder/Commands/CopyBaseImagesCommand.cs
Lines 82 to 105 in 6b2d022
We should verify the Notary v2 signature of each base image before importing it into the build registry. Not all upstream images have Notary v2 signatures, so verification should be opt-in and enabled wherever signatures are available.