[GH-ISSUE #1651] [Security] Is it time to sign the Docker images ?? #1025

Closed
opened 2026-03-03 02:05:37 +03:00 by kerem · 6 comments

Originally created by @williamdes on GitHub (Apr 30, 2021).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1651

Subject of the issue

Docker images when [signed](https://docs.docker.com/engine/security/trust/) are more "secure" in the case of a security event because a non signed image could not be pulled if the previous one was signed.

Deployment environment

Docker

Steps to reproduce

```
docker pull vaultwarden/server:latest --disable-content-trust=false
```
```
Error: remote trust data does not exist for docker.io/vaultwarden/server: notary.docker.io does not have trust data for docker.io/vaultwarden/server
```

Expected behaviour

Have a signed image I can trust

Actual behaviour

No signed image

Troubleshooting data

All needed information can be found in official docs and in the GitHub action: https://github.com/sudo-bot/action-docker-sign

All the needed commands can be copied from https://github.com/sudo-bot/action-docker-sign/blob/main/action.yml

Is it easy to implement: Yes

Do you have to back up the repository and root keys in a very safe place? YES!!

Knowing nothing about DCT, I implemented a GitHub action in a bunch of hours. I can provide help for the setup if needed.
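As an added example (not code from this issue or from the vaultwarden project), this is what a deployment-side gate on DCT trust data could look like: it parses the JSON that `docker trust inspect IMAGE` prints and only yields a digest-pinned reference when the requested tag is signed by an allowed signer. The signer name `release`, the tags, digests and key IDs below are constructed placeholders.

```python
"""Gate a deployment on Docker Content Trust (DCT) data.

The JSON handled here mirrors the schema printed by `docker trust inspect`;
the sample itself is constructed and its digests/key IDs are placeholders.
"""
import json

# Constructed sample of `docker trust inspect vaultwarden/server:latest`
# for a hypothetical repository that has trust data (placeholder values).
SAMPLE_TRUST_JSON = json.dumps([{
    "Name": "vaultwarden/server:latest",
    "SignedTags": [
        {"SignedTag": "latest", "Digest": "a1" * 32, "Signers": ["release"]},
        {"SignedTag": "beta", "Digest": "b2" * 32, "Signers": ["Repo Admin"]},
    ],
    "Signers": [{"Name": "release", "Keys": [{"ID": "cafe0001"}]}],
    "AdministrativeKeys": [
        {"Name": "Repository", "Keys": [{"ID": "cafe0002"}]},
        {"Name": "Root", "Keys": [{"ID": "cafe0003"}]},
    ],
}])

# For a repository without trust data, `docker trust inspect` prints an
# error on stderr and no JSON; a shell wrapper would hand us an empty string.
NO_TRUST_DATA = ""


def signed_digest(trust_json, tag, allowed_signers):
    """Return 'sha256:<hex>' for TAG if an allowed signer signed it, else None."""
    if not trust_json.strip():
        return None                    # "remote trust data does not exist"
    for repo in json.loads(trust_json):
        for entry in repo.get("SignedTags", []):
            if entry["SignedTag"] != tag:
                continue
            if set(entry["Signers"]) & set(allowed_signers):
                return "sha256:" + entry["Digest"]
            return None                # signed, but not by a signer we trust
    return None                        # tag absent from the trust data


def pull_reference(image, tag, trust_json, allowed_signers):
    """Build the digest-pinned reference to pull, or None to refuse the pull."""
    digest = signed_digest(trust_json, tag, allowed_signers)
    return f"{image}@{digest}" if digest else None
```

Pulling by the returned `image@sha256:...` reference, rather than by tag, ties the deployment to exactly the content that was signed.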

kerem closed this issue 2026-03-03 02:05:37 +03:00

@williamdes commented on GitHub (Apr 30, 2021):

You can find examples on https://github.com/sudo-bot/action-docker-sign#inspect-trust


@dani-garcia commented on GitHub (Apr 30, 2021):

As our images are getting built automatically by Docker Hub's infrastructure, enabling this would imply giving them the private signing key directly, so would this add any extra security in that case?


@williamdes commented on GitHub (Apr 30, 2021):

> As our images are getting built automatically by Docker Hub's infrastructure, enabling this would imply giving them the private signing key directly, so would this add any extra security in that case?

Well, the auto-builds are not possible anymore with that option. The repository would need to build the images :/


@williamdes commented on GitHub (Apr 30, 2021):

Switching to image builds with GitHub Actions using a named env with run approvers seems to be the solution to make the secrets protected :)


@williamdes commented on GitHub (May 8, 2021):

Do you think this could get implemented?
I did add all the needed instructions for multi arch images on my repository


@BlackDex commented on GitHub (Jun 21, 2021):

I'm going to move this to the discussions under `Ideas`, also to keep the issues for actual issues to the software.
