[GH-ISSUE #805] Docker image should be verifiable/reproducible #561

New issue

Closed

opened 2026-03-03 01:30:33 +03:00 by kerem · 2 comments

kerem commented

2026-03-03 01:30:33 +03:00

Owner

Originally created by @yegle on GitHub (Jan 6, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/805

Subject of the issue

It looks like the docker image was uploaded directly by some CI system. There's no build log that I can validate, and there's no way to reproduce the image. Given we entrust you with the passwords, I would feel more comfortable if the image can be verifiable or even reproducible.

It would be great if

At minimum, use Docker automated build, so that we can verify the result image is built from the Github repo (provide we trust Docker the company will not maliciously change the log or replace the image).
Even better, if we can somehow make the image reproducible. One way to do it is https://github.com/bazelbuild/rules_docker.
Also consider include GPG signature files in the result image.

Originally created by @yegle on GitHub (Jan 6, 2020). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/805 ### Subject of the issue It looks like the docker image was uploaded directly by some CI system. There's no build log that I can validate, and there's no way to reproduce the image. Given we entrust you with the passwords, I would feel more comfortable if the image can be verifiable or even reproducible. It would be great if 1. At minimum, use Docker automated build, so that we can verify the result image is built from the Github repo (provide we trust Docker the company will not maliciously change the log or replace the image). 2. Even better, if we can somehow make the image reproducible. One way to do it is https://github.com/bazelbuild/rules_docker. 3. Also consider include GPG signature files in the result image.

kerem closed this issue

2026-03-03 01:30:33 +03:00

kerem commented

2026-03-03 01:30:34 +03:00

Author

Owner

@dani-garcia commented on GitHub (Jan 6, 2020):

The docker builds are built using the docker autobuild feature each time a commit to this repo is made, and you can see the link between each image and the commit that it's using in the builds tab: https://hub.docker.com/r/bitwardenrs/server/builds. As you say this would require trusting docker of course.

I'd love to make either the image or at least the binary reproducible, but I'm not sure what that would require exactly, at the moment each commit has all dependencies pinned in the Cargo.lock file and the rust version also pinned in the rust-toolchain file, and there isn't anything in our source code that makes the build not reproducible, but I haven't tested.

I don't think GPG signing images is possible without sending my private key to docker which is obviously not going to happen, but all my commits to the repo are indeed signed by me.

@dani-garcia commented on GitHub (Jan 6, 2020): The docker builds are built using the docker autobuild feature each time a commit to this repo is made, and you can see the link between each image and the commit that it's using in the builds tab: https://hub.docker.com/r/bitwardenrs/server/builds. As you say this would require trusting docker of course. I'd love to make either the image or at least the binary reproducible, but I'm not sure what that would require exactly, at the moment each commit has all dependencies pinned in the Cargo.lock file and the rust version also pinned in the rust-toolchain file, and there isn't anything in our source code that makes the build not reproducible, but I haven't tested. I don't think GPG signing images is possible without sending my private key to docker which is obviously not going to happen, but all my commits to the repo are indeed signed by me.

kerem commented

2026-03-03 01:30:34 +03:00

Author

Owner

@yegle commented on GitHub (Jan 6, 2020):

Ah, I think I clicked on the "Builds" link but it took a while to load and I assumed it's an empty page.

In that case, I think I'm happy with the status quo.

@yegle commented on GitHub (Jan 6, 2020): Ah, I think I clicked on the "Builds" link but it took a while to load and I assumed it's an empty page. In that case, I think I'm happy with the status quo.