I have many Docker images to maintain (mostly personal projects) but I have no way of verifying the authenticity of my images. To add an extra layer of security, I decided to POC the use of Cosign.
There are many alternatives, but some require the maintenance of a key management server or are just less popular than Cosign.
| FROM rockylinux/rockylinux:9 | |
| ENV HTTP_PROXY "http://proxy.infra.dgfip:3128" | |
| ENV HTTPS_PROXY "http://proxy.infra.dgfip:3128" | |
| RUN [ ! -f /usr/sbin/init ] && dnf -y install systemd; | |
| RUN ([ -d /lib/systemd/system/sysinit.target.wants ] && cd /lib/systemd/system/sysinit.target.wants/ && for i in *; do [ $i == \ | |
| systemd-tmpfiles-setup.service ] || rm -f $i; done); \ | |
| rm -f /lib/systemd/system/multi-user.target.wants/*;\ |
I hereby claim:
To claim this, I am signing this object: