However, I am unsure how we can validate the Docker images. The source code does not appear to indicate that the images are being signed, but I might be overlooking something
For context, the goal is to ensure that the images are not compromised and have confidence that regardless of proxies or setup, we fetch the images that are authored by your build process
Do we sign the images with tools like cosign? Should I place a feature request for it? Or what other alternatives do I have?
Aside from code signing, any provider of a Docker image should provide a checksum (I think the correct term is hash or digest) which you can re-calculate and compare after downloading the image. For example at swift - Official Image | Docker Hub you can see the "sha256:" below the "Digest" header at the right side.
Thank you for your suggestion. While your approach works, it still relies on manual steps, which can introduce errors and inconsistencies.
Additionally, the presence of an image digest in Docker Hub does not guarantee its integrity or safety. For example, if Docker Hub itself were compromised, malicious images could be distributed without detection.
I think that the only possible safeguard would be to store the digest for each tag somewhere in swift.org or GitHub, allowing users to compare it with the digest shown on Docker Hub. As far as I know, we don’t currently do this, and I haven’t found any references to such a process.