Signed Docker Images for Windows Images

  • Question

  • I apologize if this is not the correct location for this question, but I didn't see a better category.

    When pulling down docker images, if I enable Docker Content Trust to verify the authenticity of base images:

    $Env:DOCKER_CONTENT_TRUST=1


    I noticed that the official Microsoft Images don't appear to be signed.  Is there any reason why the images cannot be signed?  Otherwise, are there any plans to support the signing of the official images published by Microsoft?

    Examples:

    docker pull mcr.microsoft.com/windows/nanoserver:1809
    Error: remote trust data does not exist for mcr.microsoft.com/windows/nanoserver: mcr.microsoft.com does not have trust data for mcr.microsoft.com/windows/nanoserver
    
    docker pull mcr.microsoft.com/windows/servercore:ltsc2019
    Error: remote trust data does not exist for mcr.microsoft.com/windows/servercore: mcr.microsoft.com does not have trust data for mcr.microsoft.com/windows/servercore
    
    docker pull mcr.microsoft.com/windows
    Using default tag: latest
    Error: remote trust data does not exist for mcr.microsoft.com/windows: mcr.microsoft.com does not have trust data for mcr.microsoft.com/windows
    
    docker pull mcr.microsoft.com/dotnet/core/aspnet:2.2
    Error: remote trust data does not exist for mcr.microsoft.com/dotnet/core/aspnet: mcr.microsoft.com does not have trust data for mcr.microsoft.com/dotnet/core/aspnet
    Friday, May 24, 2019 4:36 PM

All replies

  • Great question! I am working offline to find the answer. Will update once I hear back. 
    Friday, May 24, 2019 8:03 PM
  • Thanks for the patience while I looked into this. 

    We are aware the Windows images are not signed. This was originally due to a limitation in ACR that prevented being able to pull signed images. 

    We recently announced the ability to pull signed images into ACR. 

    https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust

    That being said, there is still some work being done before we are able to sign our images and to where it won't cause issues. 

    So work is being done to have the images signed but we do not have an ETA on when that work will be completed. 

    Can you share more about your use case? Is not having MSFT signed images a blocker for you or your company? Can you please elaborate on this scenario and I will be sure to forward it to the ACR team so they can add that info during their planning meetings. 

    Monday, June 3, 2019 9:32 PM