Docker Content Trust/container signing enforcement

Hi, I’m currently experimenting with using balenaEngine in an edge product. One of our requirements is that we enforce container image signing and refuse to run untrusted images. Does balenaEngine support Docker Content Trust enforcement, like the upstream Docker engine does?

Hi @moosnat-meraki

You should be able to follow the official Docker docs on the trust subcommand: docker trust | Docker Docs

This command is experimental on the Docker client. It should not be used in production environments. To enable experimental features in the Docker CLI, edit the config.json and set experimental to enabled.
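For readers who want to see what the enforcement side of this actually consists of, here is an added, stand-alone illustration; it is not balenaEngine, Docker or Notary code and not something balena ships. Docker Content Trust is built on TUF: the publisher signs a "targets" file that maps tags to image manifest digests, and the Docker CLI (with DOCKER_CONTENT_TRUST=1), not the engine, verifies that file and refuses any tag it does not cover. The Go below reproduces that check in cut-down form with an Ed25519 key; the repository name, tags, seed and the manifest bytes behind the digest are all constructed for the example, and the real TUF roles (root, snapshot, timestamp, expiry) are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Targets is a cut-down stand-in for a TUF "targets" file: for one repository it
// maps each signed tag to the sha256 digest of that tag's image manifest.
type Targets struct {
	Repository string            `json:"repository"`
	Version    int               `json:"version"`
	Tags       map[string]string `json:"tags"`
}

// SignedTargets is the serialised targets file plus an Ed25519 signature over it.
type SignedTargets struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// SignTargets runs on the publisher's signing host; the private key never reaches the device.
func SignTargets(priv ed25519.PrivateKey, t Targets) (SignedTargets, error) {
	payload, err := json.Marshal(t) // map keys are sorted, so the encoding is stable
	if err != nil {
		return SignedTargets{}, err
	}
	return SignedTargets{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// ResolveTrusted is the device-side check. It verifies the targets signature against the
// pinned public key and turns "repo:tag" into "repo@sha256:..." so the engine can only ever
// pull the exact manifest the publisher signed. Any error means: refuse to pull or run.
func ResolveTrusted(pub ed25519.PublicKey, st SignedTargets, ref string) (string, error) {
	if !ed25519.Verify(pub, st.Payload, st.Signature) {
		return "", fmt.Errorf("targets signature invalid, refusing %q", ref)
	}
	var t Targets
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return "", fmt.Errorf("targets payload unparseable: %w", err)
	}
	// The tag separator is the last ':' after the last '/', so "registry:5000/app:1.0" parses.
	slash := strings.LastIndex(ref, "/")
	colon := strings.LastIndex(ref, ":")
	if colon <= slash {
		return "", fmt.Errorf("reference %q has no tag", ref)
	}
	repo, tag := ref[:colon], ref[colon+1:]
	if repo != t.Repository {
		return "", fmt.Errorf("repository %q is not covered by the signed targets", repo)
	}
	digest, ok := t.Tags[tag]
	if !ok {
		return "", fmt.Errorf("tag %q of %s is not signed", tag, repo)
	}
	if !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
		return "", fmt.Errorf("malformed digest %q for %s:%s", digest, repo, tag)
	}
	return repo + "@" + digest, nil
}

// DemoKeypair derives a deterministic key pair from a constructed seed (example only).
func DemoKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, never use for real signing"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// DemoTargets builds a constructed targets file; the digest is the sha256 of a made-up
// manifest body, standing in for a real image manifest digest.
func DemoTargets() Targets {
	manifest := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:constructed"}}`)
	sum := sha256.Sum256(manifest)
	return Targets{
		Repository: "registry.example.com/edge/app",
		Version:    3,
		Tags:       map[string]string{"1.4.2": "sha256:" + hex.EncodeToString(sum[:])},
	}
}

func main() {
	pub, priv := DemoKeypair()
	signed, err := SignTargets(priv, DemoTargets())
	if err != nil {
		panic(err)
	}
	for _, ref := range []string{
		"registry.example.com/edge/app:1.4.2",  // signed tag: resolves to the pinned digest
		"registry.example.com/edge/app:latest", // tag never signed: refused
		"docker.io/library/alpine:3.19",        // repository outside the trust data: refused
	} {
		if pinned, err := ResolveTrusted(pub, signed, ref); err != nil {
			fmt.Println("REFUSE", ref, "->", err)
		} else {
			fmt.Println("ALLOW ", ref, "->", pinned)
		}
	}
}
```

The point to take from it is where the check lives: the device holds only the publisher's public key and a signed tag-to-digest table, and it hands the engine a digest-pinned reference, so a tag that was never signed, a table that was altered in transit, or a table signed by the wrong key all end in a refusal before anything is pulled. That is the CLI-side behaviour DOCKER_CONTENT_TRUST=1 gives the Docker client; the engine itself has no equivalent switch, which is why a wrapper of this shape is needed if the engine is driven by something other than a trust-enabled CLI.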

Hey, thanks!
Related question: can I configure balenaEngine to only accept containers from one remote registry (and configure that registry as default)?

Any updates here? I see how we can sign dockers but not how we can enforce them.

I looked through the code & issues on https://github.com/balena-os/balena-engine and didn’t see anything obvious that suggests this is supported.

Complying with NIST Cyber Security guidelines for IoT requires authenticated updates.

Hi, you are correct, we currently don’t have any support on the balena-cloud/device side to enforce signed images. I am following the development of notary v2 to keep on top of things there, since we do have some plans to integrate this eventually.

To get a better picture of your requirements, I assume you need both OS and application updates to be signed?