Docker images should be signed utilizing docker content trust and digests should be published #233

@css-inverso

Description

What feature do you want to see added?

The problem:

There is no way to verify that the images published were actually built by jenkinsci.

We use digest-pinning to verify that our images based upon jenkins/inbound-agent are based off the intended image. There was a new image uploaded last Friday that updated the tag we use (jenkins/inbound-agent:4.11.2-4-jdk11). We are unable to verify whether that change was "legitimate".

Proposed solution:

Sign the published images using Docker Content Trust. That way at least the origin can be verified. Additionally, posting the digests at the release tag would probably be nice for manually verifying a source, as the builds aren't publicly accessible, or publishing a buildinfo in Artifactory.

Questions:

Why is there more than one build per release? In my opinion there should only be one build and therefore one digest for the image we use. I would like to know why it was updated, as a change should increase the version.

Upstream changes

No response
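The digest-pinning check described in the issue, as an added example that is not part of the issue or of the Jenkins project: a small Python script that parses the `FROM` references in a Dockerfile and reports each base image as unpinned (tag only), pinned to the expected digest, or pinned to a digest that differs from the one recorded for that tag. The Dockerfile text, the expected-digest table and both digest values are constructed for illustration and are not the digests of any real jenkins/inbound-agent image; the reference parser is simplified and does not handle registry host names with a port.

```python
"""Report base-image references in a Dockerfile that are not digest-pinned,
or whose digest differs from the one recorded for that tag.

Added example, not Jenkins project code. All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Simplified image reference: name[:tag][@sha256:hex]. Real references may
# also carry a registry host with a port, which this parser does not handle.
REF_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._/-]*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    name: str
    tag: Optional[str]
    digest: Optional[str]


@dataclass(frozen=True)
class Finding:
    line: int
    ref: str
    status: str  # "unpinned", "ok", "digest-mismatch" or "pinned-unverified"


def parse_ref(ref: str) -> ImageRef:
    """Split an image reference into name, tag and digest (each may be None)."""
    m = REF_RE.match(ref.strip())
    if m is None:
        raise ValueError(f"not a valid image reference: {ref!r}")
    return ImageRef(m["name"], m["tag"], m["digest"])


def from_lines(dockerfile: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, reference) for each FROM instruction, skipping
    option flags such as --platform and the trailing 'AS stage' alias."""
    for no, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line.upper().startswith("FROM "):
            continue
        tokens = [t for t in line.split()[1:] if not t.startswith("--")]
        if tokens:
            yield no, tokens[0]


def _key(ref: ImageRef) -> str:
    # Expected digests are recorded per name:tag, since the issue's concern
    # is a tag being re-pointed at a different image.
    return ref.name if ref.tag is None else f"{ref.name}:{ref.tag}"


def check_dockerfile(dockerfile: str, expected: Dict[str, str]) -> List[Finding]:
    """Classify every base image in the Dockerfile against the expected digests."""
    findings: List[Finding] = []
    for no, ref_str in from_lines(dockerfile):
        ref = parse_ref(ref_str)
        if ref.name == "scratch":  # not a pulled image; nothing to pin
            continue
        if ref.digest is None:
            status = "unpinned"
        elif _key(ref) not in expected:
            status = "pinned-unverified"
        elif expected[_key(ref)] == ref.digest:
            status = "ok"
        else:
            status = "digest-mismatch"
        findings.append(Finding(no, ref_str, status))
    return findings


# Constructed digests: placeholders, not real image digests.
EXPECTED_DIGEST = "sha256:" + "0123456789abcdef" * 4
CHANGED_DIGEST = "sha256:" + "fedcba9876543210" * 4

# Constructed table of the digest each pinned tag is expected to resolve to.
EXPECTED = {"jenkins/inbound-agent:4.11.2-4-jdk11": EXPECTED_DIGEST}

# Constructed Dockerfile; not a real jenkins/inbound-agent Dockerfile.
SAMPLE_DOCKERFILE = "\n".join([
    "# constructed sample",
    "FROM --platform=linux/amd64 jenkins/inbound-agent:4.11.2-4-jdk11 AS tag_only",
    f"FROM jenkins/inbound-agent:4.11.2-4-jdk11@{EXPECTED_DIGEST} AS pinned_ok",
    f"FROM jenkins/inbound-agent:4.11.2-4-jdk11@{CHANGED_DIGEST} AS pinned_changed",
    "FROM scratch",
])

if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE, EXPECTED):
        print(f"line {f.line}: {f.status:17} {f.ref}")
```

A check like this only establishes that the image a build consumes is the exact artifact recorded earlier; it says nothing about who produced that artifact, which is the gap Docker Content Trust signing is meant to close. In a pipeline the two complement each other: the pin detects a tag being silently re-pointed, and the signature lets the new digest be accepted or rejected on the basis of its publisher.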
