After a long break due to the COVID-19 situation, we are back with our first online event just before Christmas!

This time, my colleague Philipp from SSE will give a talk on the practical application of cryptography for signing and verifying Docker images in Kubernetes, including a live demo of our open-source solution Connaisseur (GitHub).

So sign up, get your Christmas sweater, a cold or hot beverage and join us for this event!

Join via Microsoft Teams on December 3rd 2020 at 7pm.

Integrity of Docker Images - Signatures, Verification and a Tool for k8s (Philipp Belitz)

In modern software development, the introduction of containers and their orchestration has led to faster delivery, more flexible deployment and higher scalability and stability of applications. These packaged applications are distributed via images that serve as immutable starting snapshots for containers in the runtime environments.

Consequently, ensuring integrity and authenticity of images is of critical importance for the secure deployment of software. This can be achieved by adding signatures to guarantee authenticated and unaltered code. However, practical implementation of image signing and verification has remained a major challenge. This talk dives into current solutions and shortcomings for the two most popular containerization and orchestration engines, Docker and Kubernetes. It will touch on Docker Content Trust (DCT), Notary and The Update Framework (TUF) used for Docker image signing and introduce Connaisseur, a signature verification tool for Kubernetes. Live demo included ;-)

Get slides (pdf)

Full recording: