How do I verify (or find) the official container images?

There is a lot of information about how to verify that an ISO download is both official and contains exactly the data it should. That information is easy to find, served on the same page as the download links themselves, and authenticated by being on an official Fedora https URL.

However, I have tried hard to find the same kind of information for the podman/docker images, and have not been able to find it.

Here is what I was able to find, with a lot of searching:

  • Various forum posts that strongly imply (but mostly do not directly state) that the “fedora/” namespace on both Docker Hub and quay.io / registry.fedoraproject.org are the true, official base images… but there is no easy way to fully authenticate these posts.
  • Docker images — Fedora Developer Portal - an old page from ~2016 (Fedora 23) that actually clearly states that the Fedora project owns the fedora namespace on Docker.
  • Some Fedora subprojects’ documentation pages imply (but again, do not state!) that the “fedora” namespace is the official one - e.g. NeuroFedora has a page titled “Using containers” that shows pulling “fedora:latest” and describes it as “the base Fedora container”.
  • There is this page: Verify your Downloaded Image - but it looks infrequently updated. It does link to a recent-looking checksums file that contains sha256 sums for base images with current-looking version numbers; however, these checksums do not match anything in the output of “podman image inspect” or “skopeo image inspect”.
  • Various Red Hat pages strongly imply that all images in quay.io are signed, and it looks as if Red Hat may provide a way to confirm the signing key fingerprints, but I’ve found nothing similar for Fedora. And while there are indeed various hashes in the output of “image inspect”, there is nothing that looks like a signing key fingerprint, so nothing to match back to Fedora keeps you safe | The Fedora Project.

Iā€™m 99% certain that the images under the fedora namespace are probably safe, but Iā€™m not able to distinguish between these two cases:

  • The images under that namespace are created by the same people responsible for publishing the ISOs, or by a similar team that uses the same level of security.

or

  • The container images are a lower-priority project maintained by an unofficial group of volunteers, who don’t have the time/resources to develop a really rigorous set of security practices.

All it would take to satisfy me on this would be one sentence on the “Get Fedora” pages: “We own the ‘fedora’ namespace on Docker Hub and quay.io, and all images published under that namespace are official builds.” Can anyone here both confirm that that’s true, and edit those pages?
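The comparison the original poster describes in the fourth bullet (checksums file versus the hashes in "podman image inspect" / "skopeo inspect" output), as an added Python example that is not part of this thread and not a Fedora project tool. The inspect JSON and the checksums file below are constructed samples with made-up digests, and the function names are mine. The code pulls every sha256 value out of the inspect output, looks each one up in a sha256sum-style file, reports which (if any) match, and builds an immutable name@digest reference so a digest that has been verified once can be pinned afterwards.

```python
"""Cross-check digests from skopeo/podman inspect output against a checksums file."""
import json
import re

# Matches one 64-character lowercase hex sha256 value.
HEX64 = re.compile(r"\b([0-9a-f]{64})\b")

# Constructed digests (not real Fedora values), 64 hex chars each.
MANIFEST_HEX = "0a" * 32   # plays the role of the registry manifest digest
LAYER_HEX = "1b" * 32      # plays the role of one compressed layer digest
TARBALL_HEX = "2c" * 32    # plays the role of a downloaded tarball checksum

# Constructed stand-in for `skopeo inspect docker://quay.io/fedora/fedora` output.
SAMPLE_INSPECT = json.dumps({
    "Name": "quay.io/fedora/fedora",
    "Digest": "sha256:" + MANIFEST_HEX,
    "RepoTags": ["latest"],
    "Layers": ["sha256:" + LAYER_HEX],
    "LayersData": [{"MIMEType": "application/vnd.oci.image.layer.v1.tar+gzip",
                    "Digest": "sha256:" + LAYER_HEX, "Size": 12345}],
})

# Constructed sha256sum-style checksums file; the second line deliberately
# reuses LAYER_HEX so the matching path is exercised.
SAMPLE_CHECKSUMS = f"""\
# constructed checksums file, sha256sum format
{TARBALL_HEX}  Fedora-Container-Base-99-0.0.x86_64.tar.xz
{LAYER_HEX}  Fedora-Container-Base-Minimal-99-0.0.x86_64.tar.xz
"""


def collect_digests(inspect_json: str) -> dict:
    """Map every sha256 value found anywhere in inspect output to the JSON path it came from."""
    found = {}

    def visit(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                visit(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                visit(value, f"{path}[{index}]")
        elif isinstance(node, str):
            match = HEX64.search(node.lower())
            if match:
                found.setdefault(match.group(1), path)  # keep the first location seen

    visit(json.loads(inspect_json), "")
    return found


def parse_checksums(text: str) -> dict:
    """Parse '<hex>  <filename>' lines (sha256sum output) into {hex: filename}, skipping comments."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and HEX64.fullmatch(parts[0].lower()):
            sums[parts[0].lower()] = parts[1].lstrip("*")  # '*' marks binary mode in sha256sum
    return sums


def cross_check(inspect_json: str, checksums_text: str) -> list:
    """Return sorted (json_path, hex, filename) triples for inspect digests present in the checksums file."""
    digests = collect_digests(inspect_json)
    sums = parse_checksums(checksums_text)
    return sorted((path, hexval, sums[hexval]) for hexval, path in digests.items() if hexval in sums)


def pinned_reference(inspect_json: str) -> str:
    """Build a name@sha256:... reference from the manifest digest, for pinning a verified image."""
    data = json.loads(inspect_json)
    return f"{data['Name']}@{data['Digest']}"


if __name__ == "__main__":
    for path, hexval, filename in cross_check(SAMPLE_INSPECT, SAMPLE_CHECKSUMS):
        print(f"match: {path} = {hexval} ({filename})")
    print("pin as:", pinned_reference(SAMPLE_INSPECT))
```

A registry manifest digest or layer digest equals a line in a checksums file only if that file hashed the very same blob; the sha256 of a downloaded image tarball is a hash of a different artifact, so a non-match on its own does not show that an image is wrong, only that the two hashes are not comparable. The practical fallback is to record the manifest digest from a pull you trust and deploy by the name@digest form, which a tag move cannot silently change.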

Welcome to Fedora @fhowe

Your second statement is incorrect.

Please do read carefully the initial page of quay.io:

Build & deploy new containers easily

Use Quay.io to automate your container builds, with integration to GitHub, Bitbucket, and more. Robot accounts allow you to lock down automated access and audit each deployment.

It takes the code from official sources, which is committed only by official members. However, as on every open source project, everyone can propose a pull request to integrate into the source, which is again confirmed by official members.

As the block-quote below states, deploying the containers is totally automated and each deployment is audited.

The brand Fedora is owned by RH and is meant to be their Open Source Project for the community.
Everything gets the necessary attention and is under the control of RH.

Here is the link to how Fedora is organized: Fedora’s Mission and Foundations :: Fedora Docs


Aha - thank you; the ownership of the brand (and presumably associated trademarks), and the fact that quay.io is owned by Red Hat, does indeed fill in all the gaps for me. I had not thought to approach it from that angle :slight_smile:

So, to summarize (in case anyone lands here from similar searches to mine in future), to authenticate the Fedora images on quay.io, follow this path:

Initial assumption: We assume that both https:// www . redhat . com/ and https:// docs . fedoraproject . org/ are trusted.

Therefore, if you trust the verification methods for the Fedora ISO downloads, you can trust the images on quay . io because:

  • Starting from a secure connection to fedoraproject . org , find the branding and trademark guidelines: docs . fedoraproject . org /en-US/legal/trademarks/ , specifically: “Red Hat retains and reserves all rights to the Fedora Trademarks and their use”
  • and from the Red Hat side, this is corroborated by: https:// www . redhat . com/en/about/brand/standards/trademarks
  • Next, we can establish from https:// www . redhat . com/en/technologies/cloud-computing/quay that Red Hat owns and administers quay . io

Red Hat, being a for-profit corporation, is assumed to aggressively defend their trademarks (and there is evidence that they do, fairly consistently). Thus, from the above, we can assume that Red Hat would strongly protect use of the Fedora name on any properties they own, of which quay . io is one.

Therefore, all images under the Fedora namespace on quay . io are as safe as the Fedora ISO images.

(URLs obfuscated to avoid tripping new user link limits.)
