Code Signing Best Practices
Download this Code Signing Best Practices guide to improve your software and supply chain security.
68.57% of professional developers interviewed in 2022 named Docker their number one tool of choice for software development activities. With the advent of cloud computing and the need for developing applications faster than ever before, the way organizations develop and run their applications has changed.
The adoption of application containers like Docker has been skyrocketing, with the market anticipated to reach $14.14 billion by 2030. As a result, docker registries have become an essential part of any organization’s Agile software development strategy.
Want to successfully integrate Docker into your software development life cycle? You’ll need to fully understand what it is all about. In this article, you’ll learn:
Are you ready to explore the world of docker? Let’s get on with the motley.
Docker registry is a server-side platform used by software developers to create, store, manage, and distribute anywhere different reusable versions of Docker images. Docker images are standalone executables that include everything needed to run an application or service.
The images are then used as a template to instantiate (i.e., generate) a container (i.e., lightweight packages of application code and its dependencies) that will be utilized to run an application process or a service. Typically used to build containerization-based applications (i.e., apps comprised of independent components) and services, a Docker registry is a bit like a warehouse shelf filled with Docker images instead of goods.
Image caption: This is how a Docker registry relates to images and containers.
Each Docker registry is divided into sections (i.e., Docker repositories), just like a warehouse shelf is divided into different sections containing different products. Each Docker repository includes various versions (i.e., tags) of a single Docker image and a description.
Image source: Ubuntu Docker. The screenshot shows Ubuntu’s image description included in the official Ubuntu Docker repository.
Image source: Ubuntu Docker. These are the versions actually included in the official Ubuntu Docker repository.
According to Gartner, 65.9% of the money spent by organizations on traditional application software will be redirected to cloud-based products and services by 2025. With businesses shifting to cloud-native development and hybrid multi-cloud environments, Docker is becoming increasingly popular.
Anyone who has access to the Docker registry can upload an image, search for it, or download it. For example:
Why do you need it? Because it provides you application flexibility and portability. A Docker registry will also extremely simplify and automate your deployment process, even for the most complex applications.
Do you remember when we said that the Docker registry is like a warehouse shelf? Good. Now, think about the challenges a warehouse manager may face. At the beginning of my working career, I did work in a small warehouse. I can tell you that the issues you get are very similar to the issues you encounter in application development. For example:
Depending on the Docker registry type you choose, it may also protect application consumers from man-in-the-middle attacks and guarantee the integrity of your images.
Does it sound familiar? I bet it does. And guess what? The right Docker registry type will help you deal with these issues.
Moreover, it also:
Now that we know what benefits Docker registries offer, let’s find out how they work.
Before we get into the nitty-gritty of the different Docker registry types available, we have to first understand how a Docker registry works. Let’s say you’re a developer who wants to build a containerized application. To create a container, you’ll usually:
Image caption: The graphic shows the process developers follow to create a Docker image and upload it to a Docker registry.
That’s it. Now, other users can access the Docker registry and search and/or download the image you’ve just uploaded to use for their development project or to run as a container.
Image caption: The graphic shows how a Docker registry facilitates Docker image storage, search, and sharing.
The term “Docker registry” can sometimes be a bit confusing as it can be used to indicate two different (but also similar) things with the same purpose. If you noticed, up till now we’ve written Docker registry with a lowercase “r.” This is because we used the term to refer to any tool or service used to store and distribute container images, like those listed below:
And then, there is Docker Registry (with a capital R). This is Docker’s project official tool to store, manage and distribute images supported by DockerHub.
Hold your horses, though, because there’s more. Before plunging headlong to pick your favorite Docker registry, there’s still something you’ll have to consider: what kind of Docker registry features do you need?
There are three docker registry types and each one offers different features, just like the three caravels (i.e., Spanish or Portuguese sailing ships) used by Columbus to get to America:
Time to explore all of them, one by one, more in depth.
Did you know that more than 18 million developers are already using Docker to build their applications? This includes small businesses, freelance developers, and big corporations. They all have different needs addressed by one or another Docker Registry flavor. Which one is the right one for you? Read on to find it out.
If you’d rather skim the content and base your choice on a high-level overview, then check out our summary table:
Docker Public Characteristics | Docker Public Registry | Docker Private Registry | Docker Trusted Registry |
Image Types |
|
|
|
Limits |
|
|
|
Features |
|
|
|
Security Level |
|
|
|
Access Level |
|
|
|
Ideal for |
|
|
|
|
|
|
|
This is the first type of Docker registry I played with during my career. It’s easy to use and it doesn’t cost a penny. Ideal for small businesses and individuals with limited budgets, anyone can upload or download images for free.
The downsides? Like all free products, there are a bunch:
However, if you’re a start-up or a small organization, with the right precautions, standardized and open-source images offered by a Docker public registry can still be a decent alternative to more expensive solutions. They’ll also enable you to share them with all your teams and communities without worrying too much about access.
Just remember to download only trusted images and scan them for vulnerabilities before using them. Don’t forget that DockerHub’s free Autobuild service was abused to mine cryptocurrencies. Bad guys are everywhere!
Did you ever have to slow down or even delay an application deployment project because of security concerns, like 67% of enterprises interviewed by RedHat? If you’re looking for a more secure environment, a few extra features, and privacy without breaking the bank, then a Docker private registry may be the right choice for you.
Among its features, a Docker private registry includes:
Image caption: The SSL/TLS certificate can protect your Docker registry from man-in-the-middle attacks.
As organizations are shifting their development processes to the cloud, concerns about cloud security are steadily growing. According to a Cybersecurity Insiders report, 95% of organizations’ security professionals are moderately to extremely concerned about cloud security.
Who could blame them, when 84% of open-source codebases scanned in 2022 contained at least one vulnerability? That’s why validating the integrity and authenticity of all images pulled from Docker registries has become essential.
How can you do that? In our previous point, among the security features we listed, we mentioned the possibility of uploading signed images to the Docker private Registry. The Docker Trusted Registry (DTR), Docker’s image storage solution for enterprises, takes this to another level.
In fact, it allows you to store and download digitally signed images only, guaranteeing their authenticity and protecting them from unauthorized modification. As a result, application consumers are, in turn, protected by man-in-the-middle attacks.
To go back to our warehouse example, the Docker trusted Registry is a bit like those heavily guarded warehouses. Nothing gets in or out without being identified (image signature) and checked for anomalies first.
Why is it important? When a developer pushes their image to a Docker registry, the image with all its version layers (sometimes controlled by other developers or teams), is made available to everyone who has access to the registry.
So, how can users downloading the image be sure that it has not been tampered with, and that it is really coming from a trusted source? How can you validate the security of the images throughout the whole software development life cycle? This is where the digital signature comes in.
There are several ways to sign an image. But, in general, before uploading the image to the Docker trusted Registry, the developer uses a tool of their choice (e.g., the Docker Content Trust [DCT] tool, Harbor, or JFrog Artifactory) to:
Now the image is ready to be uploaded to the DTR.
Image caption: The graphic shows the Docker Image signing process.
What happens when a user downloads the signed image? The signature is validated by decrypting the digest with the public key (usually fetched from a signature store or a local directory) and comparing the hashes. If they match, the signature is valid, and the image integrity hasn’t been compromised since it was signed.
Does all this sound familiar? Yup, essentially the same PKI-based process used by code signing and .exe file signing.
Check this short video showing an example of how a signed image is uploaded to DTR:
Do your security policies require images to be signed by multiple parties or more than once during the SDLC? “Don’t worry, be happy” like Bob McFerry sang. Each image can have multiple signatures, from the same signer or multiple signers. Bye-bye risky or suspicious images!
Did we answer the question, “What is a Docker Registry?” In layman’s terms, a Docker Registry is a great way to effectively create, manage and distribute container/Docker images. It enables developers and organizations to achieve super-fast software delivery without compromising on automation, and, in some cases, security.
Docker registries come in different flavors. By using the Docker public Registry, smaller businesses, and individuals can take advantage of standardized, easily accessible, and open-source images. While corporations and big enterprises in need of a more secure environment can keep their proprietary images private by investing in a Docker private registry.
Last but not least, Docker registries facilitate automation, streamline collaboration and processes through other platforms integration (e.g., GitHub and BitBucket). And with containerization quickly replacing the traditional development environment, Docker registries have become something organizations can’t do without.