author Jonas Finnemann Jensen <jopsen@gmail.com>
Mon, 19 Dec 2016 11:31:56 +0100
changeset 326751 65eba2a420048e401fe5a91d5c567c6ff34084d9
child 326840 bb6cdad27a8b1f4bb8769e8e37cdd30838e695ba
permissions -rw-r--r--
Bug 1324414 - Reference prebuilt docker images by HASH. r=dustin

This adds a HASH file next to the VERSION file in the image context folders for prebuilt docker images. And uses the HASH for referencing the image in the tasks created by the decision task. This way docker will validate the image hash when pulling it in production. Thus, attackers won't be able to inject code by compromising the remote docker registries we use to store prebuilt images. Furthermore, this makes validation of the Chain-Of-Trust artifacts easier as this eliminates the need for whitelists and hash validation.

MozReview-Commit-ID: FD3B9MyeU9Q
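The following sketch illustrates the pinning described in the commit message above; it is an added example, not code from this changeset or from the project. The HASH file format (one `sha256:<hex>` line), the function names, and the registry and image names are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed HASH file format: a single line "sha256:<64 lowercase hex chars>".
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def read_pinned_digest(context_dir):
    """Return the digest stored in <context_dir>/HASH, rejecting anything malformed."""
    digest = (Path(context_dir) / "HASH").read_text().strip()
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {context_dir}/HASH: {digest!r}")
    return digest


def image_reference(registry, name, context_dir):
    """Build an immutable name@digest reference instead of a mutable name:tag one."""
    return f"{registry}/{name}@{read_pinned_digest(context_dir)}"


def manifest_matches(manifest_bytes, pinned_digest):
    """The check a pull by digest implies: the sha256 of the manifest the
    registry serves must equal the pinned value, whatever the registry claims."""
    actual = "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()
    return actual == pinned_digest


def demo():
    # Constructed sample data: a stand-in manifest and an image context folder.
    good = b'{"schemaVersion": 2, "layers": ["constructed-layer-a"]}'
    tampered = b'{"schemaVersion": 2, "layers": ["constructed-layer-b"]}'
    with tempfile.TemporaryDirectory() as ctx:
        Path(ctx, "VERSION").write_text("0.1.0\n")
        Path(ctx, "HASH").write_text("sha256:" + hashlib.sha256(good).hexdigest() + "\n")
        ref = image_reference("registry.example", "prebuilt-image", ctx)
        pin = read_pinned_digest(ctx)
        # Same name on the registry, different content: the pin no longer matches.
        return ref, manifest_matches(good, pin), manifest_matches(tampered, pin)


if __name__ == "__main__":
    print(demo())
```

Because the digest lives in the source tree, changing which image a task runs requires a reviewed commit rather than a push to the registry.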