starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-12-09 09:13:02 +03:00
Code Issues 429 Packages Projects Releases 10 Wiki Activity

Docker image should be verifiable/reproducible #1858

New Issue
Closed
opened 2025-10-09 17:33:15 +03:00 by OVERLORD · 2 comments
OVERLORD commented 2025-10-09 17:33:15 +03:00
Owner
Copy Link

Originally created by @yegle on GitHub.

Subject of the issue

It looks like the docker image was uploaded directly by some CI system. There's no build log that I can validate, and there's no way to reproduce the image. Given we entrust you with the passwords, I would feel more comfortable if the image can be verifiable or even reproducible.

It would be great if

  1. At minimum, use Docker automated build, so that we can verify the result image is built from the Github repo (provide we trust Docker the company will not maliciously change the log or replace the image).
  2. Even better, if we can somehow make the image reproducible. One way to do it is https://github.com/bazelbuild/rules_docker.
  3. Also consider include GPG signature files in the result image.
Originally created by @yegle on GitHub. ### Subject of the issue It looks like the docker image was uploaded directly by some CI system. There's no build log that I can validate, and there's no way to reproduce the image. Given we entrust you with the passwords, I would feel more comfortable if the image can be verifiable or even reproducible. It would be great if 1. At minimum, use Docker automated build, so that we can verify the result image is built from the Github repo (provide we trust Docker the company will not maliciously change the log or replace the image). 2. Even better, if we can somehow make the image reproducible. One way to do it is https://github.com/bazelbuild/rules_docker. 3. Also consider include GPG signature files in the result image.
OVERLORD commented 2025-10-09 17:33:19 +03:00
Author
Owner
Copy Link

@dani-garcia commented on GitHub:

The docker builds are built using the docker autobuild feature each time a commit to this repo is made, and you can see the link between each image and the commit that it's using in the builds tab: https://hub.docker.com/r/bitwardenrs/server/builds. As you say this would require trusting docker of course.

I'd love to make either the image or at least the binary reproducible, but I'm not sure what that would require exactly, at the moment each commit has all dependencies pinned in the Cargo.lock file and the rust version also pinned in the rust-toolchain file, and there isn't anything in our source code that makes the build not reproducible, but I haven't tested.

I don't think GPG signing images is possible without sending my private key to docker which is obviously not going to happen, but all my commits to the repo are indeed signed by me.

@dani-garcia commented on GitHub: The docker builds are built using the docker autobuild feature each time a commit to this repo is made, and you can see the link between each image and the commit that it's using in the builds tab: https://hub.docker.com/r/bitwardenrs/server/builds. As you say this would require trusting docker of course. I'd love to make either the image or at least the binary reproducible, but I'm not sure what that would require exactly, at the moment each commit has all dependencies pinned in the Cargo.lock file and the rust version also pinned in the rust-toolchain file, and there isn't anything in our source code that makes the build not reproducible, but I haven't tested. I don't think GPG signing images is possible without sending my private key to docker which is obviously not going to happen, but all my commits to the repo are indeed signed by me.
OVERLORD commented 2025-10-09 17:33:19 +03:00
Author
Owner
Copy Link

@yegle commented on GitHub:

Ah, I think I clicked on the "Builds" link but it took a while to load and I assumed it's an empty page.

In that case, I think I'm happy with the status quo.

@yegle commented on GitHub: Ah, I think I clicked on the "Builds" link but it took a while to load and I assumed it's an empty page. In that case, I think I'm happy with the status quo.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
better for forum
bug
bug
bug
documentation
duplicate
enhancement
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
SSO
Third party
troubleshooting
troubleshooting
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#1858
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?