mirror of
https://github.com/linuxkit/linuxkit.git
synced 2025-09-06 01:11:23 +00:00
Remove Notary and Content Trust
This commit removes Notary and Content Trust. Notary v1 is due to be replaced with Notary v2 soon. There is no clean migration path from one to the other. For now, this removes all signing from LinuxKit. We will look to add this back once a new Notary alternative becomes available.

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
@@ -50,8 +50,6 @@ and namespaced separately from the host as appropriate.
|
||||
LinuxKit's build process heavily leverages Docker images for packaging. Of note, all intermediate build images
|
||||
are referenced by digest to ensures reproducibility across LinuxKit builds. Tags are mutable, and thus subject to override
|
||||
(intentionally or maliciously) - referencing by digest mitigates classes of registry poisoning attacks in LinuxKit's buildchain.
|
||||
Certain images, such as the kernel image, will be signed by LinuxKit maintainers using [Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/),
|
||||
which guarantees authenticity, integrity, and freshness of the image.
|
||||
|
||||
Moreover, LinuxKit's build process leverages [Alpine Linux's](https://alpinelinux.org/) hardened userspace tools such as
|
||||
Musl libc, and compiler options that include `-fstack-protector` and position-independent executable output. Go binaries
|
||||
|
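Review bot: With the two Docker Content Trust lines dropped from this paragraph (the header goes from 8 lines to 6), the section no longer says anything about the authenticity or freshness of images such as the kernel image, and a reader of the security document could assume they are still signed. The digest references described in the remaining text only address tag mutation, so consider adding a sentence here stating that images are currently not signed and that signing is expected to return once a replacement is available, as the commit message says. While this paragraph is being touched, the context line "are referenced by digest to ensures reproducibility" has a typo and should read "to ensure".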