Why isn't n8nio a Docker Verified Publisher and why isn't Docker Content Trust (DCT) being used?

This question has been asked, but not answered, before here: How secure is n8n docker image for production?

With over 100 million downloads of the N8N Docker Image from Docker Hub, as of May 2024 (https://hub.docker.com/u/n8nio), I think it's very much (past) time to take extra steps to ensure trust of the published images in a way that can be verified, similar to how commits on GitHub are currently signed.

In my opinion (working in cyber security) the following two measures should be taken:

It looks like your topic is missing some important information. Could you provide the following, if applicable?

  • n8n version:
  • Database (default: SQLite):
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app):
  • Operating system:

Hey @v2E83W47zgfEs7kH,

Welcome to the community :raised_hands:

That is a very good question. We did start to look into official images last year and the Verified Publisher program, but after obtaining more details we decided it wasn't right for us at the time, and we may look into it again in the future.

With DCT, I have raised it with the rest of the team as something to look into, as it makes sense to have signed containers where possible, like some of our commits, as you have noticed.

Hi @Jon,
Thanks for your reply. Have you got any update or new information on the status of this? Thanks.
