



Checksums are not for security. You need signatures. I’m not making claims that aren’t clearly documented.


Yeah, that’s the insecurity I’m talking about.
If you want to know how to implement this properly, look at apt. It’s a known issue in docker; they just haven’t prioritized the fix yet (DCT)


Hahahahahaha good luck.


I think that has the same problems, no? Or does podman do signature verification on all the layers it downloads from the container registry?


Yes. It predates aws lol


Docker pull is insecure
It’s the download that’s not verified


Matomo*


What are the advantages over awstats?


Docker is a security risk. Is it possible to install securely?
What you just described cannot be done. You can’t verify it, because it’s not signed.