Code integrity is extremely important, especially if you are running a cryptocurrency exchange.
Since HollaEx Kit is an open-source project, you can verify the code at any time by going to Github, but sometimes it's not enough. Internet is a wild jungle and you can't always trust what you download is what you intended to get.
Here's the way how you can check the image signature to check the image integrity
# To verity the integrity of a specific image
docker trust inspect --pretty hollaex/hollaex-kit:2.6.6
Signatures for hollaex/hollaex-kit:2.6.6
SIGNED TAG DIGEST SIGNERS
2.6.6 c4d328852f6a5ef863a51ee565e50ff07902aafef241fa9df34a0efa28fa5c78 bitholla-cicd
List of signers and their keys for hollaex/hollaex-kit:2.6.6
SIGNER KEYS
bitholla-cicd 2aa7f2853b76, 88ce8696c017, e5d3558d7565
kycfeel 1174213aeba1
Administrative keys for hollaex/hollaex-kit:2.6.6
Repository Key: bc606a961f2aea3a06d9af261ed57f9dfb57a35731535a180fe2b198356d4e93
Root Key: cfca4876cdd17155f797a1b5db695b9ea6c0de652359919ac421da1a42aa3c54
In order to enforce pulling ONLY the DCT signed images for extra security you can set the following command for docker:
export DOCKER_CONTENT_TRUST=1
is the savior in this context. It helps you to verify the image integrity. It has digital signatures signed by the issuers. By checking it, you can verify that the image is provided by the trustable issuers and that it has not been corrupted or tampered with.
