@antojoseph
Created December 6, 2023 23:09
image signing with dockerhub
❯ docker login
Log in with your Docker ID or email address to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com/ to create one.
You can log in with your password or a Personal Access Token (PAT). Using a limited-scope PAT grants better security and is required for organizations using SSO. Learn more at https://docs.docker.com/go/access-tokens/
Username: blocksek
Password:
Login Succeeded
❯ docker push blocksek/test
Using default tag: latest
The push refers to repository [docker.io/blocksek/test]
a703f3546758: Pushed
7867afa7f35d: Pushed
latest: digest: sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38 size: 735
❯ docker trust sign blocksek/test:latest
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID d2ba168:
Repeat passphrase for new root key with ID d2ba168:
Enter passphrase for new repository key with ID c99694f:
Repeat passphrase for new repository key with ID c99694f:
Enter passphrase for new blocksek key with ID 6f4eeeb:
Repeat passphrase for new blocksek key with ID 6f4eeeb:
Created signer: blocksek
Finished initializing signed repository for blocksek/test:latest
Signing and pushing trust data for local image blocksek/test:latest, may overwrite remote trust data
The push refers to repository [docker.io/blocksek/test]
a703f3546758: Layer already exists
7867afa7f35d: Layer already exists
latest: digest: sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38 size: 735
Signing and pushing trust metadata
Enter passphrase for blocksek key with ID 6f4eeeb:
Successfully signed docker.io/blocksek/test:latest
❯ export DOCKER_CONTENT_TRUST=1
❯ docker pull blocksek/test:latest
Pull (1 of 1): blocksek/test:latest@sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38
docker.io/blocksek/test@sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38: Pulling from blocksek/test
Digest: sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38
Status: Image is up to date for blocksek/test@sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38
Tagging blocksek/test@sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38 as blocksek/test:latest
docker.io/blocksek/test:latest
What's Next?
View a summary of image vulnerabilities and recommendations → docker scout quickview blocksek/test:latest
❯ docker trust inspect blocksek/test:latest
[
    {
        "Name": "blocksek/test:latest",
        "SignedTags": [
            {
                "SignedTag": "latest",
                "Digest": "775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38",
                "Signers": [
                    "blocksek"
                ]
            }
        ],
        "Signers": [
            {
                "Name": "blocksek",
                "Keys": [
                    {
                        "ID": "6f4eeeb47fc718b8e115444b885581fcb85ad52fca7b179968b68544edd94bcf"
                    }
                ]
            }
        ],
        "AdministrativeKeys": [
            {
                "Name": "Root",
                "Keys": [
                    {
                        "ID": "827e505f3d0aac236efd57e7b37c78e637849f16c198e3ca5242ba966d484178"
                    }
                ]
            },
            {
                "Name": "Repository",
                "Keys": [
                    {
                        "ID": "c99694fcec572146ea2246b445f4a8b9fbe7346751107b498f216d0a0c16a4d8"
                    }
                ]
            }
        ]
    }
]
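
An added example, not part of the original gist: a Python check that a CI job could run over the `docker trust inspect` JSON shown above, pinning the digest, signer name and signer key ID from this session. The function name `check_trust` and the pinning policy are assumptions for illustration.

```python
import json

# Pinned values, copied from the session above.
PINNED_DIGEST = "sha256:775f0cb42cb1fb931831f2327019c399313d7a507d16651064a055fffba41b38"
PINNED_KEY = "6f4eeeb47fc718b8e115444b885581fcb85ad52fca7b179968b68544edd94bcf"

# `docker trust inspect blocksek/test:latest` output from above, trimmed to the
# fields this check reads (AdministrativeKeys omitted).
INSPECT_JSON = json.dumps([{
    "Name": "blocksek/test:latest",
    "SignedTags": [{"SignedTag": "latest",
                    "Digest": PINNED_DIGEST.split(":")[1],
                    "Signers": ["blocksek"]}],
    "Signers": [{"Name": "blocksek", "Keys": [{"ID": PINNED_KEY}]}],
}])


def check_trust(inspect_json, tag, digest, signer, key_id):
    """Return a list of policy violations; an empty list means the tag passes."""
    try:
        repos = json.loads(inspect_json)
    except json.JSONDecodeError:
        return ["inspect output is not valid JSON"]
    if not isinstance(repos, list) or not repos:
        return ["no trust data returned"]
    repo = repos[0]
    entry = next((t for t in repo.get("SignedTags", [])
                  if t.get("SignedTag") == tag), None)
    if entry is None:
        return [f"tag {tag!r} is not signed"]
    problems = []
    # The signed digest must be the one we pinned, not whatever the tag points at now.
    if entry.get("Digest", "").lower() != digest.split(":")[-1].lower():
        problems.append("signed digest does not match the pinned digest")
    if signer not in entry.get("Signers", []):
        problems.append(f"tag is not signed by {signer!r}")
    # A signer name alone is not identity: compare the key ID as well.
    keys = {k.get("ID") for s in repo.get("Signers", [])
            if s.get("Name") == signer for k in s.get("Keys", [])}
    if key_id not in keys:
        problems.append(f"signer {signer!r} does not hold the pinned key")
    return problems


if __name__ == "__main__":
    print(check_trust(INSPECT_JSON, "latest", PINNED_DIGEST, "blocksek", PINNED_KEY))
```

Feed it the real output with `docker trust inspect blocksek/test:latest` captured to a string, and fail the job when the returned list is non-empty.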