Last active
April 24, 2018 12:55
-
-
Save mbentley/8adbb67b18f73c8a9de5a803d2f0ae6b to your computer and use it in GitHub Desktop.
Docker Content Trust with the `docker trust` command
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The following commands assume that you already have a client bundle downloaded and extracted to the present working directory: | |
| # take your public key and add your user as a signer for the repository | |
| $ docker trust signer add --key cert.pem admin dtr.demo.dckr.org/admin/docker-whale | |
| Adding signer "admin" to dtr.demo.dckr.org/admin/docker-whale... | |
| Initializing signed repository for dtr.demo.dckr.org/admin/docker-whale... | |
| Enter passphrase for root key with ID a380e3a: | |
| Enter passphrase for new repository key with ID eceefed: | |
| Repeat passphrase for new repository key with ID eceefed: | |
| Successfully initialized "dtr.demo.dckr.org/admin/docker-whale" | |
| Successfully added signer: admin to dtr.demo.dckr.org/admin/docker-whale | |
| # verify that you see your user now listed as a signer | |
| $ docker trust inspect --pretty dtr.demo.dckr.org/admin/docker-whale | |
| No signatures for dtr.demo.dckr.org/admin/docker-whale | |
| List of signers and their keys for dtr.demo.dckr.org/admin/docker-whale | |
| SIGNER KEYS | |
| admin bbd3c0d3c18b | |
| Administrative keys for dtr.demo.dckr.org/admin/docker-whale | |
| Repository Key: eceefed415237e8596cd4a322456164b308e6c7ab66bb2c284d3f25e84134f5b | |
| Root Key: fa70c2302c2de59eae4035426f01209248783da7bc9779b071be167c96d0d3b0 | |
| # load your private key into your local storage so that it can be used by Docker to sign | |
| $ docker trust key load key.pem | |
| Loading key from "key.pem"... | |
| Enter passphrase for new signer key with ID bbd3c0d: | |
| Repeat passphrase for new signer key with ID bbd3c0d: | |
| Successfully imported key from key.pem | |
| # enable DCT on push | |
| $ export DOCKER_CONTENT_TRUST=1 | |
| # retag an image to push to DTR | |
| $ docker tag hello-world:latest dtr.demo.dckr.org/admin/docker-whale:latest | |
| # push the image and sign | |
| $ docker push dtr.demo.dckr.org/admin/docker-whale:latest | |
| The push refers to repository [dtr.demo.dckr.org/admin/docker-whale] | |
| f999ae22f308: Layer already exists | |
| latest: digest: sha256:8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b size: 524 | |
| Signing and pushing trust metadata | |
| Enter passphrase for signer key with ID bbd3c0d: | |
| Successfully signed dtr.demo.dckr.org/admin/docker-whale:latest | |
| # verify that the image tag is now showing as being signed | |
| $ docker trust inspect --pretty dtr.demo.dckr.org/admin/docker-whale | |
| Signatures for dtr.demo.dckr.org/admin/docker-whale | |
| SIGNED TAG DIGEST SIGNERS | |
| latest 8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b admin | |
| List of signers and their keys for dtr.demo.dckr.org/admin/docker-whale | |
| SIGNER KEYS | |
| admin bbd3c0d3c18b | |
| Administrative keys for dtr.demo.dckr.org/admin/docker-whale | |
| Repository Key: eceefed415237e8596cd4a322456164b308e6c7ab66bb2c284d3f25e84134f5b | |
| Root Key: fa70c2302c2de59eae4035426f01209248783da7bc9779b071be167c96d0d3b0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment