@shreyasssk
Last active May 2, 2024 08:21
Docker Image Signing

Signing Docker Images

For this demo I will use the simple hello-world Docker image, retagged as shreyasssk/signatures:1

First, generate a signing key pair (this creates the key, not a signature yet):

$ docker trust key generate key1

This command prompts for a passphrase and creates key1.pub in the directory where it was run; the passphrase-encrypted private key is placed under ~/.docker/trust/private. Keep that private key and its passphrase off shared machines and out of source control: anyone holding both can sign images in your name.

To begin signing images, add the public key as a signer on the repository. This registers it with the Notary server behind the registry (for Docker Hub that is notary.docker.io) and, for a repository that has no trust data yet, also initializes the repository's root and targets keys, prompting for a passphrase for each:

$ docker trust signer add --key key1.pub key1 shreyasssk/signatures

The delegation is per repository: key1 is only allowed to sign images for shreyasssk/signatures. To use the same key for another repository, repeat the command above with that repository as the target.

Now that the public key is delegated on the repository, we can sign the image:

$ docker trust sign shreyasssk/signatures:1

This command pushes the tag to Docker Hub and publishes the signature (over the tag's manifest digest) to the Notary server; it prompts for the passphrase of key1's private key. A tag pushed with a plain docker push carries no signature unless DOCKER_CONTENT_TRUST=1 was set for the push.

Inspecting signed images:

We can fetch information from Docker Hub's Notary server about the signatures and signers of the repository with:

$ docker trust inspect --pretty shreyasssk/signatures

This command shows which tags on this repository are signed, the digest each signature covers, and the list of signers (the people or systems whose keys may sign images for this repository). Drop --pretty to get the same data as JSON, which is easier to check from a script.

Working with Signed Images:

We can instruct Docker to refuse unsigned images by setting the DOCKER_CONTENT_TRUST environment variable for the command:

$ DOCKER_CONTENT_TRUST=1 docker pull shreyasssk/signatures:1

This command resolves the tag to its signed digest, pulls that content and verifies the signature before persisting it in local storage.

Trying to pull a tag with no signature attached results in an error instead of a pull. Two caveats: the check proves only that some key delegated on the repository signed the tag, not which signer, and the enforcement is client-side only. It applies to the commands run with the variable set (pull, push, build, create, run) and can be switched off per command with --disable-content-trust, so the registry itself does not reject unsigned images.
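The steps above as one script, added here as an example and not code from the original gist. It wraps the docker trust commands in small helpers and adds an offline policy check over the JSON that docker trust inspect (without --pretty) prints, so a deployment accepts shreyasssk/signatures:1 only when it is signed by the named signer key1, not merely by any signer the repository delegates to. The JSON field names (Name, SignedTags, Signers, AdministrativeKeys), the sample inspect output, its digests and key IDs are assumptions constructed for the example; TrustError, verify_tag, pinned_reference and rejects are names introduced here.

```python
"""Gate a deployment on a Docker Content Trust signature from a named signer.

Added example, not part of the original gist. The docker calls need the
docker CLI and network access; the policy check runs offline on the JSON
that `docker trust inspect <repo>` prints (shape assumed from the CLI's
non-pretty output, see SAMPLE_INSPECT, which is a constructed sample).
"""
import json
import os
import subprocess
from typing import Any

REPO = "shreyasssk/signatures"


class TrustError(Exception):
    """Raised when a tag must not be used under the signing policy."""


def docker_trust_inspect(repo: str) -> list[dict[str, Any]]:
    """Fetch the repository's trust data as JSON (live; needs docker + network)."""
    proc = subprocess.run(["docker", "trust", "inspect", repo],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def pull_with_content_trust(image: str) -> None:
    """Pull with DOCKER_CONTENT_TRUST=1 so docker itself verifies the signature."""
    env = dict(os.environ, DOCKER_CONTENT_TRUST="1")
    subprocess.run(["docker", "pull", image], check=True, env=env)


def verify_tag(trust_data: list[dict[str, Any]], repo: str, tag: str,
               required_signer: str) -> str:
    """Return the digest of repo:tag if it is signed by required_signer.

    DOCKER_CONTENT_TRUST=1 only proves that some key delegated on the
    repository signed the tag; this pins which signer and checks that the
    signer is still listed in the repository's trust data.
    """
    entry = next((e for e in trust_data if e.get("Name") == repo), None)
    if entry is None:
        raise TrustError(f"no trust data for {repo}")
    known_signers = {s["Name"] for s in entry.get("Signers", [])}
    if required_signer not in known_signers:
        raise TrustError(f"{required_signer} is not a signer on {repo}")
    signed = next((t for t in entry.get("SignedTags", [])
                   if t.get("SignedTag") == tag), None)
    if signed is None:
        raise TrustError(f"{repo}:{tag} has no signature")
    if required_signer not in signed.get("Signers", []):
        raise TrustError(f"{repo}:{tag} is signed by {signed.get('Signers')}, "
                         f"not by {required_signer}")
    return signed["Digest"]


def pinned_reference(repo: str, digest: str) -> str:
    """Reference to put in deployment manifests: exactly the verified content."""
    return f"{repo}@{digest}"


def rejects(trust_data: list[dict[str, Any]], repo: str, tag: str,
            required_signer: str) -> bool:
    """True if the policy refuses repo:tag for required_signer."""
    try:
        verify_tag(trust_data, repo, tag, required_signer)
    except TrustError:
        return True
    return False


# Constructed sample of `docker trust inspect shreyasssk/signatures` output.
# Digests and key IDs are made up; tag 1 is signed by key1, tag 2 by ci-bot.
DIGEST_TAG1 = "sha256:" + "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2
DIGEST_TAG2 = "sha256:" + "deadbeef" * 8
SAMPLE_INSPECT: list[dict[str, Any]] = [{
    "Name": REPO,
    "SignedTags": [
        {"SignedTag": "1", "Digest": DIGEST_TAG1, "Signers": ["key1"]},
        {"SignedTag": "2", "Digest": DIGEST_TAG2, "Signers": ["ci-bot"]},
    ],
    "Signers": [
        {"Name": "key1", "Keys": [{"ID": "a1" * 32}]},
        {"Name": "ci-bot", "Keys": [{"ID": "b2" * 32}]},
    ],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "c3" * 32}]},
        {"Name": "Repository", "Keys": [{"ID": "d4" * 32}]},
    ],
}]


if __name__ == "__main__":
    # Live run mirroring the gist: inspect, apply the policy, then let docker
    # verify the signature on pull and print the digest-pinned reference.
    data = docker_trust_inspect(REPO)
    digest = verify_tag(data, REPO, "1", required_signer="key1")
    pull_with_content_trust(f"{REPO}:1")
    print("deploy as", pinned_reference(REPO, digest))
```

The digest returned by verify_tag is what the signature actually covers, so deploying by that digest-pinned reference rather than by the mutable tag means a later re-tag (signed or not) cannot change what runs without the policy check being repeated.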

@goelvansh

How did you set up the underlying Notary server? And what if you don't want to use Docker Hub but some other registry?
