For this demo I will be using a simple hello-world Docker image, tagged as shreyasssk/signatures:1
First, generate the key pair that will be used to produce the digital signatures:
$ docker trust key generate key1
This command creates a .pub key in the directory where the command was executed; the private key is placed under ~/.docker/trust/private
To begin signing images, you should add your public key to the underlying Notary server. To do so, execute the following command:
$ docker trust signer add --key key1.pub key1 shreyasssk/signatures
This key1.pub key is only allowed to sign images for the repo we have specified, in this case shreyasssk/signatures.
If you want to use the same key for a different repo, repeat the same command with the new repo as the target.
Now that the public key is added to the repo, we can finally sign our image:
$ docker trust sign shreyasssk/signatures:1
This command will sign the image and push it to Docker Hub.
We can fetch info from Docker Hub (the Notary server behind the Docker registry) about the signatures and signers of the repo with:
$ docker trust inspect --pretty shreyasssk/signatures
This command shows which tags in this repository are signed, as well as the list of signers attached to this repository (i.e. the people whose keys are allowed to sign images for it).
We can instruct Docker to work only with signed images. To do so, prefix the command with the DOCKER_CONTENT_TRUST environment variable:
$ DOCKER_CONTENT_TRUST=1 docker pull shreyasssk/signatures:1
This command pulls the image and verifies the signature before persisting it in local storage.
Trying to pull an image with no signature attached results in an error.
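The same signer information is available as JSON when docker trust inspect is run without --pretty, which is what a CI job or deployment script would consume rather than the human-readable table. The check below is an added example, not code from the original post or from Docker: it parses that JSON, confirms that the tag a pipeline is about to deploy is signed by a signer the pipeline trusts, and returns the signed digest so the image can be pulled by digest afterwards. The JSON is a constructed sample modelled on the structure docker trust inspect emits (Name, SignedTags, Signers, AdministrativeKeys); the digests and key IDs are placeholders, and the function names are mine.

```python
import json
from typing import Dict, List

# Constructed sample of `docker trust inspect shreyasssk/signatures` (non-pretty)
# output. The shape follows the JSON docker trust inspect emits; every digest
# and key ID below is a placeholder, not a real value.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "shreyasssk/signatures",
        "SignedTags": [
            {"SignedTag": "1",
             "Digest": "sha256:PLACEHOLDER_DIGEST_1",
             "Signers": ["key1"]},
            {"SignedTag": "2",
             "Digest": "sha256:PLACEHOLDER_DIGEST_2",
             "Signers": ["someone-else"]},
        ],
        "Signers": [
            {"Name": "key1", "Keys": [{"ID": "PLACEHOLDER_KEY_ID_1"}]},
            {"Name": "someone-else", "Keys": [{"ID": "PLACEHOLDER_KEY_ID_2"}]},
        ],
        "AdministrativeKeys": [
            {"Name": "Root", "Keys": [{"ID": "PLACEHOLDER_ROOT_KEY_ID"}]},
            {"Name": "Repository", "Keys": [{"ID": "PLACEHOLDER_REPO_KEY_ID"}]},
        ],
    }
])


def parse_trust_inspect(raw: str) -> Dict[str, dict]:
    """Map each signed tag to its digest and the names of the signers
    whose signatures cover it."""
    tags: Dict[str, dict] = {}
    for repo in json.loads(raw):
        for entry in repo.get("SignedTags", []):
            tags[entry["SignedTag"]] = {
                "digest": entry["Digest"],
                "signers": list(entry.get("Signers", [])),
            }
    return tags


def verify_tag(raw: str, tag: str, trusted_signers: List[str]) -> str:
    """Return the signed digest of `tag` if at least one trusted signer
    signed it; otherwise raise ValueError. Failing closed mirrors what
    DOCKER_CONTENT_TRUST=1 does for an unsigned tag, but additionally
    rejects tags signed only by signers this pipeline does not trust."""
    tags = parse_trust_inspect(raw)
    if tag not in tags:
        raise ValueError(f"tag {tag!r} has no signature in the trust data")
    signers = set(tags[tag]["signers"])
    if not signers & set(trusted_signers):
        raise ValueError(
            f"tag {tag!r} is signed by {sorted(signers)}, none of which is trusted"
        )
    return tags[tag]["digest"]


def is_trusted(raw: str, tag: str, trusted_signers: List[str]) -> bool:
    """Boolean wrapper around verify_tag for callers that only need yes/no."""
    try:
        verify_tag(raw, tag, trusted_signers)
        return True
    except ValueError:
        return False


def pinned_reference(repo: str, raw: str, tag: str, trusted_signers: List[str]) -> str:
    """Turn repo:tag into repo@digest after verification, so the later pull
    cannot be redirected to a different image under the same tag."""
    return f"{repo}@{verify_tag(raw, tag, trusted_signers)}"


if __name__ == "__main__":
    # Example run over the constructed data: tag 1 is signed by key1 and passes,
    # tag 2 is signed by an untrusted signer and is rejected.
    print(pinned_reference("shreyasssk/signatures", SAMPLE_INSPECT, "1", ["key1"]))
    print(is_trusted(SAMPLE_INSPECT, "2", ["key1"]))
```

In a real pipeline the raw string would come from running docker trust inspect against the registry (for example via subprocess), and the trusted signer list from the pipeline's own configuration rather than from the inspect output, since the latter is exactly what a compromised repository key could change.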
How did you set up the underlying Notary server? And what if you don't want to use Docker Hub but some other registry?