Docker Content Trust feature enables your environment to run only with signed images. In this way, Docker Content Trust ensures that the docker pulls only signed containers from the docker registry. Once enabled, Docker Content Trust is active for all docker pull operations.
Notary
Notary is the signing tool behind Docker Content Trust. Docker includes the Notary client, but you may also use the standalone client. Notary signs a combination of Docker image and image tag under a globally unique name (GUN). As a result, the same Docker image may have a signed and an unsigned tag: usually the “latest” tag is not signed, while a “1.0” tag may be.
Backup the registry root certificate
The root certificate is essential, so back it up. Losing the root certificate is very hard to recover from: it requires intervention from Docker support and from every image consumer.
Let Docker content trust generate signing key
First, generate a signing key, either with the OpenSSL command or with the built-in docker trust command.
Generate signing key
docker trust key generate markus --dir ~/.docker/trust
Let Notary list the known keys
> notary -d ~/.docker/trust key list
ROLE     GUN                         KEY ID                                                            LOCATION
----     ---                         ------                                                            --------
root                                 3f0904bc90c6c59615f6a33e6fc9c52888edf8507996b894a062089853b973d1  /home/markus/.docker/trust/private
targets  ...io/bfblog/hugo-builder   5e280613a387e119289e6ee76ddf22007de490015c414d0c8d3361b81f483bc6  /home/markus/.docker/trust/private
targets  docker.io/mbreuer/bfblog    d6da936cfd9d640779531948c73d975f9b1054c92f1f1012bdca5fd31c95ece3  /home/markus/.docker/trust/private
Signing the image with docker content trust
Use the previously generated key to authorize Docker images. Adding a signer creates a new target key in Notary; the root certificate is required to sign the added signer key.
Add signing key
docker trust signer add --key ~/.docker/trust/markus.pub markus docker.io/bfblog/hugo-builder:1.0
Sign the Docker image
docker trust sign bfblog/hugo-builder:1.0
> docker push docker.io/bfblog/hugo-builder:1.0
The push refers to repository [docker.io/bfblog/hugo-builder]
4d98f37de4bd: Pushed
a1e90fc58ee7: Pushed
afd71c0d32a1: Pushed
50644c29ef5a: Pushed
1.0: digest: sha256:eada2ba665e331e891614c794148c1b11ec94ffc04a3bd99b72783d9d9657557 size: 1159
Signing and pushing trust metadata
Enter passphrase for markus key with ID 62eb0ea:
Successfully signed docker.io/bfblog/hugo-builder:1.0
Inspect the Docker image
To check that everything worked, inspect the trust data of the image with the “docker trust inspect” subcommand.
> docker trust inspect --pretty docker.io/bfblog/hugo-builder:1.0
Signatures for docker.io/bfblog/hugo-builder:1.0
SIGNED TAG   DIGEST                                                            SIGNERS
1.0          eada2ba665e331e891614c794148c1b11ec94ffc04a3bd99b72783d9d9657557  bfblog, markus
List of signers and their keys for docker.io/bfblog/hugo-builder:1.0
SIGNER   KEYS
bfblog   62eb0ea63278
markus   62eb0ea63278
Administrative keys for docker.io/bfblog/hugo-builder:1.0
Repository Key: 5e280613a387e119289e6ee76ddf22007de490015c414d0c8d3361b81f483bc6
Root Key: 991cc042eea01d60257ab4d36a0f6f1ca0eb441c5cbc15f1ecd69defb0d49253
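The inspect output above is what a deployment gate should check before an image is used: the tag is actually signed, the expected signer is among the signers, and the Root key is still the one whose backup you keep (see the section on backing up the root certificate). The following script is an added example, not code from the original post or from Docker; it parses the JSON that “docker trust inspect” prints without the --pretty flag. The JSON field names (Name, SignedTags, Signers, AdministrativeKeys) are assumed from Docker's unformatted inspect output, so verify them against your Docker version; the sample trust data is constructed from the values shown in the post.

```python
"""Policy gate for Docker Content Trust metadata (added example).

Reads the JSON from `docker trust inspect <image>` (without --pretty) and
reports why a tag must not be deployed. The JSON layout is an assumption
based on Docker's unformatted inspect output; check it on your version.
"""
import json
import subprocess
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class TrustPolicy:
    """What a tag must satisfy before it is accepted."""
    required_signers: FrozenSet[str]        # each of these must have signed the tag
    pinned_root_key: Optional[str] = None   # ID of the Root key we backed up (pinning is our choice)
    expected_digest: Optional[str] = None   # optional: digest the build pipeline produced


def check_trust(inspect_json: str, tag: str, policy: TrustPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the tag is acceptable."""
    problems: List[str] = []
    repos = json.loads(inspect_json)
    if not repos:
        return [f"no trust data for tag {tag!r}"]
    repo = repos[0]

    # A tag that is absent from SignedTags was never signed (e.g. "latest").
    signed = [t for t in repo.get("SignedTags", []) if t.get("SignedTag") == tag]
    if not signed:
        return [f"tag {tag!r} is not signed"]
    entry = signed[0]

    missing = policy.required_signers - set(entry.get("Signers", []))
    if missing:
        problems.append(f"tag {tag!r} lacks required signer(s): {sorted(missing)}")

    if policy.expected_digest and entry.get("Digest") != policy.expected_digest:
        problems.append(f"digest mismatch: trust data says {entry.get('Digest')}")

    # Pinning the Root key ID detects a silently re-initialised repository.
    if policy.pinned_root_key:
        root_ids = {
            k["ID"]
            for adm in repo.get("AdministrativeKeys", [])
            if adm.get("Name") == "Root"
            for k in adm.get("Keys", [])
        }
        if policy.pinned_root_key not in root_ids:
            problems.append(f"root key rotated or unknown: {sorted(root_ids)}")
    return problems


def inspect_image(image: str) -> str:
    """Fetch raw trust JSON from Docker (needs a Docker CLI; the offline demo does not call it)."""
    return subprocess.run(
        ["docker", "trust", "inspect", image],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample modelled on the post's `docker trust inspect --pretty` output.
SAMPLE = json.dumps([{
    "Name": "docker.io/bfblog/hugo-builder:1.0",
    "SignedTags": [{
        "SignedTag": "1.0",
        "Digest": "eada2ba665e331e891614c794148c1b11ec94ffc04a3bd99b72783d9d9657557",
        "Signers": ["bfblog", "markus"],
    }],
    "Signers": [
        {"Name": "bfblog", "Keys": [{"ID": "62eb0ea63278"}]},
        {"Name": "markus", "Keys": [{"ID": "62eb0ea63278"}]},
    ],
    "AdministrativeKeys": [
        {"Name": "Repository", "Keys": [{"ID": "5e280613a387e119289e6ee76ddf22007de490015c414d0c8d3361b81f483bc6"}]},
        {"Name": "Root", "Keys": [{"ID": "991cc042eea01d60257ab4d36a0f6f1ca0eb441c5cbc15f1ecd69defb0d49253"}]},
    ],
}])

# Policy for this repository: the "markus" signer must have signed, and the Root key is pinned.
POLICY = TrustPolicy(
    required_signers=frozenset({"markus"}),
    pinned_root_key="991cc042eea01d60257ab4d36a0f6f1ca0eb441c5cbc15f1ecd69defb0d49253",
)

if __name__ == "__main__":
    for tag in ("1.0", "latest"):
        issues = check_trust(SAMPLE, tag, POLICY)
        print(tag, "OK" if not issues else issues)
```

In a pipeline you would feed `inspect_image("docker.io/bfblog/hugo-builder")` into `check_trust` and refuse to deploy on any non-empty result. The gate complements, not replaces, the client-side enforcement that Docker Content Trust applies to docker pull once it is enabled through the DOCKER_CONTENT_TRUST environment variable; the extra value is the pinned Root key, which is exactly the key the post tells you to back up.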
Conclusion
For further information, refer to the Docker documentation. If you are interested in more Docker topics, take a look at my other Docker posts.