Docker Content Trust

by | Jul 18, 2020 | Docker

Docker Content Trust feature enables your environment to run only with signed images. In this way, Docker Content Trust ensures that the docker pulls only signed containers from the docker registry. Once enabled, Docker Content Trust is active for all docker pull operations.

Notary

The notary is a docker wrapper and implements security. Docker includes the notary client, but you may also use the standalone client. In general, the notary signs a combination of docker image and image tag to a globally unique name (GUN). In this way, the same docker image may have a signed and an unsigned image tag. Usually, the “latest” tag is not approved, but a “1.0” may be signed.

Backup the registry root certificate

The root certificate is essential. With this in mind, backup the root certificate. Losing the root certificate is very difficult to recover. It requires intervention from Docker support and any image consumer.

Let Docker content trust generate signing key

At first, we generate a signing certificate. In this way, use the OpenSSL command or the docker builtin trust command.

Generate signing key

docker trust key generate markus --dir ~/.docker/trust

In this example, we store the key in the docker directory. Use the notary command to take a look into the docker directory and list the known certificates.

let notary list the known keys

> notary -d ~/.docker/trust key listROLE       GUN                          KEY ID                                                              LOCATION ----       ---                          ------                                                              -------- root                                    3f0904bc90c6c59615f6a33e6fc9c52888edf8507996b894a062089853b973d1    /home/markus/.docker/trust/private targets    ...io/bfblog/hugo-builder    5e280613a387e119289e6ee76ddf22007de490015c414d0c8d3361b81f483bc6    /home/markus/.docker/trust/private targets    docker.io/mbreuer/bfblog     d6da936cfd9d640779531948c73d975f9b1054c92f1f1012bdca5fd31c95ece3    /home/markus/.docker/trust/private

Signing the image with docker content trust

Use the previously generated certificate to authorize docker images. This operation creates a new target key in the notary. The root certificate is required to sign custom certificates.

Add sign key

docker trust signer add --key ~/.docker/trust/markus.pub markus docker.io/bfblog/hugo-builder:1.0

Now, the signer is known to the notary. As a result, you may sign the docker image on the local workstation. In this way, you have a locally approved docker image.

sign docker image

docker trust sign bfblog/hugo-builder:1.0

As an alternative, use docker push to deploy docker image to docker registry. In consequence, the docker integrated notary client does the same. But in contrast, the docker images become published to the Docker registry.

> docker push docker.io/bfblog/hugo-builder:1.0 The push refers to repository [docker.io/bfblog/hugo-builder] 4d98f37de4bd: Pushed a1e90fc58ee7: Pushed afd71c0d32a1: Pushed 50644c29ef5a: Pushed 1.0: digest: sha256:eada2ba665e331e891614c794148c1b11ec94ffc04a3bd99b72783d9d9657557 size: 1159 Signing and pushing trust metadata Enter passphrase for markus key with ID 62eb0ea: Successfully signed docker.io/bfblog/hugo-builder:1.0

Inspect the Docker image

In the hope that all is fine, we inspect the Docker image. Together with the “docker trust inspect” subcommand, we take a look into the docker image.

> docker trust inspect --pretty docker.io/bfblog/hugo-builder:1.0Signatures for docker.io/bfblog/hugo-builder:1.0SIGNED TAG          DIGEST                                                             SIGNERS 1.0                 eada2ba665e331e891614c794148c1b11ec94ffc04a3bd99b72783d9d9657557   bfblog, markusList of signers and their keys for docker.io/bfblog/hugo-builder:1.0SIGNER              KEYS bfblog              62eb0ea63278 markus              62eb0ea63278Administrative keys for docker.io/bfblog/hugo-builder:1.0Repository Key:	5e280613a387e119289e6ee76ddf22007de490015c414d0c8d3361b81f483bc6 Root Key:	991cc042eea01d60257ab4d36a0f6f1ca0eb441c5cbc15f1ecd69defb0d49253

Conclusion

For further information, refer to Docker documentation. If you are interested in more Docker topics? In that case, you may take a look at my other docker posts.

0 Comments

Leave a Reply

Explore Articles That Align With Your Interests

Overprovisioned Host System – A Nightmare

Overprovisioned host systems in virtualized environments often cause performance issues. Steal Time is a reliable indicator for identifying such bottlenecks. This article explains how to monitor Steal Time using top, the impact of high values, and how monitoring tools...

Why Event-Driven Architecture?

What is event-driven architecture? What are the advantages of event-driven architecture, and when should I use it? What advantages does it offer, and what price do I pay? In the following, we will look at what constitutes an event-driven architecture and how it...

On-Premise? IaaS vs. PaaS vs. SaaS?

,

What does it mean to run an application in the cloud? What types of clouds are there, and what responsibilities can they take away from me? Or conversely, what does it mean not to go to the cloud? To clarify these questions, we first need to identify the...