Docker Content Trust (DCT)

Shriraj Shakunt — Sat, 21 May 2022 08:23:15 +0000

Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.

Prerequisites

Latest Docker desktop
Docker hub account
Docker contrainer image ## Documentation Refer the DCT Documentation here

Deployment

Make a docker repository for your images

Go to Docker Hub and sign in with your docker hub account
Click on Create repository and name it "test"
It should look something like this.

Do Docker login in your CLI with

Docker login

Enter your credentials and you are ready to go.

To Sign a docker image we have first generate a key...

To generate a key run this command in your CLI

  docker trust key generate signature

This "Signature" is the name you will give to your key and it will be saved in your working directory with the .pub extension
After running this command you will be asked to enter and repeat a passphrase.

To make a signer and add it to your repository run this command

docker trust signer add --key signature.pub [signer's name] [your repository's name]

The repository name will be something like this --> example/test
You have to enter and repeat passphrase for root key and repository.

Signing and Pushing images to the repository

First let's commit our container image.

 docker commit [Image ID] [Repository Name]

You can find the image ID from

docker ps

Let's push an unsigned image for reference -First tag the image as unsigned-image

 docker image tag [Image ID] [Repository Name]:unsigned-image

Now push the image with

 docker push [Repository Name]:unsigned-image

Now sign the tag and sign the same image. Tag the image with

docker image tag [Image ID] [Repository Name]:signed-image

Sign the image with

docker trust sign [Repository Name]:signed-image

You have to again enter the passphrase

For the the further imformation about the signed image run

docker trust inspect --pretty [Repository Name]:signed-image

Push the signed image with

docker push [Repository Name]:signed-image

The push refers to repository [docker.io/shakunt/test]
059ff50d778b: Layer already exists
c4e64d78638e: Layer already exists
5f70bf18a086: Layer already exists
0cd0f4e90e0c: Layer already exists
e4a7f8c5002b: Layer already exists
7cc0623bd7a8: Layer already exists
f1859b30ca6b: Layer already exists
6a35d52a66fd: Layer already exists
fbd7d5451c69: Layer already exists
4fc242d58285: Layer already exists
trust-image-signed: digest: sha256:f6274d55e7ae079737180c7cb5----7387fb6a87297ef486edbc1bb16f4d0 size: 2409

Setting up trust environment and pulling the signed and unsigned images

To set up the trust environment run

export DOCKER_CONTENT_TRUST=1

Let's pull the images

unsigned image

docker pull [Repository Name]:unsigned-image
No valid trust data for unsigned-image

Signed image

docker pull [Repository Name]:signed-image
Pull (1 of 1): shakunt/test:signed-image@sha256:f6274d55e7ae079737180c7cb5b02f386edbc1bb16f4d0
docker.io/shakunt/test@sha256:f6274d55e7ae079737180c7cb5b02f3767387fb6a87bb16f4d0: Pulling from shakunt/test
Digest: sha256:f6274d55e7ae079737180c77fb6a87297ef486edbc1bb16f4d0
Status: Image is up to date for shakunt/test@sha256:f6274d551bb16f4d0
Tagging shakunt/test@sha256:f6274d55e7ae079732f3767387fb6a87297ef486edbc1bb16f4d0 as shakunt/test:signed-image
docker.io/shakunt/test:signed-image

Thank u, Hope this post helped you!

DEV Community: Shriraj Shakunt