I am using Docker 1.11, which has content trust built in, but I want to see a working case. As I understand it, the Notary service sends the image public key over HTTPS to the docker pull client. However, I want to see this trust in action as claimed in the docs https://docs.docker.com/engine/security/trust/content_trust/ (under the "pull images" section). I am trying out these two options, but neither seems to check the trust/signature:
- I am doing docker push for an image to a public Docker repository with DOCKER_CONTENT_TRUST=1, and it correctly asks me to set up the root and repository keys. So I would believe these are signed in the repository. However, when I do docker pull for these images on another machine, I am able to pull them both with and without enabling content trust. Is this a valid case? Should I be able to pull signed images without enabling content trust on the pulling side?
- Next, I do docker push for an image to a public repo with DOCKER_CONTENT_TRUST=0 (trust disabled), and it correctly pushes the image without creating any keys. On another host, however, I am again able to pull the images from the repository both with and without enabling content trust. Is this valid? If I did not push with trust, how come I am able to pull with trust?
Could someone help explain?
Thanks.
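To make the difference between the two pull modes concrete, here is an added example (not code from the question or from Docker/Notary) that models what a trusted pull does: instead of fetching whatever the mutable tag currently points to, it resolves the tag through signed Notary "targets" metadata to a digest, fetches by that digest, and rejects content that does not match. The manifest bytes, the targets role and the registry are constructed sample data, and verification of the Notary role signatures themselves is assumed to have happened upstream.

```python
import base64
import hashlib


class TrustError(Exception):
    """Raised when a trusted pull cannot be satisfied from signed data."""


# Constructed sample: manifest bytes a registry would serve for example/app:latest.
MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json"}'
DIGEST_HEX = hashlib.sha256(MANIFEST).hexdigest()

# Constructed "targets" role in the shape Notary publishes (hashes are base64 in the JSON).
# Assumption: root/snapshot/timestamp roles and their signatures were already verified.
SIGNED_TARGETS = {
    "signed": {
        "_type": "Targets",
        "targets": {
            "latest": {
                "hashes": {"sha256": base64.b64encode(bytes.fromhex(DIGEST_HEX)).decode()},
                "length": len(MANIFEST),
            }
        },
    },
    "signatures": [],  # omitted in this simplified model
}

# Constructed registry: the same content reachable by mutable tag and by immutable digest.
REGISTRY = {"example/app:latest": MANIFEST, f"example/app@sha256:{DIGEST_HEX}": MANIFEST}


def resolve_trusted_reference(repo, tag, trust_data):
    """Map repo:tag to repo@sha256:<digest> via the signed targets, as a trusted pull does."""
    if trust_data is None:
        raise TrustError(f"remote trust data does not exist for {repo}")
    target = trust_data["signed"]["targets"].get(tag)
    if target is None:
        raise TrustError(f"no trust data for {repo}:{tag}")
    digest = base64.b64decode(target["hashes"]["sha256"]).hex()
    return f"{repo}@sha256:{digest}", target["length"]


def pull(repo, tag, registry, trust_data=None, content_trust=False):
    """Simulated pull: trust off fetches the mutable tag; trust on pins to the signed digest."""
    if not content_trust:
        return registry[f"{repo}:{tag}"]
    ref, length = resolve_trusted_reference(repo, tag, trust_data)
    manifest = registry[ref]
    if len(manifest) != length or hashlib.sha256(manifest).hexdigest() != ref.split("@sha256:")[1]:
        raise TrustError(f"content served for {ref} does not match the signed target")
    return manifest
```

With `content_trust=False` the absence of trust data is never consulted, which is why an unsigned repository pulls fine; with `content_trust=True` a repository or tag without signed targets is refused before anything is fetched.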