Docker Community Forums


Docker content trust - does not seem to work as expected


(Radiatejava) #1

I am using Docker 1.11, which has content trust built in, but I want to see a working case. As I understand it, the Notary service sends the image public key over HTTPS to the docker pull client. However, I want to see this trust in action as claimed in the docs https://docs.docker.com/engine/security/trust/content_trust/ (under the "pull images" section). I am trying out these two options, but neither of them seems to be checking the trust/signature:

  1. I do a docker push for an image to a public Docker repository with DOCKER_CONTENT_TRUST=1, and it correctly asks me to set up the root and repository keys, so I would believe these are signed in the repository. However, when I do a docker pull for these images on another machine, I am able to pull them both with and without content trust enabled. Is this a valid case? Should I be able to pull signed images without enabling content trust on the pulling side?

  2. Next, I do a docker push for an image to a public repo with DOCKER_CONTENT_TRUST=0 (trust disabled), and it correctly pushes the image without creating any keys. On another host, however, I am again able to pull the image from the repository both with and without content trust enabled. Is this valid? If I did not push with trust, how come I am able to pull with trust?

Could someone help explain?

Thanks.


(Radiatejava) #2

Guys, can anyone help me explain in which case docker pull really enforces the signature check? I want to see the situation in which content trust is enabled on the pull side and the pull fails if the image is not signed. How can we see this enforcement in action? Or is this a bug in Docker?


(Radiatejava) #3

I found the answer. The image signature check is enforced only when unsigned Docker images are pushed to the Hub but the pull is done with content trust enabled.
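To see the enforcement described in the last post in action, here is an added demo script (not from the thread, Docker's docs or the Notary project) that pushes one tag signed and one unsigned, then pulls each with trust off and on; the repository name is a placeholder and the "trust data" error wording it matches on is an assumption based on the client's output.

```shell
#!/usr/bin/env sh
# Added demo, not from the thread: exercise the four push/pull trust
# combinations discussed above and show which one is rejected.
# Assumptions: a Docker client with content trust support, a repository
# you control (REPO is a placeholder), and network access to the registry
# and its Notary server.

REPO="${REPO:-docker.io/example-user/dct-demo}"   # placeholder, not a real repo
# Classify a pull outcome from the docker exit status, the trust setting
# and the captured stderr. Kept free of docker calls so it can be checked
# offline. Matching on "trust data" assumes the client's error wording
# when Notary has no signed metadata for the tag or repository.
classify_pull() {
  status="$1"; trust="$2"; err="$3"
  if [ "$status" -eq 0 ]; then
    if [ "$trust" = "1" ]; then echo "pulled-signature-verified"
    else echo "pulled-unverified"; fi
  elif printf '%s' "$err" | grep -qi "trust data"; then
    echo "rejected-no-trust-data"
  else
    echo "pull-error"
  fi
}

# Pull IMAGE ($1) with DOCKER_CONTENT_TRUST=$2 (0 or 1), capturing only stderr.
dct_pull() {
  err=$(DOCKER_CONTENT_TRUST="$2" docker pull "$1" 2>&1 >/dev/null)
  classify_pull "$?" "$2" "$err"
}

# Tag one base image twice, push one tag signed and one unsigned, then pull
# each tag with trust off and on. Only unsigned + trust=1 should be rejected.
demo() {
  docker pull alpine:3 >/dev/null
  docker tag alpine:3 "$REPO:signed"
  docker tag alpine:3 "$REPO:unsigned"
  DOCKER_CONTENT_TRUST=1 docker push "$REPO:signed"    # prompts for key passphrases
  DOCKER_CONTENT_TRUST=0 docker push "$REPO:unsigned"
  for tag in signed unsigned; do
    docker rmi "$REPO:$tag" >/dev/null 2>&1
    for t in 0 1; do
      printf 'push=%-8s pull-trust=%s -> %s\n' "$tag" "$t" "$(dct_pull "$REPO:$tag" "$t")"
    done
  done
}

if [ "${RUN_DEMO:-0}" = "1" ]; then demo; fi
```

Run with RUN_DEMO=1 and REPO set to a repository you own; the signed tag pulls under both settings, the unsigned tag pulls only with trust off.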