Docker Installation Info:
```
Client: Docker Engine - Community
 Version:           20.10.3
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        48d30b5
 Built:             Fri Jan 29 14:33:13 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.3
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       46229ca
  Built:            Fri Jan 29 14:31:25 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
I am currently using the dockerfile-maven-plugin to build Docker images for my project. However, we have an additional requirement to use Docker Content Trust (DCT). I noticed that after setting the DOCKER_CONTENT_TRUST variable to 1, it still wasn’t failing to pull an image I knew to be unsigned.
The maven plugin interfaces directly with the Docker Engine API, calling the Create Image endpoint. I was assuming that the Docker Engine itself performs the “trust” steps, but that does appear to be the case.
I was wondering if there are any plans to add DCT logic to the Engine itself rather than only in the CLI commands?
Here are steps to repeat what I’m seeing:
```
export DOCKER_CONTENT_TRUST=1

# This will fail since it's not a signed image
docker pull curlimages/curl:7.73.0

# This is a similar client call that docker pull performs under the hood, but it pulls the image successfully
curl --unix-socket /var/run/docker.sock -X POST "http://localhost/v1.41/images/create?fromImage=curlimages/curl:7.73.0"
```
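One way for an API client to enforce trust itself, given that the Create Image call above does not: resolve the tag to its signed digest and request that digest instead of the tag. This is an added example, not code from the original post or from Docker. It assumes the JSON shape printed by `docker trust inspect`; the function names, the `registry.example/app` repository and the digest are constructed for illustration.

```python
import json
import re
import subprocess
from urllib.parse import urlencode

# Constructed sample in the JSON shape printed by `docker trust inspect`;
# the repository name and digest are made up for this example.
SAMPLE_TRUST_JSON = json.dumps([{
    "Name": "registry.example/app:1.0",
    "SignedTags": [{"SignedTag": "1.0", "Digest": "ab" * 32, "Signers": ["ci"]}],
    "Signers": [], "AdministrativeKeys": [],
}])

class UntrustedImage(Exception):
    """Raised when no signed digest exists for the requested tag."""

def signed_digest(trust_json: str, tag: str) -> str:
    """Return the sha256 hex digest that the trust data binds to `tag`."""
    for entry in json.loads(trust_json) or []:
        for signed in entry.get("SignedTags", []):
            digest = signed.get("Digest", "")
            if signed.get("SignedTag") == tag and re.fullmatch(r"[0-9a-f]{64}", digest):
                return digest
    raise UntrustedImage(f"no signed digest for tag {tag!r}")

def pinned_create_path(repo: str, tag: str, trust_json: str, api: str = "v1.41") -> str:
    """Build a Create Image request path pinned to the signed digest, not the tag."""
    query = urlencode({"fromImage": repo, "tag": "sha256:" + signed_digest(trust_json, tag)})
    return f"/{api}/images/create?{query}"

def inspect_trust(image: str) -> str:
    """Fetch trust data through the docker CLI; any failure counts as untrusted."""
    proc = subprocess.run(["docker", "trust", "inspect", image],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise UntrustedImage(proc.stderr.strip() or image)
    return proc.stdout

if __name__ == "__main__":
    # Offline demonstration on the constructed sample above.
    print(pinned_create_path("registry.example/app", "1.0", SAMPLE_TRUST_JSON))
```

Pulling by digest means the Engine fetches exactly the content the signature covers, even if the tag is later repointed in the registry.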