Docker Community Forums

Share and learn in the Docker community.

Docker Content Trust Only Works From CLI not Engine API

Hi,

Docker Installation Info:

Client: Docker Engine - Community
 Version:           20.10.3
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        48d30b5
 Built:             Fri Jan 29 14:33:13 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.3
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       46229ca
  Built:            Fri Jan 29 14:31:25 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

I am currently using the dockerfile-maven-plugin to build docker images for my project. However we have an additional requirement to use Docker Content Trust (DCT). I noticed that after setting the DOCKER_CONTENT_TRUST variable to 1, it still wasn’t failing to pull image I knew to be unsigned.

The maven plugin interfaces directly with the Docker Engine API, calling the Create Image endpoint. I was assuming that the Docker Engine itself performs the “trust” steps, but that does appear to be the case.

I was wondering if there are any plans to add DCT logic to the Engine itself rather than only in the cli commands?

Here are steps to repeat what I’m seeing:

export DOCKER_CONTENT_TRUST=1
docker pull curlimages/curl:7.73.0  #This will fail since it's not a signed image
curl --unix-socket /var/run/docker.sock   -X POST "http://localhost/v1.41/images/create?fromImage=curlimages/curl:7.73.0"  #this is a similar client call that docker pull performs under the hood, but it pulls image successfully