Hi,
Docker Installation Info:
Client: Docker Engine - Community
Version: 20.10.3
API version: 1.41
Go version: go1.13.15
Git commit: 48d30b5
Built: Fri Jan 29 14:33:13 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.3
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 46229ca
Built: Fri Jan 29 14:31:25 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.3
GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.19.0
GitCommit: de40ad0
I am currently using the dockerfile-maven-plugin to build docker images for my project. However, we have an additional requirement to use Docker Content Trust (DCT). I noticed that after setting the DOCKER_CONTENT_TRUST variable to 1, it still wasn’t failing to pull an image I knew to be unsigned.
The maven plugin interfaces directly with the Docker Engine API, calling the Create Image endpoint. I was assuming that the Docker Engine itself performs the “trust” steps, but that does appear to be the case.
I was wondering if there are any plans to add DCT logic to the Engine itself rather than only in the cli commands?
Here are steps to repeat what I’m seeing:
export DOCKER_CONTENT_TRUST=1
docker pull curlimages/curl:7.73.0 #This will fail since it's not a signed image
curl --unix-socket /var/run/docker.sock -X POST "http://localhost/v1.41/images/create?fromImage=curlimages/curl:7.73.0" #this is a similar client call that docker pull performs under the hood, but it pulls image successfully
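
Added example, not part of the original post and not Docker's own code: one way an Engine API client can do the trust step itself is to read the JSON printed by `docker trust inspect`, resolve the tag to its signed digest, and request the pull by that digest instead of by tag. The function names, sample repository and digest below are constructed for illustration, and the field names assume the CLI's `docker trust inspect` JSON shape.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample shaped like the JSON from `docker trust inspect <repo>:<tag>`.
# The repository name and digest are placeholders, not a real image.
SAMPLE_TRUST_JSON = json.dumps([{
    "Name": "example.test/team/app:1.0",
    "SignedTags": [
        {"SignedTag": "1.0", "Digest": "ab" * 32, "Signers": ["alice"]},
    ],
}])

_HEX256 = re.compile(r"[0-9a-f]{64}")


class UnsignedImageError(Exception):
    """Raised when no usable signed digest exists for the requested tag."""


def signed_digest(trust_json, tag):
    """Return 'sha256:<hex>' for a signed tag, or raise UnsignedImageError."""
    try:
        entries = json.loads(trust_json)
    except json.JSONDecodeError as exc:
        raise UnsignedImageError("no trust data returned") from exc
    if not isinstance(entries, list):
        raise UnsignedImageError("unexpected trust data shape")
    for entry in entries:
        for signed in (entry.get("SignedTags") or []):
            # Require a matching tag, at least one signer, and a well-formed digest.
            if signed.get("SignedTag") == tag and signed.get("Signers"):
                digest = signed.get("Digest", "")
                if _HEX256.fullmatch(digest):
                    return "sha256:" + digest
    raise UnsignedImageError(f"tag {tag!r} has no signed digest")


def pinned_create_path(repo, tag, trust_json, api="v1.41"):
    """Build the Create Image request path pinned to the signed digest.

    Fails closed: raises before any pull request is built if the tag is unsigned.
    The Engine API 'tag' parameter accepts a tag or a digest.
    """
    digest = signed_digest(trust_json, tag)
    return f"/{api}/images/create?" + urlencode({"fromImage": repo, "tag": digest})


if __name__ == "__main__":
    print(pinned_create_path("example.test/team/app", "1.0", SAMPLE_TRUST_JSON))
```

The returned path is what a client would POST to the Docker socket in place of the tag-based URL; pulling by digest means the Engine fetches exactly the content the signature covers.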