Docker Community Forums

Share and learn in the Docker community.

Docker Content trust

(Nitishs) #1

Hi Guys,

I have few doubts regarding docker content trust. Please someone answer the following:

  1. Where is the location of the all the keys on the client side ?
    2.If a signed image needs to be pulled across 10-100 machines, then do I need to copy the repository keys on all machines or anything else needs to be done.

  2. Is docker content trust available for private repositories now ?

  3. Is it good to have a public repository to use Docker Content trust for my startup project ?

  4. Can anyone share an example of how signed docker images can be pulled across different machines ?

Appreciate the responses.

(Nitishs) #2

Hello Guys!

Any help would be appreciated. Thanks.

(Jeff Anderson) #3
  1. ~/.docker/trust holds your keys.
    1.2. content trust is determined by the docker client. if I set DOCKER_CONTENT_TRUST=1 anywhere I do pulls, then it will pretty much always just pull the appropriate content without any additional user intervention. It’s really just the push that has the passphrase typing step.
  2. You can sign your private repositories. The Docker Hub allows you to sign content for anything that you can get a token for. The major gap at the moment isn’t public vs private, but automated builds. Since you don’t push automated builds, you can’t generate the trust data for them (yet)
  3. You can sign any image that you want. Having a signed image allows your users to authenticate the origin of your content. If it is appropriate to make your repository public, then make it public. Otherwise, make it private if you don’t want the public to be able to access it.
  4. machine1: DOCKER_CONTENT_TRUST=1 docker pull ubuntu:14.04, machine2: DOCKER_CONTENT_TRUST=1 docker pull ubuntu:14.04. essentially you just turn on content trust and pull.

During pull with content trust enabled, docker connects to the notary service and asks for the public key that is associated with the image you are trying to pull. This is a trust on first use model that is similar to what you see the first time you connect to an ssh server. Since notary itself is serving up those public keys over https, it will automatically mark that public key as trusted (instead of making the user type yes like with ssh). At that point, that key will be used to verify signatures for that repository going forward.

Hopefully this helps!


(Nitishs) #4

Thanks Jeff . It helped a lot.

One more question is that ,is it possible to use content trust for images in private registries that are there on some server other than the docker hub ? I mean to say about the images on private registries ?

(Jeff Anderson) #5

It is possible to run notary alongside a private registry. I haven’t found a good guide on doing this with the open source registry, but the latest major release of Docker Trusted Registry (1.4.x) has experimental support for notary integration and it works.

Basically the Docker engine will look under /v2/namespace/repo/_trust/tuf/ to try to contact notary.

I expect that guides and documentation detailing how this can be done will start popping up at some point in the very near future.


(Nitishs) #6

Thanks Jeff for the information.You are awesome :).