Docker Community Forums

How to sign an image?

I am attempting to sign a docker image with Azure Container Registry. I am running into trouble with actually using the certificates. My truncated certificate, downloaded with private key, looks like this:

-----BEGIN CERTIFICATE-----
MIIGzaaaaaaaawgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
…+aa==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIaaaaaaUGIJmjoleit1YSaaaEImrKNxE8W
i1+…7Rq
-----END RSA PRIVATE KEY-----

When I try to use it I run into a few errors that don’t make sense to me.
docker trust key load .\qa-wildcard-mccloudplatform.pem --name ralph.compton
error message:

key name “ralph.compton” must start with lowercase alphanumeric characters and can include “-” or “_” after the first character

docker trust key load .\qa-wildcard-mccloudplatform.pem --name ralph
error message:

Loading key from “.\qa-wildcard-mccloudplatform.pem”…
error importing key from .\qa-wildcard-mccloudplatform.pem: provided file .\qa-wildcard-mccloudplatform.pem is not a supported private key - to add a signer’s public key use docker trust signer add

I copied just the private portion without the header and footer into a file named qa-wildcard-mccloudplatform-private.pem and tried with the following line:
docker trust key load .\qa-wildcard-mccloudplatform-private.pem --name ralph
error message:

Loading key from “.\qa-wildcard-mccloudplatform-private.pem”…
error importing key from .\qa-wildcard-mccloudplatform-private.pem: provided file .\qa-wildcard-mccloudplatform-private.pem is not a supported private key - to add a signer’s public key use docker trust signer add

I think the problem is that I don’t know what a key is even supposed to look like. I have tried certificates in PFX and PEM format. None of them seem to work. The documentation assumes a lot of knowledge about this topic.
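A way to see what a PEM file contains before handing it to a key loader, as an added example that is not part of the original post and is not Docker's own code. It assumes the loader accepts only a file whose first PEM block carries a private-key label, which is consistent with both failures above (a certificate placed first, and base64 with the BEGIN/END lines removed); the label set, function names and sample bodies are constructed for illustration.

```python
import re

# Assumption (not stated on the page): only these PEM labels count as private keys.
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every PEM block in the file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def diagnose(text):
    """Classify a file by its PEM structure only; key bytes are never decoded."""
    labels = pem_labels(text)
    if not labels:
        return "no PEM armor: BEGIN/END lines are missing"
    if labels[0] not in PRIVATE_KEY_LABELS:
        return f"first block is {labels[0]}, not a private key"
    if len(labels) > 1:
        return "private key first, but extra blocks follow"
    return "single private key block"

def split_private_key(text):
    """Return only the private-key blocks, armor included, for a separate file."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)
            if m.group(1) in PRIVATE_KEY_LABELS]

# Constructed samples; the bodies are dummy text, not real certificates or keys.
CERT_THEN_KEY = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nBBBB\n-----END RSA PRIVATE KEY-----\n")
BARE_BASE64 = "BBBB\n"
KEY_ONLY = "-----BEGIN RSA PRIVATE KEY-----\nBBBB\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("combined file", CERT_THEN_KEY),
                         ("header and footer removed", BARE_BASE64),
                         ("key block only", KEY_ONLY)]:
        print(f"{name}: {diagnose(sample)}")
```
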

Docker provides packages that easily configure Docker on any macOS, Windows, or Linux system.

  1. Log in to a registry. …
  2. Pull the official Nginx image. …
  3. Run the container locally. …
  4. Create an alias of the image. …
  5. Push the image to your registry. …
  6. Pull the image from your registry. …
  7. Start the Nginx container. …
  8. Remove the image (optional)

What I am trying to do is sign a docker image which I have built. Documentation on image signing starts here, Docker Content Trust, but is incomplete.