Recently I read this interesting blog article about Docker image signature with Docker Trusted Registry: https://blog.docker.com/2016/11/image-signing-policy-docker-datacenter/
As far as I can understand, Docker EE can be configured to allow images that match all the signatures of several given teams. E.g. 1 first signature at image build, plus 1 signature after QA tests.
Indeed, this can be configured in the Docker Content Trust admin UI.
However, what is unclear to me is: how can a single Docker image tag hold several signatures? I could not see any practical example about this use case.
I only saw people dealing with docker push at every step of the CI/CD pipeline, but each time on a different tag (e.g.
But like this, at the end, no tag is able to match all the criteria configured in Docker Content Trust!
I tried with multiple docker push applied on the same tag, then I experimented with some delegation with notary, but it did not seem to succeed.
How is it possible to do this with