[Resolved] Multiple signatures on single image tag during CI/CD workflow?

Recently I read this interesting blog article about Docker image signature with Docker Trusted Registry:

As far as I can understand, Docker EE can be configured to allow images that match all the signatures of several given teams. E.g. 1 first signature at image build, plus 1 signature after QA tests.

Indeed, this can be configured in the Docker Content Trust admin UI.

However, what is unclear to me is: how can a single Docker image tag hold several signatures? I could not see any practical example about this use case.
I only saw people dealing with docker push at every step of the CI/CD pipeline, but each time on a different tag (e.g. myrepo/project1:build, then myrepo/project1:qa).
But like this, at the end, no tag is able to match all the criteria configured in Docker Content Trust!

I tried multiple docker push runs on the same tag, then I experimented with some delegation in notary, but it did not seem to succeed.

How is it possible to do this with docker and/or notary?


This is a self-reply after I experimented with the help of Docker people.

Actually, starting with Docker EE 2.1, it is possible to sign an image without pull/push by using new docker trust commands.
It may have been possible with earlier versions of Docker EE too, but with much more effort. I did not try this “old method”.
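
The policy described in the question (a tag is acceptable only when every required team has signed it) can be checked from the JSON that `docker trust inspect` prints. The following is an added example, not code from the original post or from Docker; the signer names `build` and `qa`, the repository data and the digests are constructed, and the JSON field names are assumed to match the `docker trust inspect` output format.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `docker trust inspect <repo>` JSON output.
# Repository, signer names, key IDs and digests are made up for illustration.
SAMPLE_INSPECT = json.dumps([{
    "Name": "myrepo/project1",
    "SignedTags": [
        {"SignedTag": "1.0", "Digest": "aa" * 32, "Signers": ["build", "qa"]},
        {"SignedTag": "1.1", "Digest": "bb" * 32, "Signers": ["build"]},
    ],
    "Signers": [{"Name": "build", "Keys": [{"ID": "k1"}]},
                {"Name": "qa", "Keys": [{"ID": "k2"}]}],
}])


def signers_by_digest(inspect_json, tag):
    """Map digest -> set of signer names that signed `tag` at that digest."""
    found = defaultdict(set)
    for repo in json.loads(inspect_json):
        for entry in repo.get("SignedTags") or []:
            if entry.get("SignedTag") == tag:
                found[entry["Digest"]].update(entry.get("Signers") or [])
    return dict(found)


def missing_signers(inspect_json, tag, required):
    """Return the required signers that have not signed `tag`.

    All required signatures must cover the same digest; if the tag is
    unsigned, every required signer is reported missing.
    """
    required = set(required)
    by_digest = signers_by_digest(inspect_json, tag)
    if not by_digest:
        return required
    # Best candidate digest: the one lacking the fewest required signers.
    return min((required - s for s in by_digest.values()), key=len)


if __name__ == "__main__":
    for tag in ("1.0", "1.1", "2.0"):
        gap = missing_signers(SAMPLE_INSPECT, tag, {"build", "qa"})
        print(tag, "OK" if not gap else f"missing: {sorted(gap)}")
```

Grouping by digest means a tag where `build` and `qa` signed different image contents is still reported as incomplete, which is the case a gate before deployment needs to catch.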