Shriraj Shakunt
Docker Content Trust (DCT)

Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.

Prerequisites

  • Latest Docker Desktop
  • Docker Hub account
  • A Docker container image

Documentation

Refer to the DCT documentation here.

Deployment

Make a Docker Hub repository for your images

  • Go to Docker Hub and sign in with your Docker Hub account.
  • Click on Create repository and name it "test".
  • It should look something like this.

(Image: docker create repo)

Log in from your CLI with

docker login

  • Enter your credentials and you are ready to go.

To sign a Docker image, we first have to generate a key.

To generate a key, run this command in your CLI:

docker trust key generate signature

  • "signature" is the name you give to the key; its public half is saved in your working directory as signature.pub.
  • After running this command you will be asked to enter and repeat a passphrase.

To create a signer and add it to your repository, run

docker trust signer add --key signature.pub [signer's name] [your repository's name]

  • The repository name will look like example/test.
  • You have to enter and repeat a passphrase for the root key and for the repository key.

Signing and pushing images to the repository

  • First, let's commit our running container as an image.

docker commit [Container ID] [Repository Name]

  • You can find the container ID with

docker ps

  • Let's push an unsigned image for reference. First tag the image as unsigned-image:

docker image tag [Image ID] [Repository Name]:unsigned-image

  • Now push the image with

docker push [Repository Name]:unsigned-image

  • Now let's tag and sign the same image. Tag the image with

docker image tag [Image ID] [Repository Name]:signed-image

Sign the image with

docker trust sign [Repository Name]:signed-image

  • You have to enter the passphrase again.

For further information about the signed image, run

docker trust inspect --pretty [Repository Name]:signed-image

Push the signed image with

docker push [Repository Name]:signed-image

The push refers to repository [docker.io/shakunt/test]
059ff50d778b: Layer already exists
c4e64d78638e: Layer already exists
5f70bf18a086: Layer already exists
0cd0f4e90e0c: Layer already exists
e4a7f8c5002b: Layer already exists
7cc0623bd7a8: Layer already exists
f1859b30ca6b: Layer already exists
6a35d52a66fd: Layer already exists
fbd7d5451c69: Layer already exists
4fc242d58285: Layer already exists
trust-image-signed: digest: sha256:f6274d55e7ae079737180c7cb5----7387fb6a87297ef486edbc1bb16f4d0 size: 2409

Setting up trust environment and pulling the signed and unsigned images

To set up the trust environment, run

export DOCKER_CONTENT_TRUST=1

Let's pull the images

  • Unsigned image

docker pull [Repository Name]:unsigned-image
No valid trust data for unsigned-image

  • Signed image

docker pull [Repository Name]:signed-image
Pull (1 of 1): shakunt/test:signed-image@sha256:f6274d55e7ae079737180c7cb5b02f386edbc1bb16f4d0
docker.io/shakunt/test@sha256:f6274d55e7ae079737180c7cb5b02f3767387fb6a87bb16f4d0: Pulling from shakunt/test
Digest: sha256:f6274d55e7ae079737180c77fb6a87297ef486edbc1bb16f4d0
Status: Image is up to date for shakunt/test@sha256:f6274d551bb16f4d0
Tagging shakunt/test@sha256:f6274d55e7ae079732f3767387fb6a87297ef486edbc1bb16f4d0 as shakunt/test:signed-image
docker.io/shakunt/test:signed-image

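The signing steps above and the trust check in this section, collected into a small POSIX shell helper. This is an added example, not the author's script. `dct_release` tags an image and signs it; `docker trust sign` pushes the image and publishes the signature in one step, which is why every layer reported "Layer already exists" in the separate `docker push` shown earlier. `dct_audit` compares the digest recorded in the repository's trust data with the digest the local daemon recorded for the same tag, which is useful on hosts where DOCKER_CONTENT_TRUST may not have been set when the image was pulled. The function names, the `shakunt/test` reference reused from the page, and the column layout assumed for `docker trust inspect --pretty` (SIGNED TAG, DIGEST, SIGNERS) are assumptions of this example.

```shell
#!/bin/sh
# dct_tools.sh: small helpers around "docker trust" for the workflow on this page.
# Added example, not the author's code. Assumes the docker CLI is on PATH and that
# "docker trust inspect --pretty" prints a table with the columns
# SIGNED TAG, DIGEST, SIGNERS (the DIGEST column is the bare sha256 hex).

# trusted_digest REPO TAG
# Prints the sha256 hex digest that the repository's trust data records for TAG.
# Returns 1 when the tag has no trust data (unsigned tag or unsigned repository).
trusted_digest() {
    td_out=$(docker trust inspect --pretty "$1:$2" 2>/dev/null) || return 1
    td_digest=$(printf '%s\n' "$td_out" | awk -v tag="$2" '
        # A table row starts with the tag name; its second field is the digest.
        $1 == tag && length($2) == 64 && $2 ~ /^[0-9a-f]+$/ { print $2; exit }')
    [ -n "$td_digest" ] || return 1
    printf '%s\n' "$td_digest"
}

# local_digest REPO TAG
# Prints the sha256 hex digest the local daemon recorded for REPO:TAG when the
# image was pulled (its RepoDigests entry for REPO). Returns 1 when the image is
# not present locally or was never pulled from REPO.
local_digest() {
    ld_repo=${1#docker.io/}
    ld_list=$(docker image inspect --format '{{join .RepoDigests " "}}' "$1:$2" 2>/dev/null) || return 1
    for ld_entry in $ld_list; do
        case $ld_entry in
            *"$ld_repo@sha256:"*) printf '%s\n' "${ld_entry#*@sha256:}"; return 0 ;;
        esac
    done
    return 1
}

# dct_audit REPO TAG
# Checks that the image the local daemon holds under REPO:TAG is the one the
# signer published: the digest from the trust data must equal the digest the
# daemon recorded at pull time. Worth running on hosts where
# DOCKER_CONTENT_TRUST may not have been set when the image was pulled.
# Prints OK, UNSIGNED, NOT_LOCAL or MISMATCH and returns 0 only for OK.
dct_audit() {
    da_trusted=$(trusted_digest "$1" "$2") || { echo UNSIGNED; return 1; }
    da_local=$(local_digest "$1" "$2") || { echo NOT_LOCAL; return 1; }
    if [ "$da_trusted" = "$da_local" ]; then
        echo OK
        return 0
    fi
    echo MISMATCH
    return 1
}

# dct_release REPO TAG SOURCE_IMAGE
# Tags SOURCE_IMAGE (an image ID or an existing name) as REPO:TAG and signs it.
# "docker trust sign" pushes the image and publishes the signature in one step,
# so no separate "docker push" is needed. Afterwards the tag is read back from
# the trust data and its signed digest is printed, so a release job can fail if
# the signature did not land.
dct_release() {
    docker image tag "$3" "$1:$2" || return 1
    docker trust sign "$1:$2" || return 1
    trusted_digest "$1" "$2"
}

# Usage as a script (the functions can also be sourced into another script):
#   sh dct_tools.sh release shakunt/test signed-image <image id>
#   sh dct_tools.sh audit shakunt/test signed-image
main() {
    case $1 in
        release) dct_release "$2" "$3" "$4" ;;
        audit)   dct_audit "$2" "$3" ;;
        *) echo "usage: $0 release REPO TAG SOURCE_IMAGE | audit REPO TAG" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Both functions read only the public trust data, so `dct_audit` needs no signer key or passphrase and can run on any machine that can reach the registry; `dct_release` prompts for the repository passphrase exactly as the manual `docker trust sign` step does.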
Thank you, I hope this post helped you!
