May 21, 2022 08:23 am GMT

Docker Content Trust (DCT)

Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.

Prerequisites

  • Latest Docker Desktop
  • Docker Hub account
  • Docker container image

Documentation

Refer to the DCT documentation.

Deployment

Make a docker repository for your images

  • Go to Docker Hub and sign in with your docker hub account
  • Click on Create repository and name it "test"
  • It should look something like this.

[Screenshot: docker create repo]

Log in to Docker from your CLI with

docker login
  • Enter your credentials and you are ready to go.

To sign a Docker image, we first have to generate a key.

To generate a key run this command in your CLI

  docker trust key generate signature
  • Here "signature" is the name you give to your key; the public key is saved in your working directory with the .pub extension (signature.pub)
  • After running this command you will be asked to enter and repeat a passphrase.

To make a signer and add it to your repository run this command

docker trust signer add --key signature.pub [signer's name] [your repository's name]
  • The repository name will be something like this --> example/test
  • You have to enter and repeat a passphrase for the root key and for the repository key.

Signing and Pushing images to the repository

  • First let's commit our container as an image.
docker commit [Container ID] [Repository Name]
  • You can find the container ID from
docker ps
  • docker commit prints the ID of the new image; that is the [Image ID] used in the commands below.
  • Let's push an unsigned image for reference. First tag the image as unsigned-image
docker image tag [Image ID] [Repository Name]:unsigned-image
  • Now push the image with
docker push [Repository Name]:unsigned-image
  • Now tag and sign the same image. Tag the image with
docker image tag [Image ID] [Repository Name]:signed-image

Sign the image with

docker trust sign [Repository Name]:signed-image
  • You have to enter the passphrase again

For further information about the signed image, run

docker trust inspect --pretty [Repository Name]:signed-image

Push the signed image with

docker push [Repository Name]:signed-image
The push refers to repository [docker.io/shakunt/test]
059ff50d778b: Layer already exists
c4e64d78638e: Layer already exists
5f70bf18a086: Layer already exists
0cd0f4e90e0c: Layer already exists
e4a7f8c5002b: Layer already exists
7cc0623bd7a8: Layer already exists
f1859b30ca6b: Layer already exists
6a35d52a66fd: Layer already exists
fbd7d5451c69: Layer already exists
4fc242d58285: Layer already exists
trust-image-signed: digest: sha256:f6274d55e7ae079737180c7cb5----7387fb6a87297ef486edbc1bb16f4d0 size: 2409

Setting up trust environment and pulling the signed and unsigned images

To set up the trust environment run

export DOCKER_CONTENT_TRUST=1

Let's pull the images

  • unsigned image
docker pull [Repository Name]:unsigned-image
No valid trust data for unsigned-image
  • Signed image
docker pull [Repository Name]:signed-image
Pull (1 of 1): shakunt/test:signed-image@sha256:f6274d55e7ae079737180c7cb5b02f386edbc1bb16f4d0
docker.io/shakunt/test@sha256:f6274d55e7ae079737180c7cb5b02f3767387fb6a87bb16f4d0: Pulling from shakunt/test
Digest: sha256:f6274d55e7ae079737180c77fb6a87297ef486edbc1bb16f4d0
Status: Image is up to date for shakunt/test@sha256:f6274d551bb16f4d0
Tagging shakunt/test@sha256:f6274d55e7ae079732f3767387fb6a87297ef486edbc1bb16f4d0 as shakunt/test:signed-image
docker.io/shakunt/test:signed-image
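
A deployment gate built on the docker trust inspect step above, as an added example that is not part of the original post: it reads the JSON that docker trust inspect prints without --pretty, requires that the tag was signed by a named signer, and returns the digest to pull by. The sample JSON, the signer name alice, the digests and both function names are constructed for illustration, and the field names follow the CLI's JSON output as an assumption.

```python
import json

# Constructed sample shaped like `docker trust inspect example/test:<tag>`
# output (no --pretty). Digests, key IDs and the signer "alice" are made up.
SIGNED = json.dumps([{
    "Name": "example/test:signed-image",
    "SignedTags": [{"SignedTag": "signed-image", "Digest": "ab" * 32,
                    "Signers": ["alice"]}],
    "Signers": [{"Name": "alice", "Keys": [{"ID": "11" * 32}]}],
    "AdministrativeKeys": [{"Name": "Root", "Keys": [{"ID": "22" * 32}]},
                           {"Name": "Repository", "Keys": [{"ID": "33" * 32}]}],
}])
# A tag pushed without signing into a repository that already has trust data:
# the repository's signers are still listed, but the tag has no signed entry.
UNSIGNED = json.dumps([{
    "Name": "example/test:unsigned-image",
    "Signers": [{"Name": "alice", "Keys": [{"ID": "11" * 32}]}],
    "AdministrativeKeys": [],
}])


class TrustError(Exception):
    """Raised when the tag is not signed by the required signer."""


def signed_digest(inspect_json, tag, required_signer):
    """Return the sha256 digest signed for `tag`, or raise TrustError."""
    try:
        repos = json.loads(inspect_json)
    except json.JSONDecodeError as exc:
        raise TrustError(f"not JSON trust data: {exc}") from exc
    for repo in (repos if isinstance(repos, list) else []):
        for entry in repo.get("SignedTags") or []:
            if entry.get("SignedTag") != tag:
                continue
            # Check who signed this tag, not who may sign in the repository.
            if required_signer not in (entry.get("Signers") or []):
                raise TrustError(f"{tag} is not signed by {required_signer}")
            return "sha256:" + entry["Digest"]
    raise TrustError(f"no signature for tag {tag}")


def pinned_reference(repo_name, inspect_json, tag, required_signer):
    """Build repo@sha256:... so a deploy pulls exactly the signed content."""
    return f"{repo_name}@{signed_digest(inspect_json, tag, required_signer)}"


if __name__ == "__main__":
    print(pinned_reference("example/test", SIGNED, "signed-image", "alice"))
```

The unsigned sample shows why listing a signer on the repository is not enough: the check has to find the tag itself among the signed tags.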

Thank you, hope this post helped you!



Original Link: https://dev.to/shakunt/docker-content-trust-dct-5fhp
