3rd chunk of `content/manuals/engine/security/trust/trust_sandbox.md`
        / # docker tag docker/trusttest sandboxregistry:5000/test/trusttest:latest

3. Enable content trust.

        / # export DOCKER_CONTENT_TRUST=1

4. Identify the trust server.

        / # export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443

    This step is only necessary because the sandbox uses its own Notary server.
    If you are using Docker Hub, you can skip it.

5. Pull the test image.

        / # docker pull sandboxregistry:5000/test/trusttest
        Using default tag: latest
        Error: remote trust data does not exist for sandboxregistry:5000/test/trusttest: notaryserver:4443 does not have trust data for sandboxregistry:5000/test/trusttest

    You see an error because the `notaryserver` has no trust data for this repository yet.

6. Push and sign the trusted image.

        / # docker push sandboxregistry:5000/test/trusttest:latest
        The push refers to a repository [sandboxregistry:5000/test/trusttest]
        5f70bf18a086: Pushed
        c22f7bc058a9: Pushed
        latest: digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 size: 734
        Signing and pushing trust metadata
        You are about to create a new root signing key passphrase. This passphrase
        will be used to protect the most sensitive key in your signing system. Please
        choose a long, complex passphrase and be careful to keep the password and the
        key file itself secure and backed up. It is highly recommended that you use a
        password manager to generate the passphrase and keep it safe. There will be no
        way to recover this key. You can find the key in your config directory.
        Enter passphrase for new root key with ID 27ec255:
        Repeat passphrase for new root key with ID 27ec255:
        Enter passphrase for new repository key with ID 58233f9 (sandboxregistry:5000/test/trusttest):
        Repeat passphrase for new repository key with ID 58233f9 (sandboxregistry:5000/test/trusttest):
        Finished initializing "sandboxregistry:5000/test/trusttest"
        Successfully signed "sandboxregistry:5000/test/trusttest":latest

    Because you are pushing this repository for the first time, Docker creates
    new root and repository keys and asks you for passphrases with which to
    encrypt them. If you push again after this, it only asks you for the
    repository passphrase so it can decrypt that key and sign again.

7. Try pulling the image you just pushed:

        / # docker pull sandboxregistry:5000/test/trusttest
        Using default tag: latest
        Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
        sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926: Pulling from test/trusttest
        Digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
        Status: Downloaded newer image for sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
        Tagging sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 as sandboxregistry:5000/test/trusttest:latest
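    The pull in step 7 resolves the `latest` tag to a signed digest. The script
    below is an added example (not from the Docker docs) that wraps steps 3 to 7
    into a check a practitioner would actually keep: it pulls with content trust
    enabled and fails unless the digest the trusted pull resolved to matches a
    digest pinned when the image was signed and pushed. The registry and
    Notary server names are the sandbox's; the pinned digest is the one shown
    in the push output above, and the sample output embedded in the script is
    constructed from step 7 so the parsing functions can be exercised without a
    running daemon.

```shell
#!/bin/sh
# Added example: verify that a content-trust pull resolves a tag to a pinned
# digest. Assumes the sandbox from the walkthrough (sandboxregistry:5000,
# https://notaryserver:4443); the digest below is the one reported at push time.
PINNED_DIGEST="sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926"

# Constructed sample of the step 7 pull output, used only for offline checks.
SAMPLE_PULL_OUTPUT='Using default tag: latest
Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
Digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
Status: Downloaded newer image for sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926'

# Constructed sample of the step 5 failure (no trust data, so no Digest line).
SAMPLE_ERROR_OUTPUT='Using default tag: latest
Error: remote trust data does not exist for sandboxregistry:5000/test/trusttest: notaryserver:4443 does not have trust data for sandboxregistry:5000/test/trusttest'

# Print the sha256 digest from the "Digest:" line of docker pull output,
# or nothing if the pull never reported one.
digest_from_pull_output() {
    # $1: captured docker pull output (stdout and stderr)
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' \
        | head -n 1
}

# Succeed (exit 0) only when a non-empty actual digest equals the pinned one.
digest_matches() {
    # $1: actual digest, $2: pinned digest
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Pull with content trust on and refuse to proceed on a digest mismatch.
trusted_pull_and_verify() {
    # $1: image reference (e.g. sandboxregistry:5000/test/trusttest:latest)
    # $2: pinned digest to compare against
    export DOCKER_CONTENT_TRUST=1
    export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443
    out=$(docker pull "$1" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    actual=$(digest_from_pull_output "$out")
    if digest_matches "$actual" "$2"; then
        echo "OK: $1 resolved to pinned digest $actual"
    else
        echo "MISMATCH: $1 resolved to '$actual', expected $2" >&2
        return 1
    fi
}

# Usage: sh verify_pull.sh sandboxregistry:5000/test/trusttest:latest [digest]
if [ $# -gt 0 ]; then
    trusted_pull_and_verify "$1" "${2:-$PINNED_DIGEST}"
fi
```

    Pinning the digest this way catches the case content trust alone does not:
    a tag that has been legitimately re-signed to point at a different image.
    Trust verifies the signature; the pin verifies it is still the image you
    reviewed.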


### Test with malicious images

What happens when data is corrupted and you try to pull it with trust
enabled? In this section, you go into the `sandboxregistry` container and tamper
with some data. Then, you try to pull it.

1.  Leave the `trustsandbox` shell and container running.

2.  Open a new interactive terminal from your host, and obtain a shell into the
    `sandboxregistry` container.
