$ docker trust key load delegation.key --name jeff
Loading key from "delegation.key"...
Successfully imported key from delegation.key
```

## Add a delegation public key

If you initialize a repository at the same time as adding a delegation
public key, you need the local Notary Canonical Root Key's passphrase to
create the repository's trust data. If the repository has already been
initialized, you only need the repository's passphrase.

```console
# Export the Local Root Key Passphrase if required.
$ export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="rootpassphrase123"

# Export the Repository Passphrase
$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="repopassphrase123"

# Initialize Repo and Push Delegation
$ docker trust signer add --key delegation.crt jeff registry.example.com/admin/demo
Adding signer "jeff" to registry.example.com/admin/demo...
Initializing signed repository for registry.example.com/admin/demo...
Successfully initialized "registry.example.com/admin/demo"
Successfully added signer: registry.example.com/admin/demo
```

## Sign an image

Finally, when signing an image, you need to export the passphrase of the
signing key. This passphrase was created when the key was loaded into the local
Docker trust store with `docker trust key load`.

```console
$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="mypassphrase123"

$ docker trust sign registry.example.com/admin/demo:1
Signing and pushing trust data for local image registry.example.com/admin/demo:1, may overwrite remote trust data
The push refers to repository [registry.example.com/admin/demo]
428c97da766c: Layer already exists
2: digest: sha256:1a6fd470b9ce10849be79e99529a88371dff60c60aab424c077007f6979b4812 size: 524
Signing and pushing trust metadata
Successfully signed registry.example.com/admin/demo:1
```

## Build with content trust

You can also build with content trust. Before running the `docker build` command, 
you should set the environment variable `DOCKER_CONTENT_TRUST` either manually or 
in a scripted fashion. Consider the simple Dockerfile below.

```dockerfile
# syntax=docker/dockerfile:1
FROM docker/trusttest:latest
RUN echo
```

The `FROM` tag is pulling a signed image. You cannot build an image that has a
`FROM` that is not either present locally or signed. Given that content trust
data exists for the tag `latest`, the following build should succeed:

```console
$ docker build -t docker/trusttest:testing .
Using default tag: latest
latest: Pulling from docker/trusttest

b3dbab3810fc: Pull complete
a9539b34a6ab: Pull complete
Digest: sha256:d149ab53f871
```

If content trust is enabled, building from a Dockerfile that relies on a tag
without trust data causes the build command to fail:

```console
$ docker build -t docker/trusttest:testing .
unable to process Dockerfile: No trust data for notrust
```
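The two procedures above (adding a signer and signing an image, then building with content trust) are usually run from a CI job rather than typed by hand. The script below is an added example, not part of the Docker documentation or the Docker project: it wraps the same `docker trust signer add`, `docker trust sign` and `DOCKER_CONTENT_TRUST=1 docker build` commands so that passphrases are read from CI secret variables (the names `CI_DCT_ROOT_PASSPHRASE`, `CI_DCT_REPO_PASSPHRASE` and `CI_DCT_SIGNER_PASSPHRASE` are assumptions chosen here), exported only for the duration of the command that needs them, and never echoed to the job log. `DOCKER_BIN` is an assumed hook that lets a test substitute a fake `docker` command.

```shell
#!/bin/sh
# Added example (not from the Docker docs): a CI job script around the
# commands shown on this page. Passphrases come from CI secret variables
# and are exported only inside a subshell, so they disappear from the
# environment as soon as the docker command returns.
# Assumed variable names: CI_DCT_ROOT_PASSPHRASE, CI_DCT_REPO_PASSPHRASE,
# CI_DCT_SIGNER_PASSPHRASE. DOCKER_BIN is an assumed override for tests.
set -u
set +x                      # never trace commands that carry secrets
DOCKER_BIN="${DOCKER_BIN:-docker}"

# Fail closed: a missing secret aborts the job instead of letting docker
# prompt for a passphrase, which hangs a non-interactive runner.
require_var() {
    eval "_v=\${$1:-}"
    if [ -z "$_v" ]; then
        echo "error: required variable $1 is not set" >&2
        return 1
    fi
}

# Add a delegation public key (the page's "docker trust signer add").
# Root passphrase is needed only when the repository is initialized at
# the same time; exporting it unconditionally is harmless and keeps the
# job deterministic.
add_signer() {
    signer="$1"; cert="$2"; repo="$3"
    require_var CI_DCT_ROOT_PASSPHRASE || return 1
    require_var CI_DCT_REPO_PASSPHRASE || return 1
    (
        export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="$CI_DCT_ROOT_PASSPHRASE"
        export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="$CI_DCT_REPO_PASSPHRASE"
        "$DOCKER_BIN" trust signer add --key "$cert" "$signer" "$repo"
    )
}

# Sign an image with the delegation key loaded by "docker trust key load".
# As on the page, the signing key's passphrase is supplied through
# DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE.
sign_image() {
    ref="$1"
    require_var CI_DCT_SIGNER_PASSPHRASE || return 1
    (
        export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="$CI_DCT_SIGNER_PASSPHRASE"
        "$DOCKER_BIN" trust sign "$ref"
    )
}

# Build with content trust enabled: a FROM tag without trust data that is
# not already present locally makes the build fail instead of silently
# pulling unverified content.
trusted_build() {
    tag="$1"; context="$2"
    (
        export DOCKER_CONTENT_TRUST=1
        "$DOCKER_BIN" build -t "$tag" "$context"
    )
}

# Whole job: build from trusted base images, then sign and push the result.
ci_pipeline() {
    tag="$1"; context="$2"
    trusted_build "$tag" "$context" || return 1
    sign_image "$tag"
}

# Example invocation (uncomment in a real job):
# ci_pipeline registry.example.com/admin/demo:1 .
```

The subshell around each `docker` call is the point of the example: a passphrase exported at the top level of a CI script stays in the environment of every later step (including third-party actions and shell traces), whereas here it exists only while the single command that needs it is running.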

## Related information

* [Delegations for content trust](trust_delegation.md)
* [Content trust in Docker](index.md)
* [Manage keys for content trust](trust_key_mng.md)
* [Play in a content trust sandbox](trust_sandbox.md)
