1st chunk of `content/manuals/engine/security/trust/trust_automation.md`
---
description: Automating content push pulls with trust
keywords: trust, security, docker, documentation, automation
title: Automation with content trust
---

Docker Content Trust is commonly built into existing automation systems. So that
tools can wrap the Docker client and push trusted content without an interactive
prompt, the required passphrases can be passed through to the client as
environment variables.

This guide follows the steps as described in
[Signing images with Docker Content Trust](index.md#signing-images-with-docker-content-trust). Make sure you understand and follow the prerequisites.

When working directly with the Notary client, it uses its [own set of environment variables](https://github.com/theupdateframework/notary/blob/master/docs/reference/client-config.md#environment-variables-optional).

## Add a delegation private key

To automate importing a delegation private key into the local Docker trust store,
pass a passphrase for the new key through the environment. This passphrase is
required every time that delegation signs a tag.

```console
$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="mypassphrase123"

$ docker trust key load delegation.key --name jeff
Loading key from "delegation.key"...
Successfully imported key from delegation.key
```

## Add a delegation public key

If you initialize a repository at the same time as adding a delegation
public key, you need the local Notary Canonical Root Key's passphrase to
create the repository's trust data. If the repository has already been
initialized, you only need the repository passphrase.

```console
# Export the Local Root Key Passphrase if required.
$ export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="rootpassphrase123"

# Export the Repository Passphrase
$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="repopassphrase123"

# Initialize Repo and Push Delegation
$ docker trust signer add --key delegation.crt jeff registry.example.com/admin/demo
Adding signer "jeff" to registry.example.com/admin/demo...
Initializing signed repository for registry.example.com/admin/demo...
Successfully initialized "registry.example.com/admin/demo"
```

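The two steps above wrapped for a CI job, as an added example that is not part of the Docker documentation: the script refuses to run when the passphrase variables it needs are missing, reads them only from the environment, and never prints them. The `DOCKER` override, the function names and the `init`/`existing` mode switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Docker docs: a CI wrapper around the
# "docker trust" commands above. Passphrases are read only from the
# environment and never echoed. DOCKER is an assumed hook so that a
# test can substitute a stub for the real client.
DOCKER="${DOCKER:-docker}"

# Return 0 when the passphrases the job needs are set. mode is "init"
# when the repository has no trust data yet (root passphrase also
# required) or "existing" when it was initialized earlier.
dct_check_env() {
  mode="$1"
  if [ -z "${DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE:-}" ]; then
    echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE is not set" >&2
    return 1
  fi
  if [ "$mode" = init ] && [ -z "${DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE:-}" ]; then
    echo "DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE is needed to initialize" >&2
    return 1
  fi
  return 0
}

# Import the delegation private key under the given signer name.
# Usage: dct_load_key KEY_FILE SIGNER
dct_load_key() {
  dct_check_env existing || return 1
  "$DOCKER" trust key load "$1" --name "$2"
}

# Add the delegation public key to the repository (initializing its
# trust data when mode is "init"), then push the tag with trust enabled.
# Usage: dct_sign_and_push MODE CERT_FILE SIGNER REPO TAG
dct_sign_and_push() {
  mode="$1"; cert="$2"; signer="$3"; repo="$4"; tag="$5"
  dct_check_env "$mode" || return 1
  "$DOCKER" trust signer add --key "$cert" "$signer" "$repo" || return 1
  DOCKER_CONTENT_TRUST=1 "$DOCKER" push "$repo:$tag"
}

# Example run with constructed values; the passphrases come from the CI
# secret store, not from the script:
#   dct_load_key delegation.key jeff
#   dct_sign_and_push init delegation.crt jeff registry.example.com/admin/demo v1
```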