standing up a self-hosted environment can be found [here](/engine/security/trust/deploying_notary/).
To sign a Docker image you will need a delegation key pair. These keys
can be generated locally using `$ docker trust key generate` or generated
by a certificate authority.

First we will add the delegation private key to the local Docker trust
repository (by default this is stored in `~/.docker/trust/`). If you are
generating delegation keys with `$ docker trust key generate`, the private key
is automatically added to the local trust store. If you are importing a separate
key, you will need to use the `$ docker trust key load` command.
```console
$ docker trust key generate jeff
Generating key for jeff...
Enter passphrase for new jeff key with ID 9deed25:
Repeat passphrase for new jeff key with ID 9deed25:
Successfully generated and loaded private key. Corresponding public key available: /home/ubuntu/Documents/mytrustdir/jeff.pub
```
Or if you have an existing key:
```console
$ docker trust key load key.pem --name jeff
Loading key from "key.pem"...
Enter passphrase for new jeff key with ID 8ae710e:
Repeat passphrase for new jeff key with ID 8ae710e:
Successfully imported key from key.pem
```
Next we will need to add the delegation public key to the Notary server.
The key is added to one particular image repository, which Notary identifies
by its Globally Unique Name (GUN). If this is the first time you are adding a
delegation to that repository, this command will also initiate the repository,
using a local Notary canonical root key. To understand more about initiating a
repository, and the role of delegations, head to
[delegations for content trust](trust_delegation.md).
```console
$ docker trust signer add --key cert.pem jeff registry.example.com/admin/demo
Adding signer "jeff" to registry.example.com/admin/demo...
Enter passphrase for new repository key with ID 10b5e94:
```
Finally, we will use the delegation private key to sign a particular tag and
push it up to the registry.
```console
$ docker trust sign registry.example.com/admin/demo:1
Signing and pushing trust data for local image registry.example.com/admin/demo:1, may overwrite remote trust data
The push refers to repository [registry.example.com/admin/demo]
7bff100f35cb: Pushed
1: digest: sha256:3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e size: 528
Signing and pushing trust metadata
Enter passphrase for signer key with ID 8ae710e:
Successfully signed registry.example.com/admin/demo:1
```
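After signing, it is worth confirming that the tag's trust data names the digest that was pushed and the delegation that was meant to sign it. The following is an added example, not part of the original documentation: it checks JSON shaped like the output of `docker trust inspect`. The sample input is constructed, its key IDs are shortened placeholders, and `check_signature` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like the JSON printed by
# `docker trust inspect registry.example.com/admin/demo:1`.
# Key IDs are shortened placeholders; the digest is the one in the push log above.
SAMPLE = json.dumps([{
    "Name": "registry.example.com/admin/demo:1",
    "SignedTags": [{
        "SignedTag": "1",
        "Digest": "3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e",
        "Signers": ["jeff"],
    }],
    "Signers": [{"Name": "jeff", "Keys": [{"ID": "8ae710e"}]}],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "<root-key-id>"}]},
        {"Name": "Repository", "Keys": [{"ID": "10b5e94"}]},
    ],
}])


def check_signature(inspect_json, tag, pushed_digest, required_signer):
    """Return a list of problems; an empty list means the tag checks out."""
    try:
        repos = json.loads(inspect_json)
    except json.JSONDecodeError as exc:
        return [f"unparseable inspect output: {exc}"]
    if not isinstance(repos, list) or not repos:
        return ["no trust data returned"]
    repo = repos[0]
    # The push log prints "sha256:<hex>"; the trust data carries the bare hex.
    want = pushed_digest.split(":", 1)[-1].lower()
    entry = next((t for t in repo.get("SignedTags", [])
                  if t.get("SignedTag") == tag), None)
    if entry is None:
        return [f"tag {tag!r} has no signature"]
    problems = []
    if entry.get("Digest", "").lower() != want:
        problems.append(f"signed digest {entry.get('Digest')} != pushed digest {want}")
    if required_signer not in entry.get("Signers", []):
        problems.append(f"tag not signed by {required_signer!r}: {entry.get('Signers')}")
    # A signer name only carries weight if the repository lists keys for it.
    known = {s.get("Name") for s in repo.get("Signers", []) if s.get("Keys")}
    if required_signer not in known:
        problems.append(f"{required_signer!r} is not a delegation with keys on this repo")
    return problems


if __name__ == "__main__":
    digest = "sha256:3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e"
    print(check_signature(SAMPLE, "1", digest, "jeff") or "OK")
```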
Alternatively, once the keys have been imported, an image can be pushed with the
`$ docker push` command by exporting the DCT environment variable.
```console
$ export DOCKER_CONTENT_TRUST=1
$ docker push registry.example.com/admin/demo:1
The push refers to repository [registry.example.com/admin/demo:1]
7bff100f35cb: Pushed
1: digest: sha256:3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e size: 528