3rd chunk of `content/manuals/engine/security/trust/_index.md`


To the consumer who has not enabled DCT, nothing about how they work with Docker
images changes. Every image is visible regardless of whether it is signed or
not.

### Docker Content Trust Keys

Trust for an image tag is managed through the use of signing keys. A key set is
created when an operation using DCT is first invoked. A key set consists
of the following classes of keys:

- An offline key that is the root of DCT for an image tag
- Repository or tagging keys that sign tags
- Server-managed keys such as the timestamp key, which provides freshness
  security guarantees for your repository

The following image depicts the various signing keys and their relationships:


Title: DCT Keys and their Relationships
Summary
For consumers without DCT enabled, there is no difference in how they work with Docker images; all images are visible regardless of signing. DCT utilizes signing keys, creating a key set consisting of an offline root key, repository tagging keys, and server-managed timestamp keys. The offline key creates tagging keys, tagging keys allow pushing and pulling, and timestamp keys reside on the server and ensure the repository is fresh.