Docker Content Trust
Docker Content Trust (DCT) allows docker image tags to be cryptographically signed. This allows users to verify the integrity and the publisher of docker data provided by the registry. DCT is enforced at two levels: by the docker client (supported by Docker Community and Enterprise) and by the docker engine (Enterprise only).
Docker Content Trust is not directly handled by NXRM3. You can use Docker Notary in conjunction with NXRM3 to publish and manage trusted Docker content.
Docker Notary Service
Docker Notary can be obtained in binary form from the releases page on GitHub: https://github.com/theupdateframework/notary/releases. Please refer to the Docker documentation to install and configure Notary.
Client Configuration
Docker Content Trust is configured by setting the following environment variables:
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://<notary-server-hostname>
With these variables set, docker will enforce content trust and use your notary service to store trust information.
Note
The docker client requires the Notary server to present a valid HTTPS certificate. If that certificate is signed by a certificate authority the client does not already trust (a self-signed certificate, for example), place the CA certificate in $HOME/.docker/tls/<notary-server-hostname>/ca.crt
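The following pre-flight check is an added example, not part of the Nexus or Docker documentation: it validates the two environment variables above and the ca.crt location before any push or pull is attempted. It assumes the docker client resolves the certificate directory from the host part of DOCKER_CONTENT_TRUST_SERVER exactly as written in the URL (including a port, if one is given).

```shell
#!/bin/sh
# Pre-flight check for client-side Docker Content Trust settings.
# Added example; assumes the docker CLI looks for a private CA at
# $HOME/.docker/tls/<host>/ca.crt, where <host> is the host[:port] part
# of DOCKER_CONTENT_TRUST_SERVER.

# Print the ca.crt path the docker client will consult for a notary URL.
notary_ca_path() {
  url="$1"
  case "$url" in
    https://*) ;;
    *) echo "error: notary URL must start with https://, got '$url'" >&2; return 1 ;;
  esac
  host="${url#https://}"   # drop the scheme
  host="${host%%/*}"       # drop any path, keeping host[:port]
  [ -n "$host" ] || { echo "error: notary URL has no host: '$url'" >&2; return 1; }
  printf '%s/.docker/tls/%s/ca.crt\n' "$HOME" "$host"
}

# Return 0 when trust is enforced and the notary CA setup is coherent,
# 1 on any misconfiguration. Findings are written to stderr.
dct_preflight() {
  if [ "$DOCKER_CONTENT_TRUST" != "1" ]; then
    echo "error: DOCKER_CONTENT_TRUST is not 1; pulls will not be verified" >&2
    return 1
  fi
  if [ -z "$DOCKER_CONTENT_TRUST_SERVER" ]; then
    # Without an explicit server the client looks for trust data on the
    # registry host itself, and NXRM3 does not serve notary data.
    echo "error: DOCKER_CONTENT_TRUST_SERVER is unset; point it at your notary service" >&2
    return 1
  fi
  ca=$(notary_ca_path "$DOCKER_CONTENT_TRUST_SERVER") || return 1
  if [ -f "$ca" ]; then
    # Only a PEM certificate in this file adds the CA to the client's trust store.
    if ! head -n 1 "$ca" | grep -q '^-----BEGIN CERTIFICATE-----'; then
      echo "error: $ca is not a PEM certificate" >&2
      return 1
    fi
    echo "ok: trust enforced via $DOCKER_CONTENT_TRUST_SERVER, private CA at $ca"
  else
    echo "ok: trust enforced via $DOCKER_CONTENT_TRUST_SERVER; no $ca, so its certificate must chain to a system-trusted CA"
  fi
}
```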
With DCT enabled, docker images will be automatically signed on push. A sample output could look like this:
$ docker push nexus.example.com:18079/hello-world:test
The push refers to repository [nexus.example.com:18079/hello-world]
test: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524
Signing and pushing trust metadata
Pulling a docker image by tag will automatically validate the signature; a tag with no trust data is rejected, while a signed tag is pulled. For example:
$ docker pull nexus.example.com:18079/hello-world:test-unsigned
Error: remote trust data does not exist for nexus.example.com:18079/hello-world: nexus.example.com:18079 does not have trust data for nexus.example.com:18079/hello-world
$ docker pull nexus.example.com:18079/hello-world:test
test: Pulling from hello-world
Digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
Status: Image is up to date for nexus.example.com:18079/hello-world:test
nexus.example.com:18079/hello-world:test