
Docker Content Trust

Docker Content Trust (DCT) allows Docker image tags to be cryptographically signed, so that a user pulling an image can verify both its integrity and the identity of its publisher instead of trusting whatever the registry returns. DCT is enforced at two levels: by the docker client (supported by Docker Community and Enterprise) and by the docker engine (Enterprise only).

Docker Content Trust is not directly handled by Nexus Repository. You can use Docker Notary in conjunction with Nexus Repository to publish and manage trusted Docker content.

Docker Notary Service

Docker Notary can be obtained in binary form from the release page on GitHub: https://github.com/theupdateframework/notary/releases. Refer to the Docker documentation to install and configure Notary.

Client Configuration

Docker Content Trust is configured by setting the following environment variables:

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://<notary-server-hostname>

With these variables set, docker will enforce content trust and use your Notary service to store and look up trust information. The server value must be an https URL (the docker client rejects a plain http trust server), and it must include the port when Notary does not listen on 443.

Note

The docker client requires a server certificate it can validate. If the Notary server's certificate is signed by a CA the client does not already trust (a self-signed certificate, for example), place the CA certificate in $HOME/.docker/tls/<notary-server-hostname>/ca.crt. The directory name must match the host part of DOCKER_CONTENT_TRUST_SERVER, including the port when one is specified (for example notary.example.com:4443); every *.crt file in that directory is loaded as a trusted CA.

With DCT enabled, docker signs an image tag automatically on push. The first push to a repository generates the signing keys and prompts for passphrases for a new root key and a new repository key; both private keys are stored locally under $HOME/.docker/trust/private, so back them up. A sample output could look like this:

$ docker push nexus.example.com:18079/hello-world:test
The push refers to repository [nexus.example.com:18079/hello-world]
test: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524
Signing and pushing trust metadata

Pulling a docker image by tag will automatically validate the signature, and a tag with no trust data is rejected. Note that pulling by digest (name@sha256:...) does not consult trust data at all, and the --disable-content-trust flag turns enforcement off for a single command, so both need to be controlled by client-side policy. For example:

$ docker pull nexus.example.com:18079/hello-world:test-unsigned
Error: remote trust data does not exist for nexus.example.com:18079/hello-world: nexus.example.com:18079 does not have trust data for nexus.example.com:18079/hello-world

$ docker pull nexus.example.com:18079/hello-world:test
test: Pulling from hello-world
Digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
Status: Image is up to date for nexus.example.com:18079/hello-world:test
nexus.example.com:18079/hello-world:test
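The following shell helpers are an added example for the client configuration and pull steps above; they are not code from this page, from Sonatype, or from the Docker or Notary projects. They assume the docker CLI behaviour that the client loads every *.crt file under $DOCKER_CONFIG/tls/<host[:port]>/ as a CA for the Notary server named in DOCKER_CONTENT_TRUST_SERVER, that DOCKER_CONFIG defaults to $HOME/.docker, and that a pull by digest is not checked against trust data. The hostnames, ports and file names are placeholders.

```shell
#!/bin/sh
# Added example (not Sonatype's or Docker's own code): client-side helpers for
# Docker Content Trust with a Notary server in front of Nexus Repository.
# Assumptions about the docker CLI: CA certs for the trust server are read from
# $DOCKER_CONFIG/tls/<host[:port]>/*.crt, DOCKER_CONFIG defaults to
# $HOME/.docker, and pull-by-digest bypasses content trust.

# Map a Notary server URL to the directory the client searches for CA certs.
#   https://notary.example.com:4443/v2/ -> $HOME/.docker/tls/notary.example.com:4443
# The port is part of the directory name; leaving it out is the common mistake.
notary_ca_dir() {
    hostport="${1#*://}"        # strip the scheme
    hostport="${hostport%%/*}"  # strip any path
    printf '%s/tls/%s\n' "${DOCKER_CONFIG:-$HOME/.docker}" "$hostport"
}

# Install a PEM CA certificate for the Notary server and print its final path.
install_notary_ca() {
    dir=$(notary_ca_dir "$1")
    mkdir -p "$dir"
    cp "$2" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    printf '%s\n' "$dir/ca.crt"
}

# Turn content trust on for the current shell session.
enable_content_trust() {
    export DOCKER_CONTENT_TRUST=1
    export DOCKER_CONTENT_TRUST_SERVER="$1"
}

# Pull with trust forced on for this one command, and refuse a reference that
# carries a digest: docker never checks trust data on pull-by-digest, so such
# a pull would succeed silently even for an unsigned image.
trusted_pull() {
    case "$1" in
        *@*) echo "refusing $1: pull-by-digest is not covered by content trust" >&2
             return 2 ;;
    esac
    DOCKER_CONTENT_TRUST=1 docker pull "$1"
}
```

Typical use: `install_notary_ca https://notary.example.com:4443 ./notary-ca.pem`, then `enable_content_trust https://notary.example.com:4443`, then `trusted_pull nexus.example.com:18079/hello-world:test`. The digest check in trusted_pull exists because an image reference that a CI job resolves to a digest earlier in the pipeline would otherwise slip past the signature check without any error.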