Note: the earliest signed version is 2.3.1. If you enable signature verification with an earlier version, the Docker daemon will not run the containers.
Docker Content Trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
We use Docker Content Trust to sign our Docker images. Currently, content trust enforcement is disabled by default in the Docker client. To enable it, set the DOCKER_CONTENT_TRUST environment variable to 1 before pulling the images. With it set, the client refuses to work with tagged images that do not carry a signature.
$ export DOCKER_CONTENT_TRUST=1
To check which signatures a given Docker image carries, run:
$ docker trust inspect --pretty continuumsecurity/iriusrisk-prod:tomcat8-2
SIGNED TAG   DIGEST                                                             SIGNERS
tomcat8-2    3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e   Continuum-Security

List of signers and their keys for continuumsecurity/iriusrisk-prod:tomcat8-2

Administrative keys for continuumsecurity/iriusrisk-prod:tomcat8-2

  Repository Key: d0f212a5dae924c780ca76ada5b727ccc5dfb141f097d242b15fc465ffb7fe05
  Root Key: 0e1cbdb524a679098767dd0bbff056f4945077e92c7c4f35b3d6a7fbb6aa984c
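The inspect output above is meant to be read by a person. In an automated deployment you usually want the same check done by a script: confirm that the tag was signed by the signer you expect (and, optionally, that the root key is the one you have previously recorded), then pull by the signed digest rather than by the mutable tag. The following is an added example and is not part of this page or of IriusRisk's own tooling. It parses the JSON that `docker trust inspect` prints when `--pretty` is omitted; the embedded sample is constructed from the values shown above and assumes the JSON field names `SignedTags`, `Signers` and `AdministrativeKeys` that the command uses, and the signer key ID is a placeholder because the page does not list it.

```python
"""Gate an image pull on its Docker Content Trust signature (added example)."""
import json
import subprocess

REPO = "continuumsecurity/iriusrisk-prod"
TAG = "tomcat8-2"
EXPECTED_SIGNER = "Continuum-Security"
# Root key ID as shown on the page; record it once and compare on every run.
EXPECTED_ROOT_KEY = "0e1cbdb524a679098767dd0bbff056f4945077e92c7c4f35b3d6a7fbb6aa984c"

# Constructed sample of `docker trust inspect` JSON output, built from the
# --pretty output above. The signer key ID is a placeholder (not on the page).
SAMPLE_TRUST_JSON = json.dumps([{
    "Name": f"{REPO}:{TAG}",
    "SignedTags": [{
        "SignedTag": TAG,
        "Digest": "3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e",
        "Signers": [EXPECTED_SIGNER],
    }],
    "Signers": [{"Name": EXPECTED_SIGNER,
                 "Keys": [{"ID": "<signer-key-id-placeholder>"}]}],
    "AdministrativeKeys": [
        {"Name": "Repository",
         "Keys": [{"ID": "d0f212a5dae924c780ca76ada5b727ccc5dfb141f097d242b15fc465ffb7fe05"}]},
        {"Name": "Root", "Keys": [{"ID": EXPECTED_ROOT_KEY}]},
    ],
}])


class TrustError(Exception):
    """Raised when the trust data does not meet the expected policy."""


def signed_digest(trust_json, tag, expected_signer, expected_root_key=None):
    """Return the digest that `expected_signer` signed for `tag`.

    Raises TrustError if the tag is unsigned, signed by someone else, or if
    `expected_root_key` is given and does not match the repository's root key.
    """
    entries = json.loads(trust_json)
    if not entries:
        raise TrustError("no trust data returned")
    entry = entries[0]

    if expected_root_key is not None:
        root_ids = [key["ID"]
                    for admin in entry.get("AdministrativeKeys", [])
                    if admin.get("Name") == "Root"
                    for key in admin.get("Keys", [])]
        if expected_root_key not in root_ids:
            raise TrustError(f"root key mismatch: expected {expected_root_key}, got {root_ids}")

    for signed in entry.get("SignedTags", []):
        if signed.get("SignedTag") != tag:
            continue
        if expected_signer not in signed.get("Signers", []):
            raise TrustError(f"tag {tag} is signed, but not by {expected_signer}: {signed.get('Signers')}")
        return signed["Digest"]
    raise TrustError(f"tag {tag} carries no signature")


def inspect_trust(repo, tag):
    """Run `docker trust inspect` without --pretty so the output is JSON."""
    proc = subprocess.run(["docker", "trust", "inspect", f"{repo}:{tag}"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def pinned_reference(repo, tag, expected_signer, trust_json=None, expected_root_key=None):
    """Return `repo@sha256:<digest>` for a tag whose signature passed the policy."""
    if trust_json is None:
        trust_json = inspect_trust(repo, tag)
    digest = signed_digest(trust_json, tag, expected_signer, expected_root_key)
    return f"{repo}@sha256:{digest}"


if __name__ == "__main__":
    # Live run against the registry; requires the docker CLI on this host.
    try:
        ref = pinned_reference(REPO, TAG, EXPECTED_SIGNER, expected_root_key=EXPECTED_ROOT_KEY)
    except (TrustError, subprocess.CalledProcessError) as err:
        raise SystemExit(f"refusing to pull {REPO}:{TAG}: {err}")
    # Pulling by digest is content-addressed, so the pulled bytes cannot differ
    # from what the signer signed even if the tag is moved later.
    subprocess.run(["docker", "pull", ref], check=True)
```

Running the script with the `docker` CLI available performs the check against the real registry; the `SAMPLE_TRUST_JSON` constant lets you exercise the policy logic offline. The digest pin matters because `DOCKER_CONTENT_TRUST=1` only tells the client that a tag must have some valid signature; deciding which signer and which root key you trust is policy that belongs in your deployment tooling.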