summaryrefslogtreecommitdiff
path: root/devdocs/docker/engine%2Fsecurity%2Ftrust%2Ftrust_automation%2Findex.html
diff options
context:
space:
mode:
authorCraig Jennings <c@cjennings.net>2024-04-07 13:41:34 -0500
committerCraig Jennings <c@cjennings.net>2024-04-07 13:41:34 -0500
commit754bbf7a25a8dda49b5d08ef0d0443bbf5af0e36 (patch)
treef1190704f78f04a2b0b4c977d20fe96a828377f1 /devdocs/docker/engine%2Fsecurity%2Ftrust%2Ftrust_automation%2Findex.html
new repository
Diffstat (limited to 'devdocs/docker/engine%2Fsecurity%2Ftrust%2Ftrust_automation%2Findex.html')
-rw-r--r--devdocs/docker/engine%2Fsecurity%2Ftrust%2Ftrust_automation%2Findex.html48
1 files changed, 48 insertions, 0 deletions
diff --git a/devdocs/docker/engine%2Fsecurity%2Ftrust%2Ftrust_automation%2Findex.html b/devdocs/docker/engine%2Fsecurity%2Ftrust%2Ftrust_automation%2Findex.html
new file mode 100644
index 00000000..fbdbd7ea
--- /dev/null
+++ b/devdocs/docker/engine%2Fsecurity%2Ftrust%2Ftrust_automation%2Findex.html
@@ -0,0 +1,48 @@
+<h1>Automation with content trust</h1>
+
+<p>It is very common for Docker Content Trust to be built into existing automation systems. To allow tools to wrap Docker and push trusted content, there are environment variables that can be passed through to the client.</p> <p>This guide follows the steps as described <a href="../index#signing-images-with-docker-content-trust">here</a> so please read that and understand its prerequisites.</p> <p>When working directly with the Notary client, it uses its <a href="https://github.com/theupdateframework/notary/blob/master/docs/reference/client-config/#environment-variables-optional" target="_blank" rel="noopener" class="_">own set of environment variables</a>.</p> <h2 id="add-a-delegation-private-key">Add a delegation private key</h2> <p>To automate importing a delegation private key to the local Docker trust store, we need to pass a passphrase for the new key. This passphrase will be required everytime that delegation signs a tag.</p> <div class="highlight"><pre class="highlight" data-language="">$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="mypassphrase123"
+
+$ docker trust key load delegation.key --name jeff
+Loading key from "delegation.key"...
+Successfully imported key from delegation.key
+</pre></div> <h2 id="add-a-delegation-public-key">Add a delegation public key</h2> <p>If you initialising a repository at the same time as adding a Delegation public key, then you will need to use the local Notary Canonical Root Key’s passphrase to create the repositories trust data. If the repository has already been initiated then you only need the repositories passphrase.</p> <div class="highlight"><pre class="highlight" data-language=""># Export the Local Root Key Passphrase if required.
+$ export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="rootpassphrase123"
+
+# Export the Repository Passphrase
+$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="repopassphrase123"
+
+# Initialise Repo and Push Delegation
+$ docker trust signer add --key delegation.crt jeff registry.example.com/admin/demo
+Adding signer "jeff" to registry.example.com/admin/demo...
+Initializing signed repository for registry.example.com/admin/demo...
+Successfully initialized "registry.example.com/admin/demo"
+Successfully added signer: registry.example.com/admin/demo
+</pre></div> <h2 id="sign-an-image">Sign an image</h2> <p>Finally when signing an image, we will need to export the passphrase of the signing key. This was created when the key was loaded into the local Docker trust store with <code class="language-plaintext highlighter-rouge">$ docker trust key load</code>.</p> <div class="highlight"><pre class="highlight" data-language="">$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="mypassphrase123"
+
+$ docker trust sign registry.example.com/admin/demo:1
+Signing and pushing trust data for local image registry.example.com/admin/demo:1, may overwrite remote trust data
+The push refers to repository [registry.example.com/admin/demo]
+428c97da766c: Layer already exists
+2: digest: sha256:1a6fd470b9ce10849be79e99529a88371dff60c60aab424c077007f6979b4812 size: 524
+Signing and pushing trust metadata
+Successfully signed registry.example.com/admin/demo:1
+</pre></div> <h2 id="build-with-content-trust">Build with content trust</h2> <p>You can also build with content trust. Before running the <code class="language-plaintext highlighter-rouge">docker build</code> command, you should set the environment variable <code class="language-plaintext highlighter-rouge">DOCKER_CONTENT_TRUST</code> either manually or in a scripted fashion. Consider the simple Dockerfile below.</p> <div class="highlight"><pre class="highlight" data-language=""># syntax=docker/dockerfile:1
+FROM docker/trusttest:latest
+RUN echo
+</pre></div> <p>The <code class="language-plaintext highlighter-rouge">FROM</code> tag is pulling a signed image. You cannot build an image that has a <code class="language-plaintext highlighter-rouge">FROM</code> that is not either present locally or signed. Given that content trust data exists for the tag <code class="language-plaintext highlighter-rouge">latest</code>, the following build should succeed:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker build -t docker/trusttest:testing .
+Using default tag: latest
+latest: Pulling from docker/trusttest
+
+b3dbab3810fc: Pull complete
+a9539b34a6ab: Pull complete
+Digest: sha256:d149ab53f871
+</pre></div> <p>If content trust is enabled, building from a Dockerfile that relies on tag without trust data, causes the build command to fail:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker build -t docker/trusttest:testing .
+unable to process Dockerfile: No trust data for notrust
+</pre></div> <h2 id="related-information">Related information</h2> <ul> <li><a href="../trust_delegation/index">Delegations for content trust</a></li> <li><a href="../index">Content trust in Docker</a></li> <li><a href="../trust_key_mng/index">Manage keys for content trust</a></li> <li><a href="../trust_sandbox/index">Play in a content trust sandbox</a></li> </ul>
+<p><a href="https://docs.docker.com/search/?q=trust">trust</a>, <a href="https://docs.docker.com/search/?q=security">security</a>, <a href="https://docs.docker.com/search/?q=docker">docker</a>, <a href="https://docs.docker.com/search/?q=documentation">documentation</a>, <a href="https://docs.docker.com/search/?q=automation">automation</a></p>
+<div class="_attribution">
+ <p class="_attribution-p">
+ &copy; 2019 Docker, Inc.<br>Licensed under the Apache License, Version 2.0.<br>Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.<br>Docker, Inc. and other parties may also have trademark rights in other terms used herein.<br>
+ <a href="https://docs.docker.com/engine/security/trust/trust_automation/" class="_attribution-link">https://docs.docker.com/engine/security/trust/trust_automation/</a>
+ </p>
+</div>
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-27 05:10:19 +0000