From 754bbf7a25a8dda49b5d08ef0d0443bbf5af0e36 Mon Sep 17 00:00:00 2001 From: Craig Jennings Date: Sun, 7 Apr 2024 13:41:34 -0500 Subject: new repository --- ...ence%2Fcommandline%2Ftrust_inspect%2Findex.html | 359 +++++++++++++++++++++ 1 file changed, 359 insertions(+) create mode 100644 devdocs/docker/engine%2Freference%2Fcommandline%2Ftrust_inspect%2Findex.html (limited to 'devdocs/docker/engine%2Freference%2Fcommandline%2Ftrust_inspect%2Findex.html') diff --git a/devdocs/docker/engine%2Freference%2Fcommandline%2Ftrust_inspect%2Findex.html b/devdocs/docker/engine%2Freference%2Fcommandline%2Ftrust_inspect%2Findex.html new file mode 100644 index 00000000..fc6829e2 --- /dev/null +++ b/devdocs/docker/engine%2Freference%2Fcommandline%2Ftrust_inspect%2Findex.html @@ -0,0 +1,359 @@ +

docker trust inspect


Return low-level information about keys and signatures

Usage

$ docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...]
+

Refer to the options section for an overview of available OPTIONS for this command.

Description

docker trust inspect provides low-level JSON information on signed repositories. This includes all image tags that are signed, who signed them, and who can sign new tags.

For example uses of this command, refer to the examples section below.

Options

Name, shorthand Default Description
--pretty Print the information in a human friendly format

Examples

Get low-level details about signatures for a single image tag

Use the docker trust inspect to get trust information about an image. The following example prints trust information for the alpine:latest image:

$ docker trust inspect alpine:latest
+

The output is in JSON format, for example:

[
+  {
+    "Name": "alpine:latest",
+    "SignedTags": [
+      {
+        "SignedTag": "latest",
+        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+        "Signers": [
+          "Repo Admin"
+        ]
+      }
+    ],
+    "Signers": [],
+    "AdministrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+            {
+                "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+            }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+            {
+                "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+            }
+        ]
+      }
+    ]
+  }
+]
+

The SignedTags key will list the SignedTag name, its Digest, and the Signers responsible for the signature.

AdministrativeKeys will list the Repository and Root keys.

If signers are set up for the repository via other docker trust commands, docker trust inspect includes a Signers key:

$ docker trust inspect my-image:purple
+

The output is in JSON format, for example:

[
+  {
+    "Name": "my-image:purple",
+    "SignedTags": [
+      {
+        "SignedTag": "purple",
+        "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557",
+        "Signers": [
+          "alice",
+          "bob",
+          "carol"
+        ]
+      }
+    ],
+    "Signers": [
+      {
+        "Name": "alice",
+        "Keys": [
+            {
+                "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3"
+            },
+            {
+                "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8"
+            }
+        ]
+      },
+      {
+        "Name": "bob",
+        "Keys": [
+            {
+                "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba"
+            }
+        ]
+      },
+      {
+        "Name": "carol",
+        "Keys": [
+            {
+                "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9"
+            },
+            {
+                "ID": "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606"
+            }
+        ]
+      }
+    ],
+    "AdministrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+            {
+                "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44"
+            }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+            {
+                "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f"
+            }
+        ]
+      }
+    ]
+  }
+]
+

If the image tag is unsigned or unavailable, docker trust inspect does not display any signed tags.

$ docker trust inspect unsigned-img
+
+No signatures or cannot access unsigned-img
+

However, if other tags are signed in the same image repository, docker trust inspect reports relevant key information:

$ docker trust inspect alpine:unsigned
+

The output is in JSON format, for example:

[
+  {
+    "Name": "alpine:unsigned",
+    "Signers": [],
+    "AdministrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+          {
+            "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+          }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+          {
+            "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+          }
+        ]
+      }
+    ]
+  }
+]
+

Get details about signatures for all image tags in a repository

If no tag is specified, docker trust inspect will report details for all signed tags in the repository:

$ docker trust inspect alpine
+

The output is in JSON format, for example:

[
+  {
+    "Name": "alpine",
+    "SignedTags": [
+      {
+        "SignedTag": "3.5",
+        "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "3.6",
+        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "edge",
+        "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "latest",
+        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+        "Signers": [
+          "Repo Admin"
+        ]
+      }
+    ],
+    "Signers": [],
+    "AdministrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+          {
+            "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+          }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+          {
+            "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+          }
+        ]
+      }
+    ]
+  }
+]
+

Get details about signatures for multiple images

docker trust inspect can take multiple repositories and images as arguments, and reports the results in an ordered list:

$ docker trust inspect alpine notary
+

The output is in JSON format, for example:

[
+  {
+    "Name": "alpine",
+    "SignedTags": [
+      {
+        "SignedTag": "3.5",
+        "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "3.6",
+        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "edge",
+        "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "integ-test-base",
+        "Digest": "3952dc48dcc4136ccdde37fbef7e250346538a55a0366e3fccc683336377e372",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "latest",
+        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+        "Signers": [
+          "Repo Admin"
+        ]
+      }
+    ],
+    "Signers": [],
+    "AdministrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+          {
+            "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+          }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+          {
+            "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+          }
+        ]
+      }
+    ]
+  },
+  {
+    "Name": "notary",
+    "SignedTags": [
+      {
+        "SignedTag": "server",
+        "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c",
+        "Signers": [
+          "Repo Admin"
+        ]
+      },
+      {
+        "SignedTag": "signer",
+        "Digest": "a6122d79b1e74f70b5dd933b18a6d1f99329a4728011079f06b245205f158fe8",
+        "Signers": [
+          "Repo Admin"
+        ]
+      }
+    ],
+    "Signers": [],
+    "AdministrativeKeys": [
+      {
+        "Name": "Root",
+        "Keys": [
+          {
+            "ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92"
+          }
+        ]
+      },
+      {
+        "Name": "Repository",
+        "Keys": [
+          {
+            "ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df"
+          }
+        ]
+      }
+    ]
+  }
+]
+

Formatting

You can print the inspect output in a human-readable format instead of the default JSON output, by using the --pretty option:

Get details about signatures for a single image tag

$ docker trust inspect --pretty alpine:latest
+
+SIGNED TAG          DIGEST                                                             SIGNERS
+latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+
+Administrative keys for alpine:latest:
+Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:       a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+

The SIGNED TAG is the signed image tag with a unique content-addressable DIGEST. SIGNERS lists all entities who have signed.

The administrative keys listed specify the root key of trust, as well as the administrative repository key. These keys are responsible for modifying signers, and rotating keys for the signed repository.

If signers are set up for the repository via other docker trust commands, docker trust inspect --pretty displays them appropriately as a SIGNER and specify their KEYS:

$ docker trust inspect --pretty my-image:purple
+
+SIGNED TAG          DIGEST                                                              SIGNERS
+purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               47caae5b3e61, a85aab9d20a4
+bob                 034370bcbd77, 82a66673242c
+carol               b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key:       40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+

However, if other tags are signed in the same image repository, docker trust inspect reports relevant key information.

$ docker trust inspect --pretty alpine:unsigned
+
+No signatures for alpine:unsigned
+
+
+Administrative keys for alpine:unsigned:
+Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:       a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+

Get details about signatures for all image tags in a repository

$ docker trust inspect --pretty alpine
+
+SIGNED TAG          DIGEST                                                             SIGNERS
+2.6                 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b   (Repo Admin)
+2.7                 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a   (Repo Admin)
+3.1                 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8   (Repo Admin)
+3.2                 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7   (Repo Admin)
+3.3                 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7   (Repo Admin)
+3.4                 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9   (Repo Admin)
+3.5                 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308   (Repo Admin)
+3.6                 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+edge                79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b   (Repo Admin)
+latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+
+Administrative keys for alpine:
+Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:       a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+

Here’s an example with signers that are set up by docker trust commands:

$ docker trust inspect --pretty my-image
+
+SIGNED TAG          DIGEST                                                              SIGNERS
+red                 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943    alice
+blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
+green               cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139    alice, bob
+yellow              9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba    carol
+purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
+orange              d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c    alice
+
+List of signers and their keys for my-image:
+
+SIGNER              KEYS
+alice               47caae5b3e61, a85aab9d20a4
+bob                 034370bcbd77, 82a66673242c
+carol               b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key:       40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+

Parent command

Command Description
docker trust Manage trust on Docker images
Command Description
docker trust inspect Return low-level information about keys and signatures
docker trust key Manage keys for signing Docker images
docker trust revoke Remove trust for an image
docker trust sign Sign an image
docker trust signer Manage entities who can sign Docker images
+

+ © 2019 Docker, Inc.
Licensed under the Apache License, Version 2.0.
Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.
Docker, Inc. and other parties may also have trademark rights in other terms used herein.
+ https://docs.docker.com/engine/reference/commandline/trust_inspect/ +

+
-- cgit v1.2.3