How to use docker trust revoke command to remove image signatures


Introduction

In this lab, we will explore how to manage image signatures using Docker Content Trust, specifically focusing on the docker trust revoke command. We will begin by inspecting a signed image to understand how signatures are displayed and verified.

Following the inspection, we will learn how to revoke signatures from a specific signed tag of an image. We will then verify that the revocation was successful by inspecting the image again. Finally, we will demonstrate how to revoke signatures from all tags within a repository and confirm that all signatures have been removed. This lab provides practical experience in managing the trust associated with your Docker images.



Inspect a signed image to see its signatures

In this step, we will learn how to inspect a signed Docker image to view its signatures. Docker Content Trust allows you to verify the integrity and publisher of images. When an image is signed, it means the publisher has cryptographically signed the image, and you can verify this signature to ensure the image hasn't been tampered with.

First, we need to enable Docker Content Trust. This is done by setting the DOCKER_CONTENT_TRUST environment variable to 1.

export DOCKER_CONTENT_TRUST=1

Now, let's pull a signed image. We will use the docker/trusttest image, which is specifically designed for testing Docker Content Trust.

docker pull docker/trusttest:latest

When you pull a signed image with Docker Content Trust enabled, Docker verifies the signature. If the signature is valid, the pull will succeed. If the signature is invalid or missing, the pull will fail.

To inspect the signatures of a signed image, we use the docker trust inspect command followed by the image name.

docker trust inspect docker/trusttest:latest

This command will output information about the image's signatures, including the signers and their keys. You should see details about the signatures associated with the latest tag of the docker/trusttest image. This output confirms that the image is signed and shows who signed it.

Revoke signatures from a specific signed tag

In this step, we will learn how to revoke signatures from a specific tag of a signed Docker image. Revoking a signature means invalidating the existing signature for a particular image tag. This is useful if a key is compromised or if you need to stop a specific version of an image from being trusted.

To revoke signatures from a specific tag, we use the docker trust revoke command followed by the image name and tag. We will revoke the signature for the latest tag of the docker/trusttest image.

docker trust revoke docker/trusttest:latest

When you run this command, you will be prompted to confirm the revocation. Type y and press Enter to proceed.

Are you sure you want to revoke signature for docker/trusttest:latest? (y/n) y

After confirming, Docker will revoke the signature for the specified tag. This action updates the trust data for the image in the registry.

Inspect the image again to verify the revocation

In this step, we will inspect the image again to verify that the signature for the latest tag has been successfully revoked. After revoking the signature in the previous step, the trust data for this specific tag should be removed or marked as invalid.

We will use the same docker trust inspect command as before to check the signatures for the docker/trusttest:latest image.

docker trust inspect docker/trusttest:latest

This time, the output should indicate that there are no signatures for the latest tag. You might see information about other tags if they exist and are signed, but the section for latest should show no valid signatures. This confirms that the revocation was successful.

If you try to pull the docker/trusttest:latest image with DOCKER_CONTENT_TRUST=1 enabled after revoking the signature, the pull should fail because the image is no longer trusted for that specific tag.

Revoke signatures from all tags in a repository

In this step, we will learn how to revoke signatures from all tags within a specific Docker image repository. This is useful when you need to completely remove trust for an entire repository, perhaps due to a security incident or a decision to no longer use images from that source.

To revoke signatures from all tags in a repository, we use the docker trust revoke command followed by the repository name, without specifying a tag. We will revoke all signatures for the docker/trusttest repository.

docker trust revoke docker/trusttest

When you run this command, you will be prompted to confirm that you want to revoke signatures for all tags in the repository. Type y and press Enter to proceed.

Are you sure you want to revoke all signatures for docker/trusttest? (y/n) y

After confirming, Docker will revoke the signatures for all tags associated with the docker/trusttest repository. This action effectively removes the trust data for the entire repository in the registry.

Inspect the repository to verify all signatures are removed

In this final step, we will inspect the docker/trusttest repository again to verify that all signatures have been successfully removed from all its tags. After revoking all signatures in the previous step, the trust data for the entire repository should be gone.

We will use the docker trust inspect command, this time specifying only the repository name without any tag.

docker trust inspect docker/trusttest

The output of this command should now indicate that there are no signatures found for the docker/trusttest repository. This confirms that the revocation of all signatures was successful.
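The three inspection steps above (checking that a tag is signed, checking that a single tag's signature is gone, and checking that a whole repository carries no signatures) all come down to reading the JSON that docker trust inspect prints. The script below is an added example for this lab, not code from Docker or from the lab itself; it assumes the JSON layout the CLI prints (a list of entries, each with Name, SignedTags carrying SignedTag, Digest and Signers, plus Signers and AdministrativeKeys) and treats an empty list, which the CLI prints when no trust data is found, as "not signed". The sample documents embedded in it are constructed to mimic the before and after states of the lab; their digests and key IDs are placeholders, not real values.

```python
"""Gate on `docker trust inspect` output: is this tag (or repository) signed?

Added example for the lab, not part of the Docker CLI. Assumes the JSON shape
printed by `docker trust inspect`. Sample documents below are constructed;
digest and key values are placeholders.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample: `docker trust inspect docker/trusttest:latest` before revocation
SAMPLE_SIGNED = json.dumps([{
    "Name": "docker/trusttest:latest",
    "SignedTags": [{"SignedTag": "latest",
                    "Digest": "PLACEHOLDER_DIGEST_LATEST",
                    "Signers": ["Repo Admin"]}],
    "Signers": [],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "PLACEHOLDER_ROOT_KEY"}]},
        {"Name": "Repository", "Keys": [{"ID": "PLACEHOLDER_TARGETS_KEY"}]},
    ],
}])

# Constructed sample: `docker trust inspect docker/trusttest` before revoking all tags
SAMPLE_REPO_SIGNED = json.dumps([{
    "Name": "docker/trusttest",
    "SignedTags": [
        {"SignedTag": "latest", "Digest": "PLACEHOLDER_DIGEST_LATEST", "Signers": ["Repo Admin"]},
        {"SignedTag": "v1", "Digest": "PLACEHOLDER_DIGEST_V1", "Signers": ["Repo Admin"]},
        # a tag entry with no signers must not count as signed
        {"SignedTag": "broken", "Digest": "PLACEHOLDER_DIGEST_BROKEN", "Signers": []},
    ],
    "Signers": [],
    "AdministrativeKeys": [],
}])

# Constructed sample: what the CLI prints once the trust data is gone
SAMPLE_AFTER_REVOKE = "[]"


def parse_inspect(output: str) -> List[dict]:
    """Parse the JSON list from `docker trust inspect`; "" or "[]" means no trust data."""
    output = output.strip()
    if not output:
        return []
    data = json.loads(output)
    if not isinstance(data, list):
        raise ValueError("unexpected docker trust inspect output")
    return data


def signed_tags(output: str) -> Dict[str, List[str]]:
    """Return {tag: [signer names]} for every tag that has a digest and >= 1 signer."""
    result: Dict[str, List[str]] = {}
    for entry in parse_inspect(output):
        for tag in entry.get("SignedTags", []):
            name = tag.get("SignedTag")
            digest = tag.get("Digest")
            signers = tag.get("Signers", [])
            if name and digest and signers:
                result[name] = list(signers)
    return result


def is_tag_signed(output: str, tag: str) -> bool:
    """True only if the tag carries a valid-looking signature in the inspect output."""
    return tag in signed_tags(output)


def repository_has_signatures(output: str) -> bool:
    """True if any tag in the repository is still signed (used after `revoke REPO`)."""
    return bool(signed_tags(output))


def inspect(image: str) -> str:
    """Run `docker trust inspect IMAGE` and return its stdout (may be "[]")."""
    proc = subprocess.run(["docker", "trust", "inspect", image],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Usage: python trust_check.py docker/trusttest:latest   (exit 1 if unsigned)
    image = sys.argv[1] if len(sys.argv) > 1 else "docker/trusttest:latest"
    tags = signed_tags(inspect(image))
    if not tags:
        print(f"{image}: no valid signatures", file=sys.stderr)
        sys.exit(1)
    for tag, signers in tags.items():
        print(f"{image}: tag {tag} signed by {', '.join(signers)}")
```

Run it before and after each revoke step: a non-zero exit after docker trust revoke docker/trusttest:latest, and again after docker trust revoke docker/trusttest, is the machine-checkable form of the "no signatures" result the lab expects. Note that a tag entry whose Signers list is empty is deliberately treated as unsigned, so a half-removed or malformed trust record cannot pass the gate.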

This concludes the lab on revoking Docker image signatures using Docker Content Trust. You have learned how to revoke signatures for a specific tag and for an entire repository.

Summary

In this lab, we learned how to manage image signatures using Docker Content Trust. We began by enabling Docker Content Trust and pulling a signed image (docker/trusttest:latest) to understand how Docker verifies signatures during the pull process. We then used the docker trust inspect command to view the signatures associated with the image, confirming its signed status and identifying the signers.

Subsequently, we explored how to revoke signatures. We learned to use the docker trust revoke command to remove signatures from a specific image tag (docker/trusttest:latest) and verified the revocation by inspecting the image again. Finally, we extended this knowledge to revoke signatures from all tags within a repository and confirmed the complete removal of signatures through inspection. This lab provided practical experience in inspecting and revoking Docker image signatures, essential skills for maintaining the integrity and trustworthiness of container images.