How to use docker trust signer add command to add a signer


Introduction

In this lab, you will learn how to manage signers for Docker repositories using Docker Content Trust. We will begin by inspecting the current signers of a repository to understand who is authorized to sign images.

Following the inspection, you will learn how to add a new signer to a repository using the docker trust signer add command. Finally, you will verify that the new signer has been successfully added, ensuring that another entity can now sign images for that repository.



Inspect the current signers of a repository

In this step, we will learn how to inspect the current signers of a Docker repository. Docker Content Trust allows you to verify the integrity and publisher of images you use. Signers are entities that have the authority to sign images for a specific repository.

First, let's enable Docker Content Trust. This is done by setting the DOCKER_CONTENT_TRUST environment variable to 1.

export DOCKER_CONTENT_TRUST=1

Now that Content Trust is enabled, when you pull an image, Docker will verify its signature. If the image is not signed or the signature is invalid, the pull operation will fail.

To list the current signers of a repository, we use the docker trust inspect --pretty command (docker trust signer itself only has the add and remove subcommands and does not list signers). We will inspect the signers for the library/ubuntu repository, which is a well-known official image.

docker trust inspect --pretty library/ubuntu

This command will list the signers associated with the library/ubuntu repository. You will see output similar to this, showing the name of the signer and their key ID:

Signers for library/ubuntu

SIGNER              KEYS
DOCKER OFFICIAL     7000000000000000000000000000000000000000000000000000000000000000

The output shows that the library/ubuntu repository is signed by "DOCKER OFFICIAL" with a specific key ID. This confirms that the image you pull from this repository is officially signed by Docker.

Add a new signer to the repository

In this step, we will learn how to add a new signer to a Docker repository. This is useful when you want to allow another party or system to sign images for your repository.

Before adding a signer, you need to have a signing key. If you don't have one, you can generate a new key pair using the docker trust key generate command. For this lab, we will assume you have a key pair.

To add a new signer, we use the docker trust signer add command. This command requires the name of the new signer, the repository name, and the path to the public key of the new signer.

Let's create a dummy public key file for demonstration purposes. In a real scenario, this would be the public key provided by the new signer.

echo "-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0AQICYQADggEPADRUb2tlbiBmb3IgYSB0ZXN0IHNpZ25lcg==
-----END PUBLIC KEY-----" > ~/project/new_signer.pub

This command creates a file named new_signer.pub in your ~/project directory with some dummy public key content. Note that docker trust signer add parses the key file it is given, so placeholder content like this is rejected outside the lab; a real workflow uses the .pub file written by docker trust key generate.

Now, let's add a new signer named my-new-signer to a hypothetical repository your-dockerhub-user/my-image. Replace your-dockerhub-user with your Docker Hub username if you were doing this with a real repository. For this lab, we will use a placeholder.

docker trust signer add my-new-signer your-dockerhub-user/my-image --key ~/project/new_signer.pub

You will be prompted to enter the password for the repository's root key. This is a security measure to ensure that only authorized users can add signers. Since this is a lab environment and we are not interacting with a real Docker registry, you can enter a dummy password.

After entering the password, the command will add the new signer to the repository's trust data. You should see output indicating that the signer has been added.

Adding signer "my-new-signer" to your-dockerhub-user/my-image...
Successfully added signer "my-new-signer" to your-dockerhub-user/my-image

This command updates the trust data for the specified repository on the Docker registry, adding the public key of the new signer.
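The placeholder file created above has the right PEM framing but is not a real key, and docker trust signer add parses whatever key it is given. The following script is an added example (mine, not part of the lab or the Docker project) that checks a key file before running the lab's add command: it verifies the PEM header and footer, decodes the body and confirms that the outer DER length agrees with the bytes actually present, and, when openssl is installed, asks it to parse the key. The function names, the temporary-directory demonstration and the add_signer wrapper are my assumptions, not Docker CLI features.

```shell
#!/bin/sh
# Added example, not part of the original lab: sanity-check a candidate
# public-key file before passing it to `docker trust signer add --key`.
# Assumptions (mine, not the lab's): POSIX sh with coreutils (sed, tr, od,
# base64, wc, mktemp); openssl is optional and only used when present.

# pem_structure_ok FILE
# Returns 0 when FILE has a PUBLIC KEY header/footer around a base64 body.
pem_structure_ok() {
    [ -r "$1" ] || { echo "not readable: $1" >&2; return 1; }
    head -n 1 "$1" | grep -q '^-----BEGIN PUBLIC KEY-----$' \
        || { echo "missing BEGIN PUBLIC KEY header: $1" >&2; return 1; }
    tail -n 1 "$1" | grep -q '^-----END PUBLIC KEY-----$' \
        || { echo "missing END PUBLIC KEY footer: $1" >&2; return 1; }
    body=$(sed '1d;$d' "$1" | tr -d '\r\n')
    printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || { echo "body is not base64: $1" >&2; return 1; }
}

# der_length_ok FILE
# Decodes the body and checks that the outer DER SEQUENCE length matches the
# number of bytes actually present. A real SubjectPublicKeyInfo passes; the
# lab's placeholder (the start of a P-256 key header, then unrelated text) fails.
der_length_ok() {
    f=$1
    body=$(sed '1d;$d' "$f" | tr -d '\r\n')
    actual=$(printf '%s' "$body" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    # First four decoded bytes as decimal: tag, length byte, up to two more length bytes.
    set -- $(printf '%s' "$body" | base64 -d 2>/dev/null | od -An -tu1 -N4)
    [ "${1:-}" = "48" ] || { echo "not a DER SEQUENCE: $f" >&2; return 1; }   # 0x30
    if [ "$2" -lt 128 ]; then expected=$(($2 + 2))                            # short form
    elif [ "$2" -eq 129 ]; then expected=$(($3 + 3))                          # 0x81 + 1 byte
    elif [ "$2" -eq 130 ]; then expected=$(($3 * 256 + $4 + 4))               # 0x82 + 2 bytes
    else echo "unsupported DER length encoding: $f" >&2; return 1; fi
    [ "$actual" -eq "$expected" ] \
        || { echo "DER declares $expected bytes but body has $actual: $f" >&2; return 1; }
}

# check_signer_key FILE: structural and length checks, plus an openssl parse
# when openssl is available on this host.
check_signer_key() {
    pem_structure_ok "$1" && der_length_ok "$1" || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl pkey -pubin -in "$1" -noout 2>/dev/null \
            || { echo "openssl cannot parse public key: $1" >&2; return 1; }
    fi
}

# add_signer NAME REPO KEYFILE: run the checks, then the lab's own command.
# Usage: add_signer my-new-signer your-dockerhub-user/my-image ~/project/new_signer.pub
add_signer() {
    check_signer_key "$3" || return 1
    docker trust signer add --key "$3" "$1" "$2"
}

# Demonstration with the lab's placeholder key, written to a temp dir (constructed, not a real key).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
    'MFkwEwYHKoZIzj0AQICYQADggEPADRUb2tlbiBmb3IgYSB0ZXN0IHNpZ25lcg==' \
    '-----END PUBLIC KEY-----' > "$demo_dir/new_signer.pub"
if check_signer_key "$demo_dir/new_signer.pub"; then
    echo "key accepted"
else
    echo "key rejected (expected for the placeholder)"
fi
```

The length check is deliberately shallow: it does not validate the curve or algorithm identifier, only that the file is not truncated or padded, which is enough to catch copy-paste damage before the command prompts for the root key passphrase.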

Verify the new signer has been added

In this step, we will verify that the signer added in the previous step now appears in the repository's trust data.

To do this, we will again use the docker trust inspect --pretty command, just like we did in the first step to inspect the original signers. This time, we will inspect the signers for the repository where we added the new signer.

Recall that we added the signer my-new-signer to the hypothetical repository your-dockerhub-user/my-image. Let's inspect the signers for this repository, using the same placeholder repository name as in the previous step.

docker trust inspect --pretty your-dockerhub-user/my-image

This command will query the Docker registry for the trust data associated with the your-dockerhub-user/my-image repository and list all the signers.

You should now see output that includes both the original signer (if there was one) and the new signer my-new-signer that you added in the previous step. The output will show the name of each signer and their corresponding key ID.

Signers for your-dockerhub-user/my-image

SIGNER              KEYS
my-new-signer       <key ID of the new signer>

The presence of my-new-signer in the output confirms that the signer was successfully added to the repository's trust data. This means that images signed with the public key associated with my-new-signer will now be considered trusted for this repository when Docker Content Trust is enabled.
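For the verification step, here is a small POSIX shell check, added as an example and not part of the lab, that parses the signer table printed by docker trust inspect --pretty rather than reading it by eye. The sample output, the signer_listed, signer_key_ids and verify_signer names, and every digest and key ID in the samples are constructed by me.

```shell
#!/bin/sh
# Added example, not part of the original lab: confirm that a delegation signer
# is listed for a repository by parsing `docker trust inspect --pretty` output.
# The two SAMPLE_* strings below are constructed to follow the --pretty layout;
# every digest and key ID in them is a placeholder, not a value from a registry.

# signer_listed NAME   (reads `docker trust inspect --pretty` output on stdin)
# Exit 0 if NAME is a row of the SIGNER/KEYS table, 1 otherwise (including when
# the repository has no delegation signers and the table is absent).
signer_listed() {
    awk -v want="$1" '
        /^SIGNER[[:space:]]+KEYS/ { in_table = 1; next }
        in_table && NF == 0       { in_table = 0 }
        in_table && $1 == want    { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# signer_key_ids NAME: print NAME's key IDs from the same table, one per line.
signer_key_ids() {
    awk -v want="$1" '
        /^SIGNER[[:space:]]+KEYS/ { in_table = 1; next }
        in_table && NF == 0       { in_table = 0 }
        in_table && $1 == want    { for (i = 2; i <= NF; i++) { sub(/,$/, "", $i); print $i } }
    '
}

# verify_signer REPO NAME: the real check against a registry (needs docker).
# Usage: verify_signer your-dockerhub-user/my-image my-new-signer && echo "signer present"
verify_signer() {
    docker trust inspect --pretty "$1" | signer_listed "$2"
}

# Constructed sample, shaped like `docker trust inspect --pretty REPO` after a
# signer was added and one tag was signed with its key (all IDs are placeholders).
SAMPLE_INSPECT='Signatures for your-dockerhub-user/my-image

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  0000000000000000000000000000000000000000000000000000000000000000   my-new-signer

List of signers and their keys for your-dockerhub-user/my-image

SIGNER              KEYS
my-new-signer       aaaaaaaaaaaa, bbbbbbbbbbbb

Administrative keys for your-dockerhub-user/my-image

  Repository Key:       1111111111111111111111111111111111111111111111111111111111111111
  Root Key:     2222222222222222222222222222222222222222222222222222222222222222'

# Constructed sample for a repository with no delegation signers: tags are
# attributed to the repository admin and there is no SIGNER/KEYS table at all,
# so a lookup for any named signer must report "not listed".
SAMPLE_NO_SIGNERS='Signatures for library/example

SIGNED TAG          DIGEST                                                             SIGNERS
latest              0000000000000000000000000000000000000000000000000000000000000000   (Repo Admin)

Administrative keys for library/example

  Repository Key:       1111111111111111111111111111111111111111111111111111111111111111
  Root Key:     2222222222222222222222222222222222222222222222222222222222222222'

# Demonstration on the constructed samples (no registry access needed).
if printf '%s\n' "$SAMPLE_INSPECT" | signer_listed my-new-signer; then
    echo "my-new-signer is listed with keys: $(printf '%s\n' "$SAMPLE_INSPECT" | signer_key_ids my-new-signer | tr '\n' ' ')"
fi
if ! printf '%s\n' "$SAMPLE_NO_SIGNERS" | signer_listed my-new-signer; then
    echo "my-new-signer is not listed for library/example"
fi
```

Matching on the whole first column rather than with a substring search matters here: a signer named my-new-signer-2 would otherwise satisfy a check for my-new-signer, and a pipeline gate built on that check would pass for the wrong key.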

Summary

In this lab, we learned how to manage signers for Docker repositories using Docker Content Trust. We began by enabling Docker Content Trust to ensure image integrity and publisher verification. We then practiced inspecting the current signers of a repository, specifically the library/ubuntu image, using the docker trust inspect --pretty command, which displayed the existing signer and their key ID.

Following the inspection, we added a new signer to a repository using the docker trust signer add command, which is how other entities are allowed to sign images for a specific repository. Finally, we verified the addition by inspecting the repository's signers again and confirming that the newly added signer is listed.
Following the inspection, we moved on to the process of adding a new signer to a repository using the docker trust signer add command. This step is crucial for allowing other entities to sign images for a specific repository. While the full details of adding a signer were not provided in the excerpt, the lab's objective is to demonstrate this capability. The final step, verifying the addition of the new signer, would involve re-inspecting the repository's signers to confirm the newly added signer is listed, ensuring the successful completion of the process.