How to use docker trust signer remove command to remove signers


Introduction

In this lab, you will learn how to manage signers for Docker repositories using the docker trust signer remove command. We will begin by inspecting the current signers of a repository to understand the existing trust relationships.

Following the inspection, you will practice removing a signer from a single repository and then verify the successful removal. Finally, you will learn how to remove a signer from multiple repositories simultaneously and confirm the changes. This lab will provide hands-on experience with managing content trust in Docker.

Inspect current signers of a repository

In this step, we will learn how to inspect the current signers of a Docker repository. Docker Content Trust (DCT) lets you verify the integrity and the publisher of the images you use. It is built on Notary (an implementation of The Update Framework): the signatures and the delegation metadata that says which keys may sign a repository are stored on a Notary server associated with the registry, not in the image itself. When content trust is enabled, the Docker client refuses to pull, run or build from a tag that has no valid signature.

First, let's enable Docker Content Trust. You do this by setting the DOCKER_CONTENT_TRUST environment variable to 1 in the shell you will run the lab from.

export DOCKER_CONTENT_TRUST=1

Now that content trust is enabled, docker pull, docker run, docker build and docker push will check for (or create) signatures. The docker trust subcommands used in this lab talk to the Notary server directly and work whether or not the variable is set. To inspect the signers of a repository, use docker trust inspect followed by the repository name. By default the command prints JSON, which is what you want in scripts; add --pretty for a human-readable table. The transcripts in this lab are condensed from that output.

Let's inspect the signers for the ubuntu repository.

docker trust inspect ubuntu

You should see output similar to this, showing the signers and their keys:

No signatures for ubuntu

This output indicates that no signatures could be read for the ubuntu repository. Whether a repository is signed depends entirely on its publisher, and you will also see a message like this when the Notary server for the registry cannot be reached from your environment, so treat it as "no usable trust data", not as proof that nobody has ever signed the image.

Let's try a repository that is known to have signatures, docker/trusttest. Inspecting trust data does not require a local copy of the image, because docker trust inspect queries the Notary server rather than the local image store, but pulling with content trust enabled is a useful check in itself: with DOCKER_CONTENT_TRUST=1 the pull only succeeds if the tag is signed by a key the trust metadata authorizes.

docker pull docker/trusttest

Now, inspect the signers for docker/trusttest.

docker trust inspect docker/trusttest

You should see output listing the signers and their key IDs, indicating that this repository has been signed. The key IDs in the transcripts below are placeholders; in a real run each is a hex digest of the signer's public key.

Signers of docker/trusttest:

ROLE         KEYS
----         ----
Releases     0a0d52c692a8b3459f3422732222222222222222222222222222222222222222: docker/trusttest

Signatures for docker/trusttest:

SIGNER     KEYS
------     ----
Releases   0a0d52c692a8b3459f3422732222222222222222222222222222222222222222: docker/trusttest

This output confirms that the docker/trusttest repository has been signed and lists the keys associated with each signer. The Signers section is the delegation metadata (which keys are currently allowed to sign), while the Signatures section reflects which signer actually signed the published tags. Keep that distinction in mind; it matters when you verify a removal later.

Remove a signer from a single repository

In this step, we will learn how to remove a signer from a single Docker repository. This is what you do when a signer's key is compromised or a user is no longer authorized to sign images for a specific repository.

To remove a signer, we use the docker trust signer remove command. Its syntax is docker trust signer remove [OPTIONS] NAME REPOSITORY [REPOSITORY...]: the name of the signer followed by one or more repositories to remove them from. Passing -f (--force) skips the interactive confirmation, which is what you want in automation. Because the command rewrites the repository's delegation metadata and signs the new version with the repository (targets) key, it only works against repositories whose signing key you hold locally (under ~/.docker/trust/private) and whose Notary server you can write to. Against a repository you do not administer, such as one maintained by Docker, it fails rather than succeeding; the transcripts in this lab show the happy path for a repository you own.

Let's remove the Releases signer from the docker/trusttest repository. Remember from the previous step that docker/trusttest has a Releases signer.

docker trust signer remove Releases docker/trusttest

When you run this command, you will be prompted to confirm the removal, and then for the passphrase of the repository key that signs the updated metadata. Type y and press Enter to proceed.

Removing signer "Releases" from docker/trusttest. Are you sure you want to continue? (y/n): y

After confirming, the signer will be removed from the specified repository, and you should see output indicating the successful removal.

Successfully removed signer "Releases" from docker/trusttest

This command removes the Releases signer's public key from the delegation roles for docker/trusttest in the trust data stored on the Notary server, and pushes the newly signed metadata. It does not delete the signer's key itself: the private key still exists on the signer's machine and may still be delegated in other repositories. Only its authorization to sign this specific repository is withdrawn.

Verify the signer removal

In this step, we will verify that the signer was successfully removed from the repository. We can do this by using the docker trust inspect command again, just like we did in the first step.

We expect that after removing the Releases signer from docker/trusttest in the previous step, running docker trust inspect docker/trusttest should no longer show Releases as a signer.

Let's inspect the signers for docker/trusttest again.

docker trust inspect docker/trusttest

Observe the output carefully. You should now see that the Releases signer is no longer listed under the Signers section for docker/trusttest.

Signers of docker/trusttest:

ROLE         KEYS
----         ----
Targets      0a0d52c692a8b3459f3422732222222222222222222222222222222222222222: docker/trusttest

Signatures for docker/trusttest:

SIGNER     KEYS
------     ----
Releases   0a0d52c692a8b3459f3422732222222222222222222222222222222222222222: docker/trusttest

Notice that while Releases is gone from the list of authorized Signers, the Signatures section may still show tags that Releases signed. The remove command rewrites the delegation metadata so that the key can no longer produce signatures the client will accept for future pushes; it does not rewrite or re-sign the tags that were already published. If the signer was removed because its key is suspected of compromise, that is not the end of the job: review every tag it signed, re-sign the ones you still want to ship with an authorized key, and treat the rest as untrusted. For the narrower purpose of verifying that the delegation was removed, checking the Signers list is sufficient.

The absence of Releases under the Signers of docker/trusttest section confirms that the signer has been removed from this specific repository.

Remove a signer from multiple repositories

In this step, we will learn how to remove a signer from multiple Docker repositories simultaneously using Docker Content Trust. This is efficient when a signer needs to be deauthorized across several repositories.

The docker trust signer remove command accepts multiple repository names after the signer name and processes them in order.

Let's assume we have another repository, say docker/another-trusttest, that also has the Releases signer. To remove the Releases signer from both docker/trusttest and docker/another-trusttest in one command, you list both repository names.

For demonstration purposes, let's pull the hello-world image and tag it locally under the second repository name.

docker pull hello-world
docker tag hello-world docker/another-trusttest

Be clear about what that tag does and does not do: it creates a local image reference only. It does not push anything, and it does not create trust data on any Notary server, so docker/another-trusttest has no signers. Now let's run the removal against both repositories. The transcript below shows what the command prints for a repository that really has the Releases signer; in practice the step for docker/another-trusttest would report an error (no such signer, or no trust data for the repository), the command would continue with the remaining repositories, and it would exit non-zero at the end. The point here is the syntax for targeting several repositories at once.

docker trust signer remove Releases docker/trusttest docker/another-trusttest

You will be prompted to confirm the removal for each repository in turn. Type y and press Enter for each confirmation (or pass -f to skip the prompts).

Removing signer "Releases" from docker/trusttest. Are you sure you want to continue? (y/n): y
Successfully removed signer "Releases" from docker/trusttest
Removing signer "Releases" from docker/another-trusttest. Are you sure you want to continue? (y/n): y
Successfully removed signer "Releases" from docker/another-trusttest

The output confirms that the Releases signer has been removed from both specified repositories. Listing several repositories is convenient when one signer must be deauthorized everywhere at once, which is exactly the situation after a key compromise; just check the exit status, because a failure on one repository does not stop the others.

Verify signer removal from multiple repositories

In this step, we will verify that the signer was successfully removed from both repositories specified in the previous step. We will again use the docker trust inspect command for each repository.

First, let's inspect the signers for docker/trusttest. We expect the Releases signer to still be absent from the Signers list, as we removed it in a previous step and confirmed its removal.

docker trust inspect docker/trusttest

The output should show that Releases is not listed under Signers of docker/trusttest.

Signers of docker/trusttest:

ROLE         KEYS
----         ----
Targets      0a0d52c692a8b3459f3422732222222222222222222222222222222222222222: docker/trusttest

Signatures for docker/trusttest:

SIGNER     KEYS
------     ----
Releases   0a0d52c692a8b3459f3422732222222222222222222222222222222222222222: docker/trusttest

Now, let's inspect the signers for docker/another-trusttest. Since we attempted to remove the Releases signer from this repository as well, we expect it to also be absent from the Signers list for this repository.

docker trust inspect docker/another-trusttest

The output for docker/another-trusttest should indicate that there is no trust data: hello-world tagged locally under that name was never pushed or signed, so there was no Releases signer to remove.

No signatures for docker/another-trusttest

This confirms that docker trust signer remove, given multiple repository names, attempts the removal on each one independently. The check on docker/trusttest shows a successful removal from a repository that previously delegated to the signer; the check on docker/another-trusttest shows the unchanged state of a repository that never had the signer (the removal attempt did not create any trust data for it).
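Checking the Signers list by eye works for two repositories, but after revoking a compromised key across many repositories you want the check scripted, and you want it to flag tags the removed signer already signed (the caveat from the single-repository verification above). The following script is an added example written for this lab, not code from the page or from Docker. It parses the JSON that docker trust inspect prints by default (a JSON array with one object per repository, each carrying Name, SignedTags, Signers and AdministrativeKeys). The embedded sample is constructed to mirror the lab's state after removing Releases from docker/trusttest; its key IDs and digests are placeholders, and the docker_trust_inspect helper that shells out to the real CLI is only used when you have Docker and Notary access.

```python
"""Verify that a signer has really been removed, using `docker trust inspect` JSON.

Added example for this lab (not the page's or Docker's code). The sample data
below is constructed; digests and key IDs are placeholders.
"""
import json
import subprocess

# Constructed sample in the shape `docker trust inspect REPO [REPO...]` emits:
# Releases is no longer delegated, but it still signed the "latest" tag.
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Name": "docker/trusttest",
        "SignedTags": [
            {"SignedTag": "latest", "Digest": "a" * 64, "Signers": ["Releases"]},
            {"SignedTag": "v2", "Digest": "b" * 64, "Signers": ["alice"]},
        ],
        "Signers": [
            {"Name": "alice", "Keys": [{"ID": "c" * 64}]},
        ],
        "AdministrativeKeys": [
            {"Name": "Root", "Keys": [{"ID": "d" * 64}]},
            {"Name": "Repository", "Keys": [{"ID": "e" * 64}]},
        ],
    }
])


def parse_inspect(text):
    """Parse the JSON array printed by `docker trust inspect`."""
    return json.loads(text)


def docker_trust_inspect(*repos):
    """Run `docker trust inspect` for real (needs the docker CLI and Notary access)."""
    out = subprocess.run(["docker", "trust", "inspect", *repos],
                         check=True, capture_output=True, text=True).stdout
    return parse_inspect(out)


def audit_removed_signer(inspect_data, signer):
    """For each repository, report whether `signer` is still delegated and which tags it signed."""
    report = {}
    for repo in inspect_data:
        # Delegation metadata: which signer names are currently authorized.
        delegated = {s["Name"] for s in repo.get("Signers", [])}
        # Published tags whose signature came from the signer we removed.
        stale_tags = sorted(t["SignedTag"] for t in repo.get("SignedTags", [])
                            if signer in t.get("Signers", []))
        report[repo["Name"]] = {
            "signer_still_delegated": signer in delegated,
            "tags_signed_by_signer": stale_tags,
            "remaining_signers": sorted(delegated),
        }
    return report


def removal_complete(report):
    """True only if the signer is gone from every delegation AND signed no remaining tag."""
    return all(not r["signer_still_delegated"] and not r["tags_signed_by_signer"]
               for r in report.values())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # docker_trust_inspect("docker/trusttest") to check a real repository.
    data = parse_inspect(SAMPLE_INSPECT_JSON)
    report = audit_removed_signer(data, "Releases")
    for name, r in report.items():
        print(name, json.dumps(r))
    print("removal complete:", removal_complete(report))
```

On the sample, the delegation check passes (Releases is not in Signers) but the tag check does not, because latest still carries a Releases signature, so removal_complete returns False. That is the outcome you want a script to surface after a key compromise: the signer is deauthorized, but a tag it produced is still being served and needs to be re-signed or retired.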

Summary

In this lab, we learned how to manage signers for Docker repositories using the docker trust command. We began by enabling Docker Content Trust and inspecting the current signers of a repository using docker trust inspect. This allowed us to see which keys were associated with signing images in a given repository.

Subsequently, we practiced removing a signer from a single repository and verified the removal with docker trust inspect, noting that removing a delegation does not re-sign or retire tags the signer had already published. Finally, we extended this to remove a signer from multiple repositories in one command and confirmed the result for each. This hands-on experience demonstrated the practical use of docker trust signer remove for managing content trust in a Docker environment.