When transferring data among networked systems, trust is a central concern. In particular, when communicating over an untrusted medium such as the internet, it is critical to ensure the integrity and the publisher of all the data a system operates on. You use the Docker Engine to push and pull images (data) to a registry. Content trust gives you the ability to verify both the integrity and the publisher of all the data received from a registry over any channel.

About Docker Content Trust (DCT)

Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.

Through DCT, image publishers can sign their images and image consumers can ensure that the images they pull are signed. Publishers could be individuals or organizations manually signing their content, or automated software supply chains signing content as part of their release process.

Image tags and DCT

An individual image record has the following identifier:

[REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG]

A particular image REPOSITORY can have multiple tags. For example, latest and 3.1.2 are both tags on the mongo image. An image publisher can build an image and tag combination many times, changing the image with each build.

DCT is associated with the TAG portion of an image. Each image repository has a set of keys that image publishers use to sign an image tag. Image publishers have discretion on which tags they sign.

An image repository can contain an image with one tag that is signed and another tag that is not. For example, the latest tag could be unsigned while the 3.1.6 tag could be signed. It is the responsibility of the image publisher to decide if an image tag is signed or not. In this representation, some image tags are signed, others are not.

Publishers can choose to sign a specific tag or not. As a result, the content of an unsigned tag and that of a signed tag with the same name may not match. For example, a publisher can push a tagged image someimage:latest and sign it. Later, the same publisher can push an unsigned someimage:latest image. This second push replaces the last unsigned tag latest but does not affect the signed latest version. The ability to choose which tags they sign allows publishers to iterate over the unsigned version of an image before officially signing it.

Image consumers can enable DCT to ensure that images they use were signed. If a consumer enables DCT, they can only pull, run, or build with trusted images. Enabling DCT is a bit like applying a “filter” to your registry: consumers see only signed image tags, and the less desirable, unsigned image tags are invisible to them.

To the consumer who has not enabled DCT, nothing about how they work with Docker images changes. Every image is visible regardless of whether it is signed or not.

Trust for an image tag is managed through the use of signing keys. A key set is created when an operation using DCT is first invoked. A key set consists of the following classes of keys:

- an offline key that is the root of DCT for an image tag
- repository or tagging keys that sign tags
- server-managed keys such as the timestamp key, which provides freshness

The following image depicts the various signing keys and their relationships:

The root key once lost is not recoverable. This loss also requires manual intervention from every consumer that used a signed tag from this repository prior to the loss. If you lose any other key, send an email to Docker Hub Support. You should back up the root key somewhere safe.
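The tag semantics described above, as a small runnable model: a parser for the image identifier format, and a repository that keeps the registry's mutable tag list separate from the signed trust data, so that an unsigned push of latest replaces what the registry serves while a DCT-enabled consumer still resolves latest to the signed digest and never sees tags that were never signed. This is an added example, not Docker's or Notary's own code; the Repository class, the pull and demo functions, the host-detection rule in the regular expression and the sha256 placeholder digests are all constructed for illustration.

```python
"""Toy model of Docker Content Trust (DCT) tag semantics.

Added example, not Docker's or Notary's own code. It keeps two separate
stores, which is how DCT behaves conceptually: the registry's mutable
tag -> digest map, and the signed trust data, which only records the tags
the publisher chose to sign. All digests below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Identifier format from the page: [REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG]
# Simplifying assumption: a leading component is a registry host only if it
# contains a '.' or a ':port', or is exactly 'localhost'.
_REF = re.compile(
    r"^(?:(?P<host>[^/]+(?:\.[^/]+|:\d+)|localhost)/)?"
    r"(?P<repo>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    host: Optional[str]
    repo: str
    tag: str


def parse_ref(ref: str) -> ImageRef:
    """Split an image reference into host, repository and tag (default 'latest')."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"invalid image reference: {ref!r}")
    return ImageRef(m["host"], m["repo"], m["tag"] or "latest")


@dataclass
class Repository:
    """One image repository: registry tags plus DCT trust data."""
    tags: Dict[str, str] = field(default_factory=dict)    # tag -> digest the registry serves now
    signed: Dict[str, str] = field(default_factory=dict)  # tag -> digest recorded in signed trust data

    def push(self, tag: str, digest: str, sign: bool = False) -> None:
        self.tags[tag] = digest        # every push moves the registry's tag
        if sign:
            self.signed[tag] = digest  # only a signed push updates trust data

    def resolve(self, tag: str, dct_enabled: bool) -> Optional[str]:
        # With DCT on, the tag is looked up in trust data, never in the registry's tag list.
        return (self.signed if dct_enabled else self.tags).get(tag)

    def visible_tags(self, dct_enabled: bool) -> Set[str]:
        # The "filter": a DCT-enabled consumer only sees tags that have signed trust data.
        return set(self.signed if dct_enabled else self.tags)


def pull(repo: Repository, ref: str, dct_enabled: bool) -> str:
    """Resolve a reference the way a consumer would; unsigned tags fail under DCT."""
    parsed = parse_ref(ref)
    digest = repo.resolve(parsed.tag, dct_enabled)
    if digest is None:
        raise LookupError(f"no {'trust data' if dct_enabled else 'tag'} for {ref}")
    return digest


# Constructed placeholder digests, not real image digests.
SIGNED_316, SIGNED_LATEST = "sha256:1111", "sha256:2222"
UNSIGNED_LATEST, UNSIGNED_DEV = "sha256:3333", "sha256:4444"


def demo() -> dict:
    """Replay the page's scenario: sign latest, then push an unsigned latest over it."""
    mongo = Repository()
    mongo.push("3.1.6", SIGNED_316, sign=True)
    mongo.push("latest", SIGNED_LATEST, sign=True)
    mongo.push("latest", UNSIGNED_LATEST)   # replaces the registry tag; trust data unchanged
    mongo.push("dev", UNSIGNED_DEV)         # never signed: invisible under DCT
    return {
        "plain_latest": pull(mongo, "mongo:latest", dct_enabled=False),
        "trusted_latest": pull(mongo, "mongo:latest", dct_enabled=True),
        "trusted_dev": mongo.resolve("dev", dct_enabled=True),
        "plain_tags": sorted(mongo.visible_tags(dct_enabled=False)),
        "trusted_tags": sorted(mongo.visible_tags(dct_enabled=True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping two stores is that the registry's tag list is never consulted for resolution once DCT is on: the signed record for latest survives the later unsigned push, and a tag with no trust data is an error rather than a silent fallback. With the real Docker CLI a consumer turns this filter on by setting the DOCKER_CONTENT_TRUST=1 environment variable, after which pulling a tag that has no signed trust data fails.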