Sign images with Docker Content Trust
Mirantis Secure Registry (MSR) ships with both the Notary server and the Notary signer, thus providing the required components for using Docker Content Trust (DCT). DCT allows you to sign image tags, giving consumers a way to verify the integrity of your images.
MSR implements DCT using a combination of server-side and client-side components. The Notary containers make up the server side and are deployed by default with every MSR installation. Client-side operations are performed with a combination of docker trust and notary commands, which operate on data in the local trust store that these tools maintain. Changes are then pushed from the local store to the Notary server so that they are available to MSR.
As they are part of MSR, the Notary and the Registry servers are accessed through a front-end proxy, with both components sharing the MKE RBAC (Role-based Access Control) Engine. As such, you do not require additional Docker client configuration to use DCT.
DCT is integrated with the Docker CLI and allows you to configure repositories, add signers, and sign images using the docker trust command.
Note

If the MSR certificate authority (CA) is self-signed, you must configure the machine running the docker trust command to trust the MSR CA. To do this, create a folder under $HOME/.docker/tls/ named after the MSR host and place the MSR CA file in it. For example, for the host msr.example.com:

    mkdir -p $HOME/.docker/tls/msr.example.com
    curl -k -o $HOME/.docker/tls/msr.example.com/msr-ca.crt https://msr.example.com/ca
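The following script is an added example, not part of the MSR documentation or the Mirantis tooling. It puts the two halves of this page together: installing the MSR CA into the Docker client trust folder described in the note, then configuring a repository for DCT and signing a tag with docker trust. The host msr.example.com, the repository myorg/app, the tag 1.0 and the signer name alice are assumed values for illustration. Because curl -k fetches the CA without TLS verification, the install function also compares the downloaded certificate's SHA-256 fingerprint with one you obtained out-of-band (for example from the MSR administrator) before the file is relied on.

```shell
#!/bin/sh
# Added example (not from the MSR docs): MSR CA installation plus a DCT signing
# workflow. Assumed values: MSR_HOST=msr.example.com, repository myorg/app,
# tag 1.0, signer alice. Adjust them for your environment.
set -eu

MSR_HOST="${MSR_HOST:-msr.example.com}"

# Folder in which the Docker client looks for a private CA for a registry host.
msr_tls_dir() {
  printf '%s/.docker/tls/%s\n' "$HOME" "$1"
}

# Path of the CA file inside that folder (name taken from the docs example).
msr_ca_path() {
  printf '%s/msr-ca.crt\n' "$(msr_tls_dir "$1")"
}

# Full image reference for a repository and tag on the MSR host.
image_ref() {
  printf '%s/%s:%s\n' "$MSR_HOST" "$1" "$2"
}

# Fetch the MSR CA and verify its SHA-256 fingerprint against a value obtained
# out-of-band. `curl -k` is unavoidable here (the CA is not trusted yet), which
# is exactly why the fingerprint check matters.
install_msr_ca() {
  host="$1"
  expected_fp="$2"      # e.g. "AB:CD:..." as printed by openssl x509 -fingerprint -sha256
  mkdir -p "$(msr_tls_dir "$host")"
  curl -k -o "$(msr_ca_path "$host")" "https://$host/ca"
  actual_fp=$(openssl x509 -in "$(msr_ca_path "$host")" -noout -fingerprint -sha256 | cut -d= -f2)
  if [ "$actual_fp" != "$expected_fp" ]; then
    echo "MSR CA fingerprint mismatch: got $actual_fp" >&2
    rm -f "$(msr_ca_path "$host")"
    return 1
  fi
}

# Generate a signer key, register the signer on the repository, then sign and
# push the tag. `docker trust key generate` writes <signer>.pub to the current
# directory and keeps the private key in ~/.docker/trust (the local trust store).
sign_and_push() {
  repo="$1"
  tag="$2"
  signer="$3"
  docker trust key generate "$signer"
  docker trust signer add --key "$signer.pub" "$signer" "$MSR_HOST/$repo"
  docker trust sign "$(image_ref "$repo" "$tag")"
  docker trust inspect --pretty "$(image_ref "$repo" "$tag")"
}

# Consumer side: with DOCKER_CONTENT_TRUST=1 the pull fails for unsigned tags.
pull_verified() {
  DOCKER_CONTENT_TRUST=1 docker pull "$(image_ref "$1" "$2")"
}

# Usage (requires network access to the MSR host and a working docker CLI):
#   install_msr_ca "$MSR_HOST" "<expected SHA-256 fingerprint>"
#   sign_and_push myorg/app 1.0 alice
#   pull_verified myorg/app 1.0
```

The helper functions that compute the trust-folder and image paths are separated from the functions that talk to the network so that the script can be sourced and checked on a machine without access to MSR; the signing functions are the ones a release pipeline would call after the CA has been installed once per client machine.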