Add a delegation

You have the option to sign an image using multiple user keys. For example, in the event that an image must be signed by both a member of the Security team and a member of the Development team.

To add a delegation:

The procedure herein assumes that the original user is a member of the Development team, and thus you only need to add a Security team member.

1. Obtain a signing key pair for the Security team user. Refer to Initial local setup for more information.

2. Add the private key of the Security team member to the local Docker Container Trust store.

   docker trust key load --name <security-team-member-name> key.pem
   

   The system prompts you for the user key password, as shown in the example output:

   Loading key from "key.pem"...
   Enter passphrase for new <security-team-member-name> key with ID 5ac7d9a: <security-team-member-password>
   Repeat passphrase for new <security-team-member-name> key with ID 5ac7d9a: <security-team-member-password>
   Successfully imported key from key.pem
   

3. Upload the Security team member public key to the Notary server.

   docker trust signer add --key cert.pem <security-team-member-name> <registry-host-name>/<namespace>/<repository>
   

   The system prompts you for the repository key password, as shown in the example output:

   Adding signer "<security-team-member-name>" to <registry-host-name>/<namespace>/<repository>...
   Enter passphrase for repository key with ID e0d15a2: <repository-password>
   Successfully added signer: <security-team-member-name> to <registry-host-name>/<namespace>/<repository>
   

4. Sign the image as the Security team member.

   docker trust sign <registry-host-name>/<namespace>/<repository>:<tag>
   

   The system prompts you for the Development team member key password and the Security team member key password, as shown in the example output:

   Signing and pushing trust metadata for <registry-host-name>/<namespace>/<repository>:<tag>
   Existing signatures for tag 1 digest 5b49c8e2c890fbb0a35f6050ed3c5109c5bb47b9e774264f4f3aa85bb69e2033 from:
   <development-team-member-name>
   Enter passphrase for <development-team-member-name> key with ID 927f303: <development-team-member-password>
   Enter passphrase for <security-team-member-name> key with ID 5ac7d9a: <security-team-member-password>
   Successfully signed <registry-host-name>/<namespace>/<repository>:<tag>
   

5. Review the repository trust metadata to verify that the image is signed by both users:

   docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>
   

   Example output:

   Signatures for <registry-host-name>/<namespace>/<repository>:<tag>
   
   SIGNED TAG     DIGEST                                                            SIGNERS
   1              5b49c8e2c89...5bb69e2033  <development-team-member-name>, <security-team-member-name>
   
   List of signers and their keys for <registry-host-name>/<namespace>/<repository>:<tag>
   
   SIGNER                             KEYS
   <development-team-member-name>     927f30366699
   <security-team-member-name>        5ac7d9af7222
   
   Administrative keys for <registry-host-name>/<namespace>/<repository>:<tag>
   
     Repository Key:       e0d15a24b741ab049470298734397afbea539400510cb30d3b996540b4a2506b
     Root Key:     b74854cb27cc25220ede4b08028967d1c6e297a759a6939dfef1ea72fbdd7b9a
   

See also

Official Docker documentation: Delegations for content trust