Add a delegation
You can sign an image with the keys of multiple users, for example when an image must be signed by both a member of the Security team and a member of the Development team.
To add a delegation:

The procedure herein assumes that the original user is a member of the Development team, and thus you only need to add a Security team member.

1. Obtain a signing key pair for the Security team user. Refer to Initial local setup for more information.

2. Add the private key of the Security team member to the local Docker Container Trust store.

       docker trust key load --name <security-team-member-name> key.pem

   The system prompts you for the user key password, as shown in the example output:

       Loading key from "key.pem"...
       Enter passphrase for new <security-team-member-name> key with ID 5ac7d9a: <security-team-member-password>
       Repeat passphrase for new <security-team-member-name> key with ID 5ac7d9a: <security-team-member-password>
       Successfully imported key from key.pem

3. Upload the Security team member public key to the Notary server.

       docker trust signer add --key cert.pem <security-team-member-name> <registry-host-name>/<namespace>/<repository>

   The system prompts you for the repository key password, as shown in the example output:

       Adding signer "<security-team-member-name>" to <registry-host-name>/<namespace>/<repository>...
       Enter passphrase for repository key with ID e0d15a2: <repository-password>
       Successfully added signer: <security-team-member-name> to <registry-host-name>/<namespace>/<repository>

4. Sign the image as the Security team member.

       docker trust sign <registry-host-name>/<namespace>/<repository>:<tag>

   The system prompts you for the Development team member key password and the Security team member key password, as shown in the example output:

       Signing and pushing trust metadata for <registry-host-name>/<namespace>/<repository>:<tag>
       Existing signatures for tag 1 digest 5b49c8e2c890fbb0a35f6050ed3c5109c5bb47b9e774264f4f3aa85bb69e2033 from:
       <development-team-member-name>
       Enter passphrase for <development-team-member-name> key with ID 927f303: <development-team-member-password>
       Enter passphrase for <security-team-member-name> key with ID 5ac7d9a: <security-team-member-password>
       Successfully signed <registry-host-name>/<namespace>/<repository>:<tag>

5. Review the repository trust metadata to verify that the image is signed by both users:

       docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>

   Example output:

       Signatures for <registry-host-name>/<namespace>/<repository>:<tag>

       SIGNED TAG   DIGEST                      SIGNERS
       1            5b49c8e2c89...5bb69e2033    <development-team-member-name>, <security-team-member-name>

       List of signers and their keys for <registry-host-name>/<namespace>/<repository>:<tag>

       SIGNER                           KEYS
       <development-team-member-name>   927f30366699
       <security-team-member-name>      5ac7d9af7222

       Administrative keys for <registry-host-name>/<namespace>/<repository>:<tag>

         Repository Key: e0d15a24b741ab049470298734397afbea539400510cb30d3b996540b4a2506b
         Root Key: b74854cb27cc25220ede4b08028967d1c6e297a759a6939dfef1ea72fbdd7b9a
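Step 5 leaves the "both teams have signed" check to a human reading the `--pretty` output. The following is an added example, not code from the Docker documentation, showing how a CI gate can enforce that rule automatically: it parses the JSON that `docker trust inspect <repo>:<tag>` prints without `--pretty` (an array with one object per reference, each carrying `SignedTags`, `Signers` and `AdministrativeKeys`) and fails unless every required signer appears for the tag. Docker Content Trust on its own accepts a tag signed by any one delegated signer, so a multi-team requirement has to be enforced as a policy on top of it, which is what this check does. The embedded metadata is a constructed sample; the signer names are the page's placeholders, the digest and key IDs are those from the example output above, and the registry host `registry.example.test` is made up.

```python
"""Gate an image on its trust metadata: require a signature from every listed signer.

Added example, not part of the Docker documentation. Reads `docker trust inspect`
JSON (the non --pretty form) and checks a tag against a required set of signers.
"""
import json
import subprocess
from typing import List, Set, Tuple

# Constructed sample shaped like `docker trust inspect` JSON output. Signer names
# are the page's placeholders; digest and key IDs come from the page's example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "registry.example.test/namespace/repository:1",
        "SignedTags": [
            {
                "SignedTag": "1",
                "Digest": "5b49c8e2c890fbb0a35f6050ed3c5109c5bb47b9e774264f4f3aa85bb69e2033",
                "Signers": ["development-team-member", "security-team-member"],
            }
        ],
        "Signers": [
            {"Name": "development-team-member", "Keys": [{"ID": "927f30366699"}]},
            {"Name": "security-team-member", "Keys": [{"ID": "5ac7d9af7222"}]},
        ],
        "AdministrativeKeys": [
            {"Name": "Root",
             "Keys": [{"ID": "b74854cb27cc25220ede4b08028967d1c6e297a759a6939dfef1ea72fbdd7b9a"}]},
            {"Name": "Repository",
             "Keys": [{"ID": "e0d15a24b741ab049470298734397afbea539400510cb30d3b996540b4a2506b"}]},
        ],
    }
])


def inspect_trust(reference: str) -> str:
    """Run `docker trust inspect` for a real reference and return its JSON text.

    Not exercised in this example: it needs a Docker client with access to the
    registry's Notary server. Feed its result to the checks below.
    """
    result = subprocess.run(
        ["docker", "trust", "inspect", reference],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def signed_tag_entry(inspect_json: str, tag: str) -> dict:
    """Return the SignedTags entry for `tag`, or {} if the tag has no trust data.

    A tag with no entry is unsigned. Callers must treat that as a failure, not as
    "nothing to check", or a tag pushed without signing would pass the gate.
    """
    for repo in json.loads(inspect_json):
        for entry in repo.get("SignedTags", []):
            if entry.get("SignedTag") == tag:
                return entry
    return {}


def signed_digest(inspect_json: str, tag: str) -> str:
    """Digest the trust metadata binds to `tag` ('' if unsigned).

    Pin this digest in the deployment manifest so the content that was signed is
    the content that is deployed, even if the tag is later moved.
    """
    return signed_tag_entry(inspect_json, tag).get("Digest", "")


def check_required_signers(inspect_json: str, tag: str,
                           required: Set[str]) -> Tuple[bool, List[str]]:
    """Return (ok, missing): ok is True only when every required signer signed `tag`.

    `missing` lists the required signers that are absent, sorted, so the gate's
    failure message tells the operator which team still has to sign.
    """
    signers = set(signed_tag_entry(inspect_json, tag).get("Signers", []))
    missing = sorted(required - signers)
    return (not missing, missing)


if __name__ == "__main__":
    policy = {"development-team-member", "security-team-member"}
    ok, missing = check_required_signers(SAMPLE_INSPECT, "1", policy)
    print("tag 1 digest:", signed_digest(SAMPLE_INSPECT, "1"))
    print("both teams signed:", ok, "missing:", missing)
```

In a pipeline, replace `SAMPLE_INSPECT` with `inspect_trust("<registry-host-name>/<namespace>/<repository>:<tag>")` and fail the job when `check_required_signers` returns `ok == False`; deploying by the returned digest rather than by tag keeps the signed content and the deployed content identical.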