Initial local setup

Before you can use Docker Content Trust (DCT), you must complete local setup.

Enable DCT

DCT is active on the server, but every Docker client that wants to use it must opt in. This is done by setting the DOCKER_CONTENT_TRUST environment variable, which must be set whenever DCT is used locally.

export DOCKER_CONTENT_TRUST=1

Configure CA certificates

You can skip this section and move on to Sign images that MKE can trust, if:

  • Your CA certificate is issued by a well-known root CA.

  • Your MSR is installed on the local machine and is configured as an insecure registry, although this is mostly a development and test configuration.

If the MSR is configured with a self-signed CA certificate, you must configure the machine that runs the docker trust commands to trust the CA certificate, as detailed below.

Caution

It is not possible to use DCT with a remote MSR that is set up as an insecure registry in the Docker daemon configuration. This is because the Docker client does not use the server daemon for Notary operations, but instead communicates directly with the MSR Notary service. The client does not read the insecure registry configuration from the server, and there is no way to configure the client for insecure registries.

To configure your machine to trust a self-signed CA:

  1. Create a certificate directory for the MSR host in the Docker configuration directory:

    export MSR=<registry-hostname>
    mkdir -p ~/.docker/certs.d/${MSR}
    
  2. Download the MSR CA certificate into the newly created directory:

    curl -ks https://$MSR/ca > ~/.docker/certs.d/${MSR}/ca.crt
    
  3. Restart the Docker daemon.

  4. Verify that you do not receive certificate errors when accessing MSR using the Docker CLI by running docker login ${MSR}.

  5. Create a symlink between the certs.d and tls directories:

    ln -s certs.d ~/.docker/tls
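The five steps above, carried through as a single POSIX shell script. This is an added example, not part of the MKE/MSR documentation: the function names install_msr_ca and check_msr_ca and the DOCKER_CONFIG_DIR override are assumptions of this example. It takes an already-downloaded CA file rather than fetching it, because the download in step 2 uses curl -k (no TLS verification), so the file should be checked before it is trusted; the script refuses anything that is not a PEM certificate, mirrors the certs.d/tls symlink layout, and verifies that the path the Docker CLI reads and the path the trust client reads resolve to the same, unexpired CA.

```shell
#!/bin/sh
# Added example (not from the MKE/MSR docs): installs a self-signed MSR CA into
# the local Docker client trust layout and checks the result.
# Assumed names: install_msr_ca, check_msr_ca, DOCKER_CONFIG_DIR.
set -eu

# Defaults to ~/.docker; overridable so the script can be exercised in a scratch dir.
DOCKER_CONFIG_DIR="${DOCKER_CONFIG_DIR:-${HOME:-.}/.docker}"

# install_msr_ca HOSTNAME CA_PEM_FILE
# Creates $DOCKER_CONFIG_DIR/certs.d/HOSTNAME/ca.crt from a PEM file obtained as
# in step 2 (curl -ks https://$MSR/ca), then links $DOCKER_CONFIG_DIR/tls to
# certs.d (step 5) so the Notary/trust client sees the same CA as the daemon.
install_msr_ca() {
  host="$1"; src="$2"
  dest_dir="$DOCKER_CONFIG_DIR/certs.d/$host"
  # The unverified download can return an HTML error page instead of a cert;
  # refuse anything that does not look like PEM before trusting it.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || {
    echo "$src is not a PEM certificate, refusing to install it" >&2; return 1; }
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/ca.crt"
  chmod 644 "$dest_dir/ca.crt"
  # Relative target: the link lives in $DOCKER_CONFIG_DIR and points at its
  # sibling certs.d, exactly like `ln -s certs.d ~/.docker/tls`.
  [ -e "$DOCKER_CONFIG_DIR/tls" ] || ln -s certs.d "$DOCKER_CONFIG_DIR/tls"
}

# check_msr_ca HOSTNAME
# Verifies that both lookup paths resolve to a CA file and, when openssl is
# available, that the file parses as an X.509 certificate and is not expired.
check_msr_ca() {
  host="$1"
  engine_ca="$DOCKER_CONFIG_DIR/certs.d/$host/ca.crt"
  trust_ca="$DOCKER_CONFIG_DIR/tls/$host/ca.crt"
  [ -f "$engine_ca" ] || { echo "missing $engine_ca" >&2; return 1; }
  [ -f "$trust_ca" ] || { echo "missing $trust_ca (is the tls symlink present?)" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$engine_ca" -noout -checkend 0 >/dev/null || {
      echo "CA certificate does not parse or has expired" >&2; return 1; }
  fi
  echo "CA for $host installed at $engine_ca; now restart the Docker daemon and run: docker login $host"
}

# Usage: DOCKER_CONFIG_DIR=~/.docker sh setup-msr-trust.sh <msr-hostname> <ca.pem>
if [ "$#" -eq 2 ]; then
  install_msr_ca "$1" "$2"
  check_msr_ca "$1"
fi
```

The daemon restart (step 3) is deliberately left to the operator, since it is host-specific (systemctl, service, or Docker Desktop); the final message reminds you of it and of the docker login check from step 4.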