Add an additional signer¶
You have the option to sign an image using multiple user keys. This topic describes how to add a regular user as a signer in addition to the repository admin.
Note
Signers in Docker Content Trust (DCT) do not correspond with users in MSR, thus you can add a signer using a user name that does not exist in MSR.
To add a signer:
On the user machine, obtain a signing key pair:
docker trust key generate <user-name>
Example output:
Generating key for <user-name>... Enter passphrase for new <user-name> key with ID c549efc: <user-password> Repeat passphrase for new <user-name> key with ID c549efc: <user-password> Successfully generated and loaded private key. Corresponding public key available: /path/to/public/key/<user-name>.pub
The private key is password protected and kept in the local trust store, where it remains throughout all signing operations. The public key is stored in the
.pubfile, which you must provide to the repository administrator to add the user as a signer.Provide the user public key to the repository admin.
On the admin machine, add the user as a signer to the repository. You will be prompted for the repository key password that you created in Configure repository for signing, as displayed in the example output.
docker trust signer add --key /path/to/public/key/<user-name>.pub <user-name> <registry-host-name>/<namespace>/<repository>
Example output:
Adding signer "<user-name>" to <registry-host-name>/<namespace>/<repository>... Enter passphrase for repository key with ID 493e995: <repository-password> Successfully added signer: <user-name> to <registry-host-name>/<namespace>/<repository>
Inspect the repository trust metadata to verify that the user is correctly added:
docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>
Example output:
Signatures for <registry-host-name>/<namespace>/<repository> SIGNED TAG DIGEST SIGNERS <tag> def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748 Repo Admin List of signers and their keys for kubernetes.docker.internal/admin/nginx SIGNER KEYS <user-name> c9f9039a520a Administrative keys for <registry-host-name>/<namespace>/<repository> Repository Key: e0d15a24b7...540b4a2506b Root Key: b74854cb27...a72fbdd7b9a
On the user machine, sign the image as the regular user. You will be prompted for the user key password, as displayed in the example output.
docker trust sign <registry-host-name>/<namespace>/<repository>:<tag>
Example output:
Signing and pushing trust metadata for <registry-host-name>/<namespace>/<repository>:<tag> Enter passphrase for <user-name> key with ID 927f303: <user-password> Enter passphrase for <user-name> key with ID 5ac7d9a: <user-password> Successfully signed <registry-host-name>/<namespace>/<repository>:<tag>
Inspect the repository trust metadata to verify that the image is signed by the user:
docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>
Example output:
Signatures for <registry-host-name>/<namespace>/<repository>:<tag> SIGNED TAG DIGEST SIGNERS <tag> 5b49c8e2c89...5bb69e2033 <user-name> List of signers and their keys for <registry-host-name>/<namespace>/<repository>:<tag> SIGNER KEYS <user-name> 927f30366699 Administrative keys for <registry-host-name>/<namespace>/<repository>:<tag> Repository Key: e0d15a24b741ab049470298734397afbea539400510cb30d3b996540b4a2506b Root Key: b74854cb27cc25220ede4b08028967d1c6e297a759a6939dfef1ea72fbdd7b9a
Note
Once an additional signer signs an image, the repository admin is no longer listed under SIGNERS.