Sign an image
Once you have initialized a repository for use with Docker Content Trust (DCT), you can sign images.
To sign an image:
Push the required image to MSR. You will be prompted for the repository key password, as displayed in the example output.
docker push <registry-host-name>/<namespace>/<repository>:<tag>
Example output:
The push refers to repository [<registry-host-name>/<namespace>/<repository>]
b2d5eeeaba3a: Layer already exists
latest: digest: sha256:def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748 size: 528
Signing and pushing trust metadata
Enter passphrase for repository key with ID c549efc: <repository-password>
Successfully signed <registry-host-name>/<namespace>/<repository>:<tag>
Inspect the repository trust metadata to verify that the image is signed by the user:
docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>
Example output:
Signatures for <registry-host-name>/<namespace>/<repository>

SIGNED TAG   DIGEST                                                             SIGNERS
<tag>        def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748   Repo Admin

Administrative keys for <registry-host-name>/<namespace>/<repository>

  Repository Key: e0d15a24b7...540b4a2506b
  Root Key:       b74854cb27...a72fbdd7b9a
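The verification step above can be scripted so that a pipeline fails when the tag is unsigned or when the signed digest differs from the digest reported by the push. This is an added example, not part of the MSR documentation: the function names `trust_row` and `verify_signed` are hypothetical, the sample text is constructed, and the parser assumes the SIGNED TAG / DIGEST / SIGNERS column layout shown in the example output.

```shell
#!/bin/sh
# Added example: check `docker trust inspect --pretty` output for a signed tag.
# Function names and the sample text are constructed for illustration.

# Print "<digest> <signers>" for tag $1, reading the pretty output on stdin.
# Prints nothing when the tag has no signature row.
trust_row() {
    awk -v tag="$1" '
        /^SIGNED TAG/ { in_table = 1; next }    # header of the signature table
        in_table && NF == 0 { in_table = 0 }    # a blank line ends the table
        # Force a string comparison: numerically, tag "1" would equal "1.0".
        in_table && ($1 "") == (tag "") {
            digest = $2
            $1 = ""; $2 = ""                    # rest of the row is the signer list
            sub(/^ +/, "")
            print digest, $0
            exit
        }'
}

# Succeed only if tag $1 is signed with digest $2 ("sha256:" prefix optional).
# stdin: output of `docker trust inspect --pretty <repository>`.
verify_signed() {
    row=$(trust_row "$1")
    [ -n "$row" ] || { echo "tag $1: no trust data" >&2; return 1; }
    signed=${row%% *}
    [ "$signed" = "${2#sha256:}" ] || {
        echo "tag $1: signed digest $signed does not match" >&2; return 1; }
    echo "tag $1 signed by: ${row#* }"
}

# Constructed sample output (the digest is the one from the example above).
SAMPLE='Signatures for registry.example.com/ns/repo

SIGNED TAG   DIGEST                                                             SIGNERS
1.0          def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748   Repo Admin

Administrative keys for registry.example.com/ns/repo

  Repository Key: <constructed>
  Root Key: <constructed>'

# Live use (requires Docker and access to the registry):
#   docker trust inspect --pretty "$REPO" | verify_signed "$TAG" "$PUSH_DIGEST"
```

Comparing against the digest printed by `docker push` ties the check to the image that was just pushed rather than to whatever the tag happens to be signed with.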