Sign an image

Once you have initiated a repository for use with Docker Content Trust (DCT), you can now sign images.

To sign an image:

1. Push the required image to MSR. You will be prompted for the repository key password, as displayed in the example output.

   docker push <registry-host-name>/<namespace>/<repository>:<tag>
   

   Example output:

   The push refers to repository [<registry-host-name>/<namespace>/<repository>]
   b2d5eeeaba3a: Layer already exists
   latest: digest: sha256:def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748 size: 528
   Signing and pushing trust metadata
   Enter passphrase for repository key with ID c549efc: <repository-password>
   Successfully signed <registry-host-name>/<namespace>/<repository>:<tag>
   

2. Inspect the repository trust metadata to verify that the image is signed by the user:

   docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>
   

   Example output:

   Signatures for <registry-host-name>/<namespace>/<repository>
   
   SIGNED TAG   DIGEST                                                             SIGNERS
   <tag>        def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748   Repo Admin
   
   Administrative keys for <registry-host-name>/<namespace>/<repository>
   
     Repository Key:       e0d15a24b7...540b4a2506b
     Root Key:             b74854cb27...a72fbdd7b9a