Add an additional signer

You have the option to sign an image using multiple user keys. This topic describes how to add a regular user as a signer in addition to the repository admin.

Note

Signers in Docker Content Trust (DCT) do not correspond to users in MSR, so you can add a signer whose user name does not exist in MSR.

To add a signer:

  1. On the user machine, obtain a signing key pair:

    docker trust key generate <user-name>
    

    Example output:

    Generating key for <user-name>...
    Enter passphrase for new <user-name> key with ID c549efc: <user-password>
    Repeat passphrase for new <user-name> key with ID c549efc: <user-password>
    Successfully generated and loaded private key. Corresponding public key available:
    /path/to/public/key/<user-name>.pub
    

    The private key is password protected and kept in the local trust store, where it stays for all subsequent signing operations. The public key is written to the .pub file, which you must provide to the repository administrator so that the user can be added as a signer.

  2. Provide the user public key to the repository admin.

  3. On the admin machine, add the user as a signer to the repository. You will be prompted for the repository key password that you created in Configure repository for signing, as displayed in the example output.

    docker trust signer add --key /path/to/public/key/<user-name>.pub <user-name> <registry-host-name>/<namespace>/<repository>
    

    Example output:

    Adding signer "<user-name>" to <registry-host-name>/<namespace>/<repository>...
    Enter passphrase for repository key with ID 493e995: <repository-password>
    Successfully added signer: <user-name> to <registry-host-name>/<namespace>/<repository>
    
  4. Inspect the repository trust metadata to verify that the user is correctly added:

    docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>
    

    Example output:

    Signatures for <registry-host-name>/<namespace>/<repository>
    
    SIGNED TAG   DIGEST                                                             SIGNERS
    <tag>        def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748   Repo Admin
    
    List of signers and their keys for kubernetes.docker.internal/admin/nginx
    
    SIGNER           KEYS
    <user-name>      c9f9039a520a
    
    Administrative keys for <registry-host-name>/<namespace>/<repository>
    
      Repository Key:       e0d15a24b7...540b4a2506b
      Root Key:             b74854cb27...a72fbdd7b9a
    
  5. On the user machine, sign the image as the regular user. You will be prompted for the user key password, as displayed in the example output.

    docker trust sign <registry-host-name>/<namespace>/<repository>:<tag>
    

    Example output:

    Signing and pushing trust metadata for <registry-host-name>/<namespace>/<repository>:<tag>
    Enter passphrase for <user-name> key with ID 927f303: <user-password>
    Enter passphrase for <user-name> key with ID 5ac7d9a: <user-password>
    Successfully signed <registry-host-name>/<namespace>/<repository>:<tag>
    
  6. Inspect the repository trust metadata to verify that the image is signed by the user:

    docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>
    

    Example output:

    Signatures for <registry-host-name>/<namespace>/<repository>:<tag>
    
    SIGNED TAG   DIGEST                      SIGNERS
    <tag>        5b49c8e2c89...5bb69e2033    <user-name>
    
    List of signers and their keys for <registry-host-name>/<namespace>/<repository>:<tag>
    
    SIGNER         KEYS
    <user-name>    927f30366699
    
    Administrative keys for <registry-host-name>/<namespace>/<repository>:<tag>
    
      Repository Key:       e0d15a24b741ab049470298734397afbea539400510cb30d3b996540b4a2506b
      Root Key:             b74854cb27cc25220ede4b08028967d1c6e297a759a6939dfef1ea72fbdd7b9a
    

    Note

    Once an additional signer signs an image, the repository admin is no longer listed under SIGNERS.
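As an added check that is not part of this topic or of the docker CLI, the following Python reads the JSON that `docker trust inspect` prints without `--pretty` and confirms that a tag carries the expected signer before the image is pulled by digest; the repository, tag, signer name, key ID and digest values are constructed samples.

```python
import json
import re

# Added example (not from the docs or the docker CLI). It reads the JSON array
# that `docker trust inspect <repo>` prints without --pretty, using the CLI's
# field names Name, SignedTags and Signers (AdministrativeKeys omitted here).
# Repository, tag, signer, key ID and digest values are constructed samples.
DIGEST_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed snapshot after step 4: "alice" is a signer, but the tag is still
# signed only by the repository admin.
AFTER_SIGNER_ADD = json.dumps([{
    "Name": "registry.example.com/admin/nginx",
    "SignedTags": [{"SignedTag": "1.25", "Digest": "def822f9851c" + "0" * 52,
                    "Signers": ["Repo Admin"]}],
    "Signers": [{"Name": "alice", "Keys": [{"ID": "c9f9039a520a"}]}],
}])

# Constructed snapshot after step 6: "alice" signed the tag and, as the closing
# note says, "Repo Admin" is no longer listed for it.
AFTER_USER_SIGN = json.dumps([{
    "Name": "registry.example.com/admin/nginx",
    "SignedTags": [{"SignedTag": "1.25", "Digest": "5b49c8e2c890" + "1" * 52,
                    "Signers": ["alice"]}],
    "Signers": [{"Name": "alice", "Keys": [{"ID": "c9f9039a520a"}]}],
}])

def repo_entries(inspect_output, repo):
    """Yield entries for `repo`, whether inspected with or without a tag suffix."""
    for entry in json.loads(inspect_output):
        name = entry.get("Name", "")
        if name == repo or name.startswith(repo + ":"):
            yield entry

def signed_digest(inspect_output, repo, tag, required):
    """Return the tag's digest if every name in `required` signed it, else None.
    Pull by that digest so the check and the pull refer to the same content."""
    for entry in repo_entries(inspect_output, repo):
        for signed in entry.get("SignedTags", []):
            digest = signed.get("Digest", "")
            if (signed.get("SignedTag") == tag and DIGEST_RE.match(digest)
                    and set(required) <= set(signed.get("Signers", []))):
                return digest
    return None

def signer_key_ids(inspect_output, repo, signer):
    """Key IDs listed for `signer`; compare with the ID from `docker trust key generate`."""
    return {k["ID"] for e in repo_entries(inspect_output, repo)
            for s in e.get("Signers", []) if s.get("Name") == signer
            for k in s.get("Keys", [])}
```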