Sign an image

Once you have initiated a repository for use with Docker Content Trust (DCT), you can sign images.

To sign an image:

  1. Push the required image to MSR. You will be prompted for the repository key password, as displayed in the example output.

    docker push <registry-host-name>/<namespace>/<repository>:<tag>

    Example output:

    The push refers to repository [<registry-host-name>/<namespace>/<repository>]
    b2d5eeeaba3a: Layer already exists
    latest: digest: sha256:def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748 size: 528
    Signing and pushing trust metadata
    Enter passphrase for repository key with ID c549efc: <repository-password>
    Successfully signed <registry-host-name>/<namespace>/<repository>:<tag>

  2. Inspect the repository trust metadata to verify that the image is signed by the user:

    docker trust inspect --pretty <registry-host-name>/<namespace>/<repository>

    Example output:

    Signatures for <registry-host-name>/<namespace>/<repository>
    SIGNED TAG   DIGEST                                                             SIGNERS
    <tag>        def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748   Repo Admin
    Administrative keys for <registry-host-name>/<namespace>/<repository>
      Repository Key:       e0d15a24b7...540b4a2506b
      Root Key:             b74854cb27...a72fbdd7b9a
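
The two steps above can be cross-checked in a script: the digest reported by `docker push` should be the digest recorded for the tag in the trust metadata. The following is an added example, not part of the original procedure or the product's tooling; the function names and the `registry.example.com/dev/app` repository are hypothetical, and the sample text is constructed from the example output on this page.

```shell
#!/bin/sh
# Added example: cross-check `docker push` output against trust metadata.
# Sample text is constructed from the example output on this page;
# registry.example.com/dev/app is a placeholder repository name.
DIGEST=def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748
PUSH_LOG="The push refers to repository [registry.example.com/dev/app]
b2d5eeeaba3a: Layer already exists
latest: digest: sha256:$DIGEST size: 528
Signing and pushing trust metadata
Successfully signed registry.example.com/dev/app:latest"
TRUST_LOG="Signatures for registry.example.com/dev/app

SIGNED TAG   DIGEST                                                             SIGNERS
latest       $DIGEST   Repo Admin

Administrative keys for registry.example.com/dev/app"

# Print the sha256 hex that the push reported for tag $1 (push output on stdin).
pushed_digest() {
    awk -v tag="$1" '$1 == (tag ":") && $2 == "digest:" {
        sub(/^sha256:/, "", $3); print $3; exit }'
}

# Print the digest recorded for tag $1 in the SIGNED TAG table (stdin).
signed_digest() {
    awk -v tag="$1" '
        /^SIGNED TAG/ { in_table = 1; next }
        in_table && NF == 0 { exit }                  # blank line ends the table
        in_table && $1 == tag && length($2) == 64 && $2 !~ /[^0-9a-f]/ {
            print $2; exit }'
}

# verify_signed TAG PUSH_OUTPUT TRUST_OUTPUT
# 0 = signed digest matches the push, 1 = unsigned or mismatch, 2 = bad input.
verify_signed() {
    pushed=$(printf '%s\n' "$2" | pushed_digest "$1")
    signed=$(printf '%s\n' "$3" | signed_digest "$1")
    [ -n "$pushed" ] || { echo "no digest for tag $1 in push output" >&2; return 2; }
    [ -n "$signed" ] || { echo "tag $1 has no signed entry" >&2; return 1; }
    [ "$pushed" = "$signed" ] || { echo "digest mismatch for $1" >&2; return 1; }
    echo "$1 is signed: sha256:$signed"
}

verify_signed latest "$PUSH_LOG" "$TRUST_LOG"
```

To run the check against a live repository, pass the captured output of the commands from steps 1 and 2 in place of the constructed samples.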