DockerCLI/docs/reference/commandline/trust_sign.md

178 lines
5.8 KiB
Markdown
Raw Normal View History

# trust sign
<!---MARKER_GEN_START-->
Sign an image
### Options
| Name | Type | Default | Description |
|:----------|:-------|:--------|:----------------------------|
| `--local` | `bool` | | Sign a locally tagged image |
<!---MARKER_GEN_END-->
## Description
`docker trust sign` adds signatures to tags to create signed repositories.
## Examples
### Sign a tag as a repository admin
Given an image:
```console
$ docker trust inspect --pretty example/trust-demo
SIGNED TAG DIGEST SIGNERS
v1 c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41 (Repo Admin)
Administrative keys for example/trust-demo:
Repository Key: 36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
Root Key: 246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
```
Sign a new tag with `docker trust sign`:
```console
$ docker trust sign example/trust-demo:v2
Signing and pushing trust metadata for example/trust-demo:v2
The push refers to a repository [docker.io/example/trust-demo]
eed4e566104a: Layer already exists
77edfb6d1e3c: Layer already exists
c69f806905c2: Layer already exists
582f327616f1: Layer already exists
a3fbb648f0bd: Layer already exists
5eac2de68a97: Layer already exists
8d4d1ab5ff74: Layer already exists
v2: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
Signing and pushing trust metadata
Enter passphrase for repository key with ID 36d4c36:
Successfully signed docker.io/example/trust-demo:v2
```
Use `docker trust inspect --pretty` to list the new signature:
```console
$ docker trust inspect --pretty example/trust-demo
SIGNED TAG DIGEST SIGNERS
v1 c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41 (Repo Admin)
v2 8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 (Repo Admin)
Administrative keys for example/trust-demo:
Repository Key: 36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
Root Key: 246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
```
### Sign a tag as a signer
Given an image:
```console
$ docker trust inspect --pretty example/trust-demo
No signatures for example/trust-demo
List of signers and their keys for example/trust-demo:
SIGNER KEYS
alice 05e87edcaecb
bob 5600f5ab76a2
Administrative keys for example/trust-demo:
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
```
Sign a new tag with `docker trust sign`:
```console
$ docker trust sign example/trust-demo:v1
Signing and pushing trust metadata for example/trust-demo:v1
The push refers to a repository [docker.io/example/trust-demo]
26b126eb8632: Layer already exists
220d34b5f6c9: Layer already exists
8a5132998025: Layer already exists
aca233ed29c3: Layer already exists
e5d2f035d7a4: Layer already exists
v1: digest: sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 size: 1357
Signing and pushing trust metadata
Enter passphrase for delegation key with ID 27d42a8:
Successfully signed docker.io/example/trust-demo:v1
```
`docker trust inspect --pretty` lists the new signature:
```console
$ docker trust inspect --pretty example/trust-demo
SIGNED TAG DIGEST SIGNERS
v1 74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 alice
List of signers and their keys for example/trust-demo:
SIGNER KEYS
alice 05e87edcaecb
bob 5600f5ab76a2
Administrative keys for example/trust-demo:
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
```
## Initialize a new repository and sign a tag
When signing an image on a repository for the first time, `docker trust sign` sets up new keys before signing the image.
```console
$ docker trust inspect --pretty example/trust-demo
linting: ST1005: error strings should not be capitalized (stylecheck) While fixing, also updated errors without placeholders to `errors.New()`, and updated some code to use pkg/errors if it was already in use in the file. cli/command/config/inspect.go:59:10: ST1005: error strings should not be capitalized (stylecheck) return fmt.Errorf("Cannot supply extra formatting options to the pretty template") ^ cli/command/node/inspect.go:61:10: ST1005: error strings should not be capitalized (stylecheck) return fmt.Errorf("Cannot supply extra formatting options to the pretty template") ^ cli/command/secret/inspect.go:57:10: ST1005: error strings should not be capitalized (stylecheck) return fmt.Errorf("Cannot supply extra formatting options to the pretty template") ^ cli/command/trust/common.go:77:74: ST1005: error strings should not be capitalized (stylecheck) return []trustTagRow{}, []client.RoleWithSignatures{}, []data.Role{}, fmt.Errorf("No signatures or cannot access %s", remote) ^ cli/command/trust/common.go:85:73: ST1005: error strings should not be capitalized (stylecheck) return []trustTagRow{}, []client.RoleWithSignatures{}, []data.Role{}, fmt.Errorf("No signers for %s", remote) ^ cli/command/trust/sign.go:137:10: ST1005: error strings should not be capitalized (stylecheck) return fmt.Errorf("No tag specified for %s", imgRefAndAuth.Name()) ^ cli/command/trust/sign.go:151:19: ST1005: error strings should not be capitalized (stylecheck) return *target, fmt.Errorf("No tag specified") ^ cli/command/trust/signer_add.go:77:10: ST1005: error strings should not be capitalized (stylecheck) return fmt.Errorf("Failed to add signer to: %s", strings.Join(errRepos, ", ")) ^ cli/command/trust/signer_remove.go:52:10: ST1005: error strings should not be capitalized (stylecheck) return fmt.Errorf("Error removing signer from: %s", strings.Join(errRepos, ", ")) ^ cli/command/trust/signer_remove.go:67:17: ST1005: error strings should not be capitalized (stylecheck) return false, fmt.Errorf("All signed tags are currently revoked, use docker trust sign to fix") ^ cli/command/trust/signer_remove.go:108:17: ST1005: error strings should not be capitalized (stylecheck) return false, fmt.Errorf("No signer %s for repository %s", signerName, repoName) ^ opts/hosts.go:89:14: ST1005: error strings should not be capitalized (stylecheck) return "", fmt.Errorf("Invalid bind address format: %s", addr) ^ opts/hosts.go:100:14: ST1005: error strings should not be capitalized (stylecheck) return "", fmt.Errorf("Invalid proto, expected %s: %s", proto, addr) ^ opts/hosts.go:119:14: ST1005: error strings should not be capitalized (stylecheck) return "", fmt.Errorf("Invalid proto, expected tcp: %s", tryAddr) ^ opts/hosts.go:144:14: ST1005: error strings should not be capitalized (stylecheck) return "", fmt.Errorf("Invalid bind address format: %s", tryAddr) ^ opts/hosts.go:155:14: ST1005: error strings should not be capitalized (stylecheck) return "", fmt.Errorf("Invalid bind address format: %s", tryAddr) ^ Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-02 18:04:53 -04:00
no signatures or cannot access example/trust-demo
```
```console
$ docker trust sign example/trust-demo:v1
Signing and pushing trust metadata for example/trust-demo:v1
Enter passphrase for root key with ID 36cac18:
Enter passphrase for new repository key with ID 731396b:
Repeat passphrase for new repository key with ID 731396b:
Enter passphrase for new alice key with ID 6d52b29:
Repeat passphrase for new alice key with ID 6d52b29:
Created signer: alice
Finished initializing "docker.io/example/trust-demo"
The push refers to a repository [docker.io/example/trust-demo]
eed4e566104a: Layer already exists
77edfb6d1e3c: Layer already exists
c69f806905c2: Layer already exists
582f327616f1: Layer already exists
a3fbb648f0bd: Layer already exists
5eac2de68a97: Layer already exists
8d4d1ab5ff74: Layer already exists
v1: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
Signing and pushing trust metadata
Enter passphrase for alice key with ID 6d52b29:
Successfully signed docker.io/example/trust-demo:v1
```
```console
$ docker trust inspect --pretty example/trust-demo
SIGNED TAG DIGEST SIGNERS
v1 8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 alice
List of signers and their keys for example/trust-demo:
SIGNER KEYS
alice 6d52b29d940f
Administrative keys for example/trust-demo:
Repository Key: 731396b65eac3ef5ec01406801bdfb70feb40c17808d2222427c18046eb63beb
Root Key: 70d174714bd1461f6c58cb3ef39087c8fdc7633bb11a98af844fd9a04e208103
```