Once you have images in your repository, you can sign them to let's other know the image has passed a verification procedure.
- Docker to sign container images in your registry
- Connectivity to the registry (including credentials)
- Connectivity to the notary server (including credentials)
- An already existing container image in the repository (and locally)
Make sure you know the Harbor external hostname, username and password along with the
notary external hostname.
Let's assume these values in this example:
- Harbor Hostname:
- Notary Hostname:
Then log in to the registry:
$ docker login harbor.example.com -u admin -pHarbor12345 WARNING! Using --password via the CLI is insecure. Use --password-stdin. Login Succeeded
Export the following environment variable to let us Docker know that has to verify signatures against a notary server.
DOCKER_CONTENT_TRUST: Enables/Disables signatures verification.
DOCKER_CONTENT_TRUST_SERVER: Indicates what is the verification server.
$ export DOCKER_CONTENT_TRUST=1 $ export DOCKER_CONTENT_TRUST_SERVER=https://notary.example.com
Try to download the previously pushed ubuntu:16.04 image:
$ docker pull harbor.example.com/library/ubuntu:16.04 Error: remote trust data does not exist for harbor.example.com/library/ubuntu: notary.example.com does not have trust data for harbor.example.com/library/ubuntu
You can not update it because it does not have any signature. You can check it in the UI:
Let's sign it:
$ docker push harbor.example.com/library/ubuntu:16.04 The push refers to repository [harbor.example.com/library/ubuntu] 64d2e4aaa54c: Layer already exists 0d3833376c2f: Layer already exists 4a048ea09024: Layer already exists b592b5433bbf: Layer already exists 16.04: digest: sha256:a4fc0c40360ff2224db3a483e5d80e9164fe3fdce2a8439d2686270643974632 size: 1150 Signing and pushing trust metadata Enter passphrase for root key with ID 219e1af: Enter passphrase for new repository key with ID 2942d87: Repeat passphrase for new repository key with ID 2942d87: Finished initializing "harbor.example.com/library/ubuntu" Successfully signed harbor.example.com/library/ubuntu:16.04
As you can see, now
docker requires us to specify a couple of passwords:
rootkey. Required because is the first image we are signing in the entire registry
repositorykey. Required because
16.04tag in the
ubunturepository is the first tag signed for the ubuntu image.
If you want to learn more about how the keys works, read the official documentation site
Now you can verify the container image is now signed in the UI:
Try to download the image again:
$ docker pull harbor.example.com/library/ubuntu:16.04 Pull (1 of 1): harbor.example.com/library/ubuntu:16.04@sha256:a4fc0c40360ff2224db3a483e5d80e9164fe3fdce2a8439d2686270643974632 sha256:a4fc0c40360ff2224db3a483e5d80e9164fe3fdce2a8439d2686270643974632: Pulling from library/ubuntu Digest: sha256:a4fc0c40360ff2224db3a483e5d80e9164fe3fdce2a8439d2686270643974632 Status: Image is up to date for harbor.example.com/library/ubuntu@sha256:a4fc0c40360ff2224db3a483e5d80e9164fe3fdce2a8439d2686270643974632 Tagging harbor.example.com/library/ubuntu@sha256:a4fc0c40360ff2224db3a483e5d80e9164fe3fdce2a8439d2686270643974632 as harbor.example.com/library/ubuntu:16.04 harbor.example.com/library/ubuntu:16.04
Now docker pull command works as expected!
Feel free to continue to the clair section to discover vulnerabilities in the image.
Was this page helpful?
Glad to hear it! Thanks for letting us know!
Sorry to hear that. Please tell us how we can improve.