Skip to main content

Docker Success Center

The Docker enterprise customer portal.

Docker, Inc.

Introduction to Docker Content Trust

This guide provides an overview of Docker Content Trust and some quick familiarization exercises. It was introduced in Docker Engine 1.8 and Docker CS Engine 1.9.0 an is available in Docker EE.

Docker Content Trust (DCT) provides strong cryptographic guarantees over what code and what versions of software are being run in your infrastructure.  Docker Content Trust integrates The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.

When a publisher using Docker Content Trust pushes an image to a remote registry, Docker Engine signs the image locally with the publisher’s private key. When a user  later pulls this image, Docker Engine uses the publisher’s public key to verify that the image is exactly what the publisher created, has not been tampered with, and is up to date.

More details about the internals of DCT can be found in the Docker Blog.

More information about using DCT can be found on doc.docker.com.

DCT Motivations

  • Image Provenance is critical for Production
  • Distributed content should be signed
  • Key compromise should be difficult
  • Compromise resilience is important
  • Replay attacks should be hard
  • Existing infrastructure is reused
  • Trusting Docker should not be mandatory

Pull Images with Docker Content Trust

docker pull --disable-content-trust jpetazzo/clock
docker -D pull --disable-content-trust hello-world
docker -D pull hello-world
  • Temporarily disable content trust to successfully pull unsigned content:
  • Enable debug mode to compare the behavior of pulls where signed content is verified to pulls where no trust data is verified:
  • Enable DCT:
    export DOCKER_CONTENT_TRUST=1
  • Try to pull unsigned content and observe error messages:
    docker pull jpetazzo/clock

Sign and Push Images with DCT

  • Log into Docker Hub with Docker Engine 1.8, Docker CS Engine 1.9.0, or newer:
    docker login
  • With DCT enabled, push an image to Hub. When you push, Docker will note you have no keys, create them, and prompt you for a passphrase to encrypt them:
    docker tag <clock image ID> <HubUsername>/clock:latest
    docker -D push <username>/clock:latest 
    Enter key passphrase for offline key with id <yourIDnumber>: 
    Enter passphrase for new tagging key with id docker.io/<HubUsername>/clock (<yourIDnumber>):