
Automate Docker Trust Signer

Article ID: KB001007

Issue

When establishing an Automated Secure Supply Chain, we need the ability to run the docker trust command non-interactively. Here are the basic steps for achieving that. These steps also apply to externally signed certs.

Prerequisites

Please ensure the Docker engine is version 18.09.0 or greater.

Resolution

Please note that these commands should be run on either the build system or the workstation. Please also do not use the example password below; the passphrases are read from the environment, so supply them from your CI secret store rather than hard-coding them.

  1. Set up the environment variables that answer the passphrase prompts, so that docker trust can run without interactive input.

    export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="Pa22word"
    export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="Pa22word"
    
  2. Add the public certificate for the signer. This can be either the client bundle cert or from an external PKI system. Add the signer to the specific repository you want to sign.

    docker trust signer add --key cert.pem admin dtr.dockr.life/admin/flask_build
    
  3. Load the private key for the signer (the "key load" step). The --name value must match the signer name used in the previous step.

    docker trust key load --name admin key.pem
    
  4. Sign the image with the docker trust command. This is important if you are using PKI at the engine level. Pay attention to the tag you are signing: only the tag named here is signed, so an untagged reference or a different tag will not be covered by this signature.

    docker trust sign dtr.dockr.life/admin/flask_build:signed
    

What's Next

The next step is to repeat this process for any other images or repositories you want to sign in an automated fashion.