
Automate Docker Trust Signer

Article ID: KB001007


When establishing an Automated Secure Supply Chain you need to run the docker trust commands without interactive prompts. The basic steps for achieving that are below. They also apply when the signer certificate is issued by an external PKI rather than taken from a client bundle.


Docker Engine 18.09.0 or later is required.


These commands should be run on the build system or on a workstation that holds the signer's key. Do not use example passwords in production; supply real passphrases from a secrets store.

  1. Set up the environment variables that Docker Content Trust reads for passphrase automation (DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE and DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE) so that the commands below do not prompt.

  2. Add the public certificate for the signer. This can be either the cert from the client bundle or one issued by an external PKI system. The signer is added to the specific repository you want to sign (repository name without a tag); the first signer added to a repository also initializes its trust data and root key, which is why the root passphrase must be available.

    docker trust signer add --key cert.pem admin dtr.dockr.life/admin/flask_build
  3. Load the private key that matches the signer's certificate. The key is imported under the signer's name so that docker trust sign can find it.

    docker trust key load --name admin key.pem
  4. Sign the image with docker trust sign. This is important if content trust is enforced at the engine (or UCP) level so that only signed images run. Pay attention to the tag you are signing: the signature covers exactly the tag given, and docker trust sign pushes that tag to the registry as part of signing.

    docker trust sign dtr.dockr.life/admin/flask_build:signed
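The steps above wrapped into a build-job script, as an added example that is not part of the original KB article. It goes slightly beyond the page's single command sequence by separating the one-time setup (signer add, key load) from the per-build signing, and it adds two checks a pipeline wants: the two passphrase variables must be present, and the reference must carry an explicit tag. Assumptions not stated on the page: bash, the signer name admin, the client-bundle file names cert.pem and key.pem, the repository and tag from the page, a DOCKER variable that lets you dry-run with DOCKER=true, and that the passphrases are injected by CI rather than written into the script.

```shell
#!/usr/bin/env bash
# Added example (not from the original KB page): steps 1-4 above as shell
# functions a build job can run without prompts. Signer name, file names,
# repository and tag are assumptions taken from the page's own examples.
set -eu

# Override with DOCKER=true for a dry run that never touches a registry.
DOCKER="${DOCKER:-docker}"

# Step 1: Docker Content Trust reads these two variables instead of
# prompting. ROOT protects the per-repository root key created on the first
# signer add; REPOSITORY protects the targets/snapshot keys and is the CLI's
# fallback for any non-root key, including the signer key that key load
# encrypts on import (observed CLI behaviour; confirm on your version).
require_trust_env() {
  [ -n "${DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE:-}" ] \
    || { echo "error: DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE is not set" >&2; return 1; }
  [ -n "${DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE:-}" ] \
    || { echo "error: DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE is not set" >&2; return 1; }
}

# Refuse anything but NAME:TAG. A bare name would sign whatever "latest"
# resolves to, and docker trust sign does not accept digest references.
# Only the final path component is inspected, so a registry host:port is fine.
check_tagged_ref() {
  local last=${1##*/}          # e.g. flask_build:signed
  case "$last" in
    *@*)  echo "error: $1 is a digest reference; use NAME:TAG" >&2; return 1 ;;
    *:?*) return 0 ;;
    *)    echo "error: $1 has no explicit tag" >&2; return 1 ;;
  esac
}

# Steps 2 and 3: one-time setup per repository and build host.
#   $1 signer name, $2 signer public cert, $3 signer private key, $4 repository (no tag)
setup_signer() {
  local signer=$1 cert=$2 key=$3 repo=$4
  require_trust_env || return 1
  [ -r "$cert" ] || { echo "error: cannot read certificate $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "error: cannot read private key $key" >&2; return 1; }
  # The first signer add on a repository also initialises its trust data and
  # creates the root key, so the ROOT passphrase is consumed here.
  "$DOCKER" trust signer add --key "$cert" "$signer" "$repo" || return 1
  # Import the matching private key into ~/.docker/trust/private, named
  # after the signer so that sign can find it.
  "$DOCKER" trust key load --name "$signer" "$key" || return 1
}

# Step 4 plus a check: run on every build. docker trust sign pushes the tag
# as part of signing, so the image must exist locally under this name.
#   $1 repository, $2 tag
sign_tag() {
  local ref="$1:$2"
  require_trust_env || return 1
  check_tagged_ref "$ref" || return 1
  "$DOCKER" trust sign "$ref" || return 1
  # Show the signers and signed digest now recorded for the tag.
  "$DOCKER" trust inspect --pretty "$ref" || return 1
}

# Usage: ./trust-sign.sh run   (with both passphrases in the environment)
if [ "${1:-}" = "run" ]; then
  setup_signer admin cert.pem key.pem dtr.dockr.life/admin/flask_build
  sign_tag dtr.dockr.life/admin/flask_build signed
fi
```

Run setup_signer once per repository from a host that holds the client bundle, then call sign_tag from each build; the root key created on the first signer add lives in ~/.docker/trust/private and should be backed up offline, since losing it means re-initialising trust for the repository.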

What's Next

Repeat this process for any other images or repositories you want to sign in an automated fashion.