When establishing an Automated Secure Supply Chain we need the ability to automate the docker trust command. Here are some basic steps for achieving that. These steps also apply to externally signed certs.
Please ensure Docker Engine 18.09.0 or greater.
Please note that these commands should be run on either the build system or a workstation. Please also do not use the example password below.
Set up environment variables for passphrase automation.
export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="Pa22word"
export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="Pa22word"
Add the public certificate for the signer. This can be either the client bundle cert or from an external PKI system. Add the signer to the specific repository you want to sign.
docker trust signer add --key cert.pem admin dtr.dockr.life/admin/flask_build
Add, i.e. load, the private key for the signer.
docker trust key load --name admin key.pem
Sign the image with the docker trust command. This is important if you are using PKI at the engine level. Pay attention to the tag you are signing.
docker trust sign dtr.dockr.life/admin/flask_build:signed
The next step is to repeat this process for any other images or repositories you want to sign in an automated fashion.
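As an added example (not part of the original page and not Docker's own tooling), a POSIX sh wrapper that runs the steps above from a build job, refusing to sign when the engine is older than 18.09.0 or when the reference lacks an explicit tag; the variable names SIGNER_ROOT_PASS and SIGNER_REPO_PASS are assumptions for whatever your CI secret store provides, and cert.pem / key.pem are the signer's cert and key as above.

```shell
#!/usr/bin/env sh
# Added example, not part of the original page or of Docker's tooling.
# Assumptions: cert.pem / key.pem are the signer's public cert and private key
# (as above) and the CI secret store exports SIGNER_ROOT_PASS / SIGNER_REPO_PASS.

# Return 0 when a Docker version string such as 18.09.0 is 18.09.0 or greater.
version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor#0}                       # "09" -> "9" so test(1) reads it as decimal
    [ "$major" -gt 18 ] || { [ "$major" -eq 18 ] && [ "${minor:-0}" -ge 9 ]; }
}

# Return 0 only for a reference with an explicit tag; docker trust sign needs the
# exact tag, so an untagged or digest reference is rejected before docker is called.
has_explicit_tag() {
    name=${1##*/}                          # drop registry[:port]/namespace
    case "$name" in *@*) return 1 ;; *:*) return 0 ;; esac
    return 1
}

# One-time setup per repository: register the signer's cert and load its key.
setup_signer() {
    repo=$1
    docker trust signer add --key cert.pem admin "$repo" &&
        docker trust key load --name admin key.pem
}

# Sign one IMAGE:TAG, taking passphrases from the secret store, never from the script.
sign_image() {
    ref=$1
    has_explicit_tag "$ref" || { echo "refusing to sign untagged reference: $ref" >&2; return 1; }
    engine=$(docker version --format '{{.Server.Version}}')
    version_ok "$engine" || { echo "engine $engine is older than 18.09.0" >&2; return 1; }
    : "${SIGNER_ROOT_PASS:?missing}" "${SIGNER_REPO_PASS:?missing}"
    export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="$SIGNER_ROOT_PASS"
    export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="$SIGNER_REPO_PASS"
    docker trust sign "$ref" && docker trust inspect --pretty "$ref"
}

# Usage: sign.sh dtr.dockr.life/admin/flask_build:signed [more IMAGE:TAG ...]
if [ "$#" -gt 0 ]; then
    for ref in "$@"; do
        has_explicit_tag "$ref" && setup_signer "${ref%:*}" && sign_image "$ref" || exit 1
    done
fi
```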