github.com/AliyunContainerService/cli@v0.0.0-20181009023821-814ced4b30d0/docs/reference/commandline/trust_inspect.md (about) 1 --- 2 title: "trust inspect" 3 description: "The inspect command description and usage" 4 keywords: "inspect, notary, trust" 5 --- 6 7 <!-- This file is maintained within the docker/cli GitHub 8 repository at https://github.com/docker/cli/. Make all 9 pull requests against that repo. If you see this file in 10 another repository, consider it read-only there, as it will 11 periodically be overwritten by the definitive file. Pull 12 requests which include edits to this file in other repositories 13 will be rejected. 14 --> 15 16 # trust inspect 17 18 ```markdown 19 Usage: docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...] 20 21 Return low-level information about keys and signatures 22 23 Options: 24 --help Print usage 25 --pretty Print the information in a human friendly format 26 ``` 27 28 ## Description 29 30 `docker trust inspect` provides low-level JSON information on signed repositories. 31 This includes all image tags that are signed, who signed them, and who can sign 32 new tags. 33 34 ## Examples 35 36 ### Get low-level details about signatures for a single image tag 37 38 Use the `docker trust inspect` to get trust information about an image. The 39 following example prints trust information for the `alpine:latest` image: 40 41 ```bash 42 $ docker trust inspect alpine:latest 43 [ 44 { 45 "Name": "alpine:latest", 46 "SignedTags": [ 47 { 48 "SignedTag": "latest", 49 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 50 "Signers": [ 51 "Repo Admin" 52 ] 53 } 54 ], 55 "Signers": [], 56 "AdministrativeKeys": [ 57 { 58 "Name": "Repository", 59 "Keys": [ 60 { 61 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 62 } 63 ] 64 }, 65 { 66 "Name": "Root", 67 "Keys": [ 68 { 69 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 70 } 71 ] 72 } 73 ] 74 } 75 ] 76 ``` 77 78 The `SignedTags` key will list the `SignedTag` name, its `Digest`, 79 and the `Signers` responsible for the signature. 80 81 `AdministrativeKeys` will list the `Repository` and `Root` keys. 82 83 If signers are set up for the repository via other `docker trust` 84 commands, `docker trust inspect` includes a `Signers` key: 85 86 ```bash 87 $ docker trust inspect my-image:purple 88 [ 89 { 90 "Name": "my-image:purple", 91 "SignedTags": [ 92 { 93 "SignedTag": "purple", 94 "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557", 95 "Signers": [ 96 "alice", 97 "bob", 98 "carol" 99 ] 100 } 101 ], 102 "Signers": [ 103 { 104 "Name": "alice", 105 "Keys": [ 106 { 107 "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3" 108 }, 109 { 110 "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8" 111 } 112 ] 113 }, 114 { 115 "Name": "bob", 116 "Keys": [ 117 { 118 "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba" 119 } 120 ] 121 }, 122 { 123 "Name": "carol", 124 "Keys": [ 125 { 126 "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9" 127 }, 128 { 129 "ID": "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606" 130 } 131 ] 132 } 133 ], 134 "AdministrativeKeys": [ 135 { 136 "Name": "Repository", 137 "Keys": [ 138 { 139 "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44" 140 } 141 ] 142 }, 143 { 144 "Name": "Root", 145 "Keys": [ 146 { 147 "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f" 148 } 149 ] 150 } 151 ] 152 } 153 ] 154 ``` 155 156 If the image tag is unsigned or unavailable, `docker trust inspect` does not 157 display any signed tags. 158 159 ```bash 160 $ docker trust inspect unsigned-img 161 No signatures or cannot access unsigned-img 162 ``` 163 164 However, if other tags are signed in the same image repository, 165 `docker trust inspect` reports relevant key information: 166 167 ```bash 168 $ docker trust inspect alpine:unsigned 169 [ 170 { 171 "Name": "alpine:unsigned", 172 "Signers": [], 173 "AdministrativeKeys": [ 174 { 175 "Name": "Repository", 176 "Keys": [ 177 { 178 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 179 } 180 ] 181 }, 182 { 183 "Name": "Root", 184 "Keys": [ 185 { 186 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 187 } 188 ] 189 } 190 ] 191 } 192 ] 193 ``` 194 195 ### Get details about signatures for all image tags in a repository 196 197 If no tag is specified, `docker trust inspect` will report details for all 198 signed tags in the repository: 199 200 ```bash 201 $ docker trust inspect alpine 202 [ 203 { 204 "Name": "alpine", 205 "SignedTags": [ 206 { 207 "SignedTag": "3.5", 208 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 209 "Signers": [ 210 "Repo Admin" 211 ] 212 }, 213 { 214 "SignedTag": "3.6", 215 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 216 "Signers": [ 217 "Repo Admin" 218 ] 219 }, 220 { 221 "SignedTag": "edge", 222 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 223 "Signers": [ 224 "Repo Admin" 225 ] 226 }, 227 { 228 "SignedTag": "latest", 229 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 230 "Signers": [ 231 "Repo Admin" 232 ] 233 } 234 ], 235 "Signers": [], 236 "AdministrativeKeys": [ 237 { 238 "Name": "Repository", 239 "Keys": [ 240 { 241 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 242 } 243 ] 244 }, 245 { 246 "Name": "Root", 247 "Keys": [ 248 { 249 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 250 } 251 ] 252 } 253 ] 254 } 255 ] 256 ``` 257 258 259 ### Get details about signatures for multiple images 260 261 `docker trust inspect` can take multiple repositories and images as arguments, 262 and reports the results in an ordered list: 263 264 ```bash 265 $ docker trust inspect alpine notary 266 [ 267 { 268 "Name": "alpine", 269 "SignedTags": [ 270 { 271 "SignedTag": "3.5", 272 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 273 "Signers": [ 274 "Repo Admin" 275 ] 276 }, 277 { 278 "SignedTag": "3.6", 279 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 280 "Signers": [ 281 "Repo Admin" 282 ] 283 }, 284 { 285 "SignedTag": "edge", 286 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 287 "Signers": [ 288 "Repo Admin" 289 ] 290 }, 291 { 292 "SignedTag": "integ-test-base", 293 "Digest": "3952dc48dcc4136ccdde37fbef7e250346538a55a0366e3fccc683336377e372", 294 "Signers": [ 295 "Repo Admin" 296 ] 297 }, 298 { 299 "SignedTag": "latest", 300 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 301 "Signers": [ 302 "Repo Admin" 303 ] 304 } 305 ], 306 "Signers": [], 307 "AdministrativeKeys": [ 308 { 309 "Name": "Repository", 310 "Keys": [ 311 { 312 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 313 } 314 ] 315 }, 316 { 317 "Name": "Root", 318 "Keys": [ 319 { 320 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 321 } 322 ] 323 } 324 ] 325 }, 326 { 327 "Name": "notary", 328 "SignedTags": [ 329 { 330 "SignedTag": "server", 331 "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c", 332 "Signers": [ 333 "Repo Admin" 334 ] 335 }, 336 { 337 "SignedTag": "signer", 338 "Digest": "a6122d79b1e74f70b5dd933b18a6d1f99329a4728011079f06b245205f158fe8", 339 "Signers": [ 340 "Repo Admin" 341 ] 342 } 343 ], 344 "Signers": [], 345 "AdministrativeKeys": [ 346 { 347 "Name": "Root", 348 "Keys": [ 349 { 350 "ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92" 351 } 352 ] 353 }, 354 { 355 "Name": "Repository", 356 "Keys": [ 357 { 358 "ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df" 359 } 360 ] 361 } 362 ] 363 } 364 ] 365 ``` 366 367 ### Formatting 368 369 You can print the inspect output in a human-readable format instead of the default 370 JSON output, by using the `--pretty` option: 371 372 ### Get details about signatures for a single image tag 373 374 ```bash 375 $ docker trust inspect --pretty alpine:latest 376 377 SIGNED TAG DIGEST SIGNERS 378 latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 379 380 Administrative keys for alpine:latest: 381 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 382 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 383 ``` 384 385 The `SIGNED TAG` is the signed image tag with a unique content-addressable 386 `DIGEST`. `SIGNERS` lists all entities who have signed. 387 388 The administrative keys listed specify the root key of trust, as well as 389 the administrative repository key. These keys are responsible for modifying 390 signers, and rotating keys for the signed repository. 391 392 If signers are set up for the repository via other `docker trust` commands, 393 `docker trust inspect --pretty` displays them appropriately as a `SIGNER` 394 and specify their `KEYS`: 395 396 ```bash 397 $ docker trust inspect --pretty my-image:purple 398 SIGNED TAG DIGEST SIGNERS 399 purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol 400 401 List of signers and their keys: 402 403 SIGNER KEYS 404 alice 47caae5b3e61, a85aab9d20a4 405 bob 034370bcbd77, 82a66673242c 406 carol b6f9f8e1aab0 407 408 Administrative keys for my-image: 409 Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44 410 Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f 411 ``` 412 413 However, if other tags are signed in the same image repository, 414 `docker trust inspect` reports relevant key information. 415 416 ```bash 417 $ docker trust inspect --pretty alpine:unsigned 418 419 No signatures for alpine:unsigned 420 421 422 Administrative keys for alpine:unsigned: 423 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 424 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 425 ``` 426 427 ### Get details about signatures for all image tags in a repository 428 429 ```bash 430 $ docker trust inspect --pretty alpine 431 SIGNED TAG DIGEST SIGNERS 432 2.6 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b (Repo Admin) 433 2.7 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a (Repo Admin) 434 3.1 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8 (Repo Admin) 435 3.2 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7 (Repo Admin) 436 3.3 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7 (Repo Admin) 437 3.4 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9 (Repo Admin) 438 3.5 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308 (Repo Admin) 439 3.6 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 440 edge 79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b (Repo Admin) 441 latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 442 443 Administrative keys for alpine: 444 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 445 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 446 ``` 447 448 Here's an example with signers that are set up by `docker trust` commands: 449 450 ```bash 451 $ docker trust inspect --pretty my-image 452 SIGNED TAG DIGEST SIGNERS 453 red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice 454 blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob 455 green cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139 alice, bob 456 yellow 9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba carol 457 purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol 458 orange d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c alice 459 460 List of signers and their keys for my-image: 461 462 SIGNER KEYS 463 alice 47caae5b3e61, a85aab9d20a4 464 bob 034370bcbd77, 82a66673242c 465 carol b6f9f8e1aab0 466 467 Administrative keys for my-image: 468 Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44 469 Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f 470 ```