github.com/docker/docker-ce@v17.12.1-ce-rc2+incompatible/components/cli/docs/reference/commandline/trust_inspect.md (about) 1 --- 2 title: "trust inspect" 3 description: "The inspect command description and usage" 4 keywords: "view, notary, trust" 5 --- 6 7 <!-- This file is maintained within the docker/cli GitHub 8 repository at https://github.com/docker/cli/. Make all 9 pull requests against that repo. If you see this file in 10 another repository, consider it read-only there, as it will 11 periodically be overwritten by the definitive file. Pull 12 requests which include edits to this file in other repositories 13 will be rejected. 14 --> 15 16 # trust inspect 17 18 ```markdown 19 Usage: docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...] 20 21 Return low-level information about keys and signatures 22 23 ``` 24 25 ## Description 26 27 `docker trust inspect` provides low-level JSON information on signed repositories. 28 This includes all image tags that are signed, who signed them, and who can sign 29 new tags. 30 31 `docker trust inspect` prints the trust information in a machine-readable format. Refer to 32 [`docker trust view`](trust_view.md) for a human-friendly output. 33 34 `docker trust inspect` is currently experimental. 35 36 37 ## Examples 38 39 ### Get low-level details about signatures for a single image tag 40 41 Use the `docker trust inspect` to get trust information about an image. The 42 following example prints trust information for the `alpine:latest` image: 43 44 ```bash 45 $ docker trust inspect alpine:latest 46 [ 47 { 48 "Name": "alpine:latest", 49 "SignedTags": [ 50 { 51 "SignedTag": "latest", 52 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 53 "Signers": [ 54 "Repo Admin" 55 ] 56 } 57 ], 58 "Signers": [], 59 "AdminstrativeKeys": [ 60 { 61 "Name": "Repository", 62 "Keys": [ 63 { 64 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 65 } 66 ] 67 }, 68 { 69 "Name": "Root", 70 "Keys": [ 71 { 72 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 73 } 74 ] 75 } 76 ] 77 } 78 ] 79 ``` 80 81 The `SignedTags` key will list the `SignedTag` name, its `Digest`, and the `Signers` responsible for the signature. 82 83 `AdministrativeKeys` will list the `Repository` and `Root` keys. 84 85 This format mirrors the output of `docker trust view` 86 87 If signers are set up for the repository via other `docker trust` commands, `docker trust inspect` includes a `Signers` key: 88 89 ```bash 90 $ docker trust inspect my-image:purple 91 [ 92 { 93 "Name": "my-image:purple", 94 "SignedTags": [ 95 { 96 "SignedTag": "purple", 97 "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557", 98 "Signers": [ 99 "alice", 100 "bob", 101 "carol" 102 ] 103 } 104 ], 105 "Signers": [ 106 { 107 "Name": "alice", 108 "Keys": [ 109 { 110 "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3" 111 }, 112 { 113 "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8" 114 } 115 ] 116 }, 117 { 118 "Name": "bob", 119 "Keys": [ 120 { 121 "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba" 122 } 123 ] 124 }, 125 { 126 "Name": "carol", 127 "Keys": [ 128 { 129 "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9" 130 }, 131 { 132 "ID": "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606" 133 } 134 ] 135 } 136 ], 137 "AdminstrativeKeys": [ 138 { 139 "Name": "Repository", 140 "Keys": [ 141 { 142 "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44" 143 } 144 ] 145 }, 146 { 147 "Name": "Root", 148 "Keys": [ 149 { 150 "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f" 151 } 152 ] 153 } 154 ] 155 } 156 ] 157 ``` 158 159 If the image tag is unsigned or unavailable, `docker trust inspect` does not display any signed tags. 160 161 ```bash 162 $ docker trust inspect unsigned-img 163 No signatures or cannot access unsigned-img 164 ``` 165 166 However, if other tags are signed in the same image repository, `docker trust inspect` reports relevant key information: 167 168 ```bash 169 $ docker trust inspect alpine:unsigned 170 [ 171 { 172 "Name": "alpine:unsigned", 173 "Signers": [], 174 "AdminstrativeKeys": [ 175 { 176 "Name": "Repository", 177 "Keys": [ 178 { 179 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 180 } 181 ] 182 }, 183 { 184 "Name": "Root", 185 "Keys": [ 186 { 187 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 188 } 189 ] 190 } 191 ] 192 } 193 ] 194 ``` 195 196 ### Get details about signatures for all image tags in a repository 197 198 If no tag is specified, `docker trust inspect` will report details for all signed tags in the repository: 199 200 ```bash 201 $ docker trust inspect alpine 202 [ 203 { 204 "Name": "alpine", 205 "SignedTags": [ 206 { 207 "SignedTag": "3.5", 208 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 209 "Signers": [ 210 "Repo Admin" 211 ] 212 }, 213 { 214 "SignedTag": "3.6", 215 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 216 "Signers": [ 217 "Repo Admin" 218 ] 219 }, 220 { 221 "SignedTag": "edge", 222 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 223 "Signers": [ 224 "Repo Admin" 225 ] 226 }, 227 { 228 "SignedTag": "latest", 229 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 230 "Signers": [ 231 "Repo Admin" 232 ] 233 } 234 ], 235 "Signers": [], 236 "AdminstrativeKeys": [ 237 { 238 "Name": "Repository", 239 "Keys": [ 240 { 241 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 242 } 243 ] 244 }, 245 { 246 "Name": "Root", 247 "Keys": [ 248 { 249 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 250 } 251 ] 252 } 253 ] 254 } 255 ] 256 ``` 257 258 259 ### Get details about signatures for multiple images 260 261 `docker trust inspect` can take multiple repositories and images as arguments, and reports the results in an ordered list: 262 263 ```bash 264 $ docker trust inspect alpine notary 265 [ 266 { 267 "Name": "alpine", 268 "SignedTags": [ 269 { 270 "SignedTag": "3.5", 271 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 272 "Signers": [ 273 "Repo Admin" 274 ] 275 }, 276 { 277 "SignedTag": "3.6", 278 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 279 "Signers": [ 280 "Repo Admin" 281 ] 282 }, 283 { 284 "SignedTag": "edge", 285 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 286 "Signers": [ 287 "Repo Admin" 288 ] 289 }, 290 { 291 "SignedTag": "integ-test-base", 292 "Digest": "3952dc48dcc4136ccdde37fbef7e250346538a55a0366e3fccc683336377e372", 293 "Signers": [ 294 "Repo Admin" 295 ] 296 }, 297 { 298 "SignedTag": "latest", 299 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 300 "Signers": [ 301 "Repo Admin" 302 ] 303 } 304 ], 305 "Signers": [], 306 "AdminstrativeKeys": [ 307 { 308 "Name": "Repository", 309 "Keys": [ 310 { 311 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 312 } 313 ] 314 }, 315 { 316 "Name": "Root", 317 "Keys": [ 318 { 319 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 320 } 321 ] 322 } 323 ] 324 }, 325 { 326 "Name": "notary", 327 "SignedTags": [ 328 { 329 "SignedTag": "server", 330 "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c", 331 "Signers": [ 332 "Repo Admin" 333 ] 334 }, 335 { 336 "SignedTag": "signer", 337 "Digest": "a6122d79b1e74f70b5dd933b18a6d1f99329a4728011079f06b245205f158fe8", 338 "Signers": [ 339 "Repo Admin" 340 ] 341 } 342 ], 343 "Signers": [], 344 "AdminstrativeKeys": [ 345 { 346 "Name": "Root", 347 "Keys": [ 348 { 349 "ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92" 350 } 351 ] 352 }, 353 { 354 "Name": "Repository", 355 "Keys": [ 356 { 357 "ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df" 358 } 359 ] 360 } 361 ] 362 } 363 ] 364 ```