github.com/docker/docker-ce@v17.12.1-ce-rc2+incompatible/components/cli/docs/reference/commandline/trust_sign.md

github.com/docker/docker-ce@v17.12.1-ce-rc2+incompatible/components/cli/docs/reference/commandline/trust_sign.md (about)

     1  ---
     2  title: "trust sign"
     3  description: "The sign command description and usage"
     4  keywords: "sign, notary, trust"
     5  ---
     6  
     7  <!-- This file is maintained within the docker/cli GitHub
     8       repository at https://github.com/docker/cli/. Make all
     9       pull requests against that repo. If you see this file in
    10       another repository, consider it read-only there, as it will
    11       periodically be overwritten by the definitive file. Pull
    12       requests which include edits to this file in other repositories
    13       will be rejected.
    14  -->
    15  
    16  # trust sign
    17  
    18  ```markdown
    19  Usage:  docker trust sign [OPTIONS] IMAGE:TAG
    20  
    21  Sign an image
    22  
    23  Options:
    24        --help    print usage
    25        --local   force the signing of a local image
    26  
    27  ```
    28  
    29  ## Description
    30  
    31  `docker trust sign` adds signatures to tags to create signed repositories.
    32  
    33  `docker trust sign` is currently experimental.
    34  
    35  ## Examples
    36  
    37  ### Sign a tag as a repo admin
    38  
    39  Given an image:
    40  
    41  ```bash
    42  $ docker trust view example/trust-demo
    43  SIGNED TAG          DIGEST                                                             SIGNERS
    44  v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)
    45  
    46  Administrative keys for example/trust-demo:
    47  Repository Key:	36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
    48  Root Key:	246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
    49  ```
    50  
    51  Sign a new tag with `docker trust sign`:
    52  
    53  ```bash
    54  $ docker trust sign example/trust-demo:v2
    55  Signing and pushing trust metadata for example/trust-demo:v2
    56  The push refers to a repository [docker.io/example/trust-demo]
    57  eed4e566104a: Layer already exists
    58  77edfb6d1e3c: Layer already exists
    59  c69f806905c2: Layer already exists
    60  582f327616f1: Layer already exists
    61  a3fbb648f0bd: Layer already exists
    62  5eac2de68a97: Layer already exists
    63  8d4d1ab5ff74: Layer already exists
    64  v2: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
    65  Signing and pushing trust metadata
    66  Enter passphrase for repository key with ID 36d4c36:
    67  Successfully signed docker.io/example/trust-demo:v2
    68  ```
    69  
    70  `docker trust view` lists the new signature:
    71  
    72  ```bash
    73  $ docker trust view example/trust-demo
    74  SIGNED TAG          DIGEST                                                             SIGNERS
    75  v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)
    76  v2                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   (Repo Admin)
    77  
    78  Administrative keys for example/trust-demo:
    79  Repository Key:	36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
    80  Root Key:	246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
    81  ```
    82  
    83  ### Sign a tag as a signer
    84  
    85  Given an image:
    86  
    87  ```bash
    88  $ docker trust view example/trust-demo
    89  
    90  No signatures for example/trust-demo
    91  
    92  
    93  List of signers and their keys for example/trust-demo:
    94  
    95  SIGNER              KEYS
    96  alice               05e87edcaecb
    97  bob                 5600f5ab76a2
    98  
    99  Administrative keys for example/trust-demo:
   100  Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
   101  Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
   102  ```
   103  
   104  Sign a new tag with `docker trust sign`:
   105  
   106  ```bash
   107  $ docker trust sign example/trust-demo:v1
   108  Signing and pushing trust metadata for example/trust-demo:v1
   109  The push refers to a repository [docker.io/example/trust-demo]
   110  26b126eb8632: Layer already exists
   111  220d34b5f6c9: Layer already exists
   112  8a5132998025: Layer already exists
   113  aca233ed29c3: Layer already exists
   114  e5d2f035d7a4: Layer already exists
   115  v1: digest: sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 size: 1357
   116  Signing and pushing trust metadata
   117  Enter passphrase for delegation key with ID 27d42a8:
   118  Successfully signed docker.io/example/trust-demo:v1
   119  ```
   120  
   121  `docker trust view` lists the new signature:
   122  
   123  ```bash
   124  $ docker trust view example/trust-demo
   125  SIGNED TAG          DIGEST                                                             SIGNERS
   126  v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice
   127  
   128  List of signers and their keys for example/trust-demo:
   129  
   130  SIGNER              KEYS
   131  alice               05e87edcaecb
   132  bob                 5600f5ab76a2
   133  
   134  Administrative keys for example/trust-demo:
   135  Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
   136  Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
   137  ```
   138  
   139  ## Initialize a new repo and sign a tag
   140  
   141  When signing an image on a repo for the first time, `docker trust sign` sets up new keys before signing the image.
   142  
   143  ```bash
   144  $ docker trust view example/trust-demo
   145  No signatures or cannot access example/trust-demo
   146  ```
   147  
   148  ```bash
   149  $ docker trust sign example/trust-demo:v1
   150  Signing and pushing trust metadata for example/trust-demo:v1
   151  Enter passphrase for root key with ID 36cac18:
   152  Enter passphrase for new repository key with ID 731396b:
   153  Repeat passphrase for new repository key with ID 731396b:
   154  Enter passphrase for new alice key with ID 6d52b29:
   155  Repeat passphrase for new alice key with ID 6d52b29:
   156  Created signer: alice
   157  Finished initializing "docker.io/example/trust-demo"
   158  The push refers to a repository [docker.io/example/trust-demo]
   159  eed4e566104a: Layer already exists
   160  77edfb6d1e3c: Layer already exists
   161  c69f806905c2: Layer already exists
   162  582f327616f1: Layer already exists
   163  a3fbb648f0bd: Layer already exists
   164  5eac2de68a97: Layer already exists
   165  8d4d1ab5ff74: Layer already exists
   166  v1: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
   167  Signing and pushing trust metadata
   168  Enter passphrase for alice key with ID 6d52b29:
   169  Successfully signed docker.io/example/trust-demo:v1
   170  ```
   171  
   172  ```bash
   173  $ docker trust view example/trust-demo
   174  SIGNED TAG          DIGEST                                                             SIGNERS
   175  v1                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   alice
   176  
   177  List of signers and their keys for example/trust-demo:
   178  
   179  SIGNER              KEYS
   180  alice               6d52b29d940f
   181  
   182  Administrative keys for example/trust-demo:
   183  Repository Key:	731396b65eac3ef5ec01406801bdfb70feb40c17808d2222427c18046eb63beb
   184  Root Key:	70d174714bd1461f6c58cb3ef39087c8fdc7633bb11a98af844fd9a04e208103
   185  ```
   186