github.com/khulnasoft/cli@v0.0.0-20240402070845-01bcad7beefa/docs/reference/commandline/trust_inspect.md (about) 1 # trust inspect 2 3 <!---MARKER_GEN_START--> 4 Return low-level information about keys and signatures 5 6 ### Options 7 8 | Name | Type | Default | Description | 9 |:-----------|:-----|:--------|:-------------------------------------------------| 10 | `--pretty` | | | Print the information in a human friendly format | 11 12 13 <!---MARKER_GEN_END--> 14 15 ## Description 16 17 `docker trust inspect` provides low-level JSON information on signed repositories. 18 This includes all image tags that are signed, who signed them, and who can sign 19 new tags. 20 21 ## Examples 22 23 ### Get low-level details about signatures for a single image tag 24 25 Use the `docker trust inspect` to get trust information about an image. The 26 following example prints trust information for the `alpine:latest` image: 27 28 ```console 29 $ docker trust inspect alpine:latest 30 ``` 31 32 The output is in JSON format, for example: 33 34 ```json 35 [ 36 { 37 "Name": "alpine:latest", 38 "SignedTags": [ 39 { 40 "SignedTag": "latest", 41 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 42 "Signers": [ 43 "Repo Admin" 44 ] 45 } 46 ], 47 "Signers": [], 48 "AdministrativeKeys": [ 49 { 50 "Name": "Repository", 51 "Keys": [ 52 { 53 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 54 } 55 ] 56 }, 57 { 58 "Name": "Root", 59 "Keys": [ 60 { 61 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 62 } 63 ] 64 } 65 ] 66 } 67 ] 68 ``` 69 70 The `SignedTags` key will list the `SignedTag` name, its `Digest`, 71 and the `Signers` responsible for the signature. 72 73 `AdministrativeKeys` will list the `Repository` and `Root` keys. 74 75 If signers are set up for the repository via other `docker trust` 76 commands, `docker trust inspect` includes a `Signers` key: 77 78 ```console 79 $ docker trust inspect my-image:purple 80 ``` 81 82 The output is in JSON format, for example: 83 84 ```json 85 [ 86 { 87 "Name": "my-image:purple", 88 "SignedTags": [ 89 { 90 "SignedTag": "purple", 91 "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557", 92 "Signers": [ 93 "alice", 94 "bob", 95 "carol" 96 ] 97 } 98 ], 99 "Signers": [ 100 { 101 "Name": "alice", 102 "Keys": [ 103 { 104 "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3" 105 }, 106 { 107 "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8" 108 } 109 ] 110 }, 111 { 112 "Name": "bob", 113 "Keys": [ 114 { 115 "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba" 116 } 117 ] 118 }, 119 { 120 "Name": "carol", 121 "Keys": [ 122 { 123 "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9" 124 }, 125 { 126 "ID": "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606" 127 } 128 ] 129 } 130 ], 131 "AdministrativeKeys": [ 132 { 133 "Name": "Repository", 134 "Keys": [ 135 { 136 "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44" 137 } 138 ] 139 }, 140 { 141 "Name": "Root", 142 "Keys": [ 143 { 144 "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f" 145 } 146 ] 147 } 148 ] 149 } 150 ] 151 ``` 152 153 If the image tag is unsigned or unavailable, `docker trust inspect` does not 154 display any signed tags. 155 156 ```console 157 $ docker trust inspect unsigned-img 158 159 no signatures or cannot access unsigned-img 160 ``` 161 162 However, if other tags are signed in the same image repository, 163 `docker trust inspect` reports relevant key information: 164 165 ```console 166 $ docker trust inspect alpine:unsigned 167 ``` 168 169 The output is in JSON format, for example: 170 171 ```json 172 [ 173 { 174 "Name": "alpine:unsigned", 175 "Signers": [], 176 "AdministrativeKeys": [ 177 { 178 "Name": "Repository", 179 "Keys": [ 180 { 181 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 182 } 183 ] 184 }, 185 { 186 "Name": "Root", 187 "Keys": [ 188 { 189 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 190 } 191 ] 192 } 193 ] 194 } 195 ] 196 ``` 197 198 ### Get details about signatures for all image tags in a repository 199 200 If no tag is specified, `docker trust inspect` will report details for all 201 signed tags in the repository: 202 203 ```console 204 $ docker trust inspect alpine 205 ``` 206 207 The output is in JSON format, for example: 208 209 ```json 210 [ 211 { 212 "Name": "alpine", 213 "SignedTags": [ 214 { 215 "SignedTag": "3.5", 216 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 217 "Signers": [ 218 "Repo Admin" 219 ] 220 }, 221 { 222 "SignedTag": "3.6", 223 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 224 "Signers": [ 225 "Repo Admin" 226 ] 227 }, 228 { 229 "SignedTag": "edge", 230 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 231 "Signers": [ 232 "Repo Admin" 233 ] 234 }, 235 { 236 "SignedTag": "latest", 237 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 238 "Signers": [ 239 "Repo Admin" 240 ] 241 } 242 ], 243 "Signers": [], 244 "AdministrativeKeys": [ 245 { 246 "Name": "Repository", 247 "Keys": [ 248 { 249 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 250 } 251 ] 252 }, 253 { 254 "Name": "Root", 255 "Keys": [ 256 { 257 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 258 } 259 ] 260 } 261 ] 262 } 263 ] 264 ``` 265 266 267 ### Get details about signatures for multiple images 268 269 `docker trust inspect` can take multiple repositories and images as arguments, 270 and reports the results in an ordered list: 271 272 ```console 273 $ docker trust inspect alpine notary 274 ``` 275 276 The output is in JSON format, for example: 277 278 ```json 279 [ 280 { 281 "Name": "alpine", 282 "SignedTags": [ 283 { 284 "SignedTag": "3.5", 285 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 286 "Signers": [ 287 "Repo Admin" 288 ] 289 }, 290 { 291 "SignedTag": "3.6", 292 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 293 "Signers": [ 294 "Repo Admin" 295 ] 296 }, 297 { 298 "SignedTag": "edge", 299 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 300 "Signers": [ 301 "Repo Admin" 302 ] 303 }, 304 { 305 "SignedTag": "integ-test-base", 306 "Digest": "3952dc48dcc4136ccdde37fbef7e250346538a55a0366e3fccc683336377e372", 307 "Signers": [ 308 "Repo Admin" 309 ] 310 }, 311 { 312 "SignedTag": "latest", 313 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 314 "Signers": [ 315 "Repo Admin" 316 ] 317 } 318 ], 319 "Signers": [], 320 "AdministrativeKeys": [ 321 { 322 "Name": "Repository", 323 "Keys": [ 324 { 325 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 326 } 327 ] 328 }, 329 { 330 "Name": "Root", 331 "Keys": [ 332 { 333 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 334 } 335 ] 336 } 337 ] 338 }, 339 { 340 "Name": "notary", 341 "SignedTags": [ 342 { 343 "SignedTag": "server", 344 "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c", 345 "Signers": [ 346 "Repo Admin" 347 ] 348 }, 349 { 350 "SignedTag": "signer", 351 "Digest": "a6122d79b1e74f70b5dd933b18a6d1f99329a4728011079f06b245205f158fe8", 352 "Signers": [ 353 "Repo Admin" 354 ] 355 } 356 ], 357 "Signers": [], 358 "AdministrativeKeys": [ 359 { 360 "Name": "Root", 361 "Keys": [ 362 { 363 "ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92" 364 } 365 ] 366 }, 367 { 368 "Name": "Repository", 369 "Keys": [ 370 { 371 "ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df" 372 } 373 ] 374 } 375 ] 376 } 377 ] 378 ``` 379 380 ### Formatting 381 382 You can print the inspect output in a human-readable format instead of the default 383 JSON output, by using the `--pretty` option: 384 385 ### Get details about signatures for a single image tag 386 387 ```console 388 $ docker trust inspect --pretty alpine:latest 389 390 SIGNED TAG DIGEST SIGNERS 391 latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 392 393 Administrative keys for alpine:latest: 394 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 395 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 396 ``` 397 398 The `SIGNED TAG` is the signed image tag with a unique content-addressable 399 `DIGEST`. `SIGNERS` lists all entities who have signed. 400 401 The administrative keys listed specify the root key of trust, as well as 402 the administrative repository key. These keys are responsible for modifying 403 signers, and rotating keys for the signed repository. 404 405 If signers are set up for the repository via other `docker trust` commands, 406 `docker trust inspect --pretty` displays them appropriately as a `SIGNER` 407 and specify their `KEYS`: 408 409 ```console 410 $ docker trust inspect --pretty my-image:purple 411 412 SIGNED TAG DIGEST SIGNERS 413 purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol 414 415 List of signers and their keys: 416 417 SIGNER KEYS 418 alice 47caae5b3e61, a85aab9d20a4 419 bob 034370bcbd77, 82a66673242c 420 carol b6f9f8e1aab0 421 422 Administrative keys for my-image: 423 Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44 424 Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f 425 ``` 426 427 However, if other tags are signed in the same image repository, 428 `docker trust inspect` reports relevant key information. 429 430 ```console 431 $ docker trust inspect --pretty alpine:unsigned 432 433 No signatures for alpine:unsigned 434 435 436 Administrative keys for alpine:unsigned: 437 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 438 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 439 ``` 440 441 ### Get details about signatures for all image tags in a repository 442 443 ```console 444 $ docker trust inspect --pretty alpine 445 446 SIGNED TAG DIGEST SIGNERS 447 2.6 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b (Repo Admin) 448 2.7 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a (Repo Admin) 449 3.1 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8 (Repo Admin) 450 3.2 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7 (Repo Admin) 451 3.3 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7 (Repo Admin) 452 3.4 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9 (Repo Admin) 453 3.5 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308 (Repo Admin) 454 3.6 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 455 edge 79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b (Repo Admin) 456 latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 457 458 Administrative keys for alpine: 459 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 460 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 461 ``` 462 463 Here's an example with signers that are set up by `docker trust` commands: 464 465 ```console 466 $ docker trust inspect --pretty my-image 467 468 SIGNED TAG DIGEST SIGNERS 469 red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice 470 blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob 471 green cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139 alice, bob 472 yellow 9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba carol 473 purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol 474 orange d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c alice 475 476 List of signers and their keys for my-image: 477 478 SIGNER KEYS 479 alice 47caae5b3e61, a85aab9d20a4 480 bob 034370bcbd77, 82a66673242c 481 carol b6f9f8e1aab0 482 483 Administrative keys for my-image: 484 Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44 485 Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f 486 ```