github.com/khulnasoft/cli@v0.0.0-20240402070845-01bcad7beefa/docs/reference/commandline/trust_sign.md (about)

# trust sign

<!---MARKER_GEN_START-->
Sign an image

### Options

| Name      | Type | Default | Description                 |
|:----------|:-----|:--------|:----------------------------|
| `--local` |      |         | Sign a locally tagged image |


<!---MARKER_GEN_END-->

## Description

`docker trust sign` adds signatures to tags to create signed repositories.

## Examples

### Sign a tag as a repository admin

Given an image:

```console
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)

Administrative keys for example/trust-demo:
Repository Key: 36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
Root Key:       246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
```

Sign a new tag with `docker trust sign`:

```console
$ docker trust sign example/trust-demo:v2

Signing and pushing trust metadata for example/trust-demo:v2
The push refers to a repository [docker.io/example/trust-demo]
eed4e566104a: Layer already exists
77edfb6d1e3c: Layer already exists
c69f806905c2: Layer already exists
582f327616f1: Layer already exists
a3fbb648f0bd: Layer already exists
5eac2de68a97: Layer already exists
8d4d1ab5ff74: Layer already exists
v2: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
Signing and pushing trust metadata
Enter passphrase for repository key with ID 36d4c36:
Successfully signed docker.io/example/trust-demo:v2
```

Use `docker trust inspect --pretty` to list the new signature:

```console
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)
v2                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   (Repo Admin)

Administrative keys for example/trust-demo:
Repository Key: 36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
Root Key:       246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
```

### Sign a tag as a signer

Given an image:

```console
$ docker trust inspect --pretty example/trust-demo

No signatures for example/trust-demo


List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               05e87edcaecb
bob                 5600f5ab76a2

Administrative keys for example/trust-demo:
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
```

Sign a new tag with `docker trust sign`:

```console
$ docker trust sign example/trust-demo:v1

Signing and pushing trust metadata for example/trust-demo:v1
The push refers to a repository [docker.io/example/trust-demo]
26b126eb8632: Layer already exists
220d34b5f6c9: Layer already exists
8a5132998025: Layer already exists
aca233ed29c3: Layer already exists
e5d2f035d7a4: Layer already exists
v1: digest: sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 size: 1357
Signing and pushing trust metadata
Enter passphrase for delegation key with ID 27d42a8:
Successfully signed docker.io/example/trust-demo:v1
```

`docker trust inspect --pretty` lists the new signature:

```console
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice

List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               05e87edcaecb
bob                 5600f5ab76a2

Administrative keys for example/trust-demo:
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
```

## Initialize a new repository and sign a tag

When signing an image on a repository for the first time, `docker trust sign` sets up new keys before signing the image.

```console
$ docker trust inspect --pretty example/trust-demo

no signatures or cannot access example/trust-demo
```

```console
$ docker trust sign example/trust-demo:v1

Signing and pushing trust metadata for example/trust-demo:v1
Enter passphrase for root key with ID 36cac18:
Enter passphrase for new repository key with ID 731396b:
Repeat passphrase for new repository key with ID 731396b:
Enter passphrase for new alice key with ID 6d52b29:
Repeat passphrase for new alice key with ID 6d52b29:
Created signer: alice
Finished initializing "docker.io/example/trust-demo"
The push refers to a repository [docker.io/example/trust-demo]
eed4e566104a: Layer already exists
77edfb6d1e3c: Layer already exists
c69f806905c2: Layer already exists
582f327616f1: Layer already exists
a3fbb648f0bd: Layer already exists
5eac2de68a97: Layer already exists
8d4d1ab5ff74: Layer already exists
v1: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
Signing and pushing trust metadata
Enter passphrase for alice key with ID 6d52b29:
Successfully signed docker.io/example/trust-demo:v1
```

```console
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   alice

List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               6d52b29d940f

Administrative keys for example/trust-demo:
Repository Key: 731396b65eac3ef5ec01406801bdfb70feb40c17808d2222427c18046eb63beb
Root Key:       70d174714bd1461f6c58cb3ef39087c8fdc7633bb11a98af844fd9a04e208103
```
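
The `docker trust inspect --pretty` listings above can also be checked by a script, for instance to confirm before a deployment that a tag carries the expected digest and signer. The following is an added example, not part of the original documentation; the function names `sample_inspect`, `signed_tag_row` and `verify_signed_tag` are hypothetical, and it assumes that several signers on one tag are listed comma-separated in the `SIGNERS` column.

```shell
#!/bin/sh
# Constructed sample: the signed-tag listing from the signer example above.
sample_inspect() {
cat <<'EOF'

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice

List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               05e87edcaecb
bob                 5600f5ab76a2
EOF
}

# Print "<digest> <signers>" for tag $1, reading inspect output on stdin.
# Only the SIGNED TAG table is scanned, so a name in the SIGNER/KEYS table
# that happens to equal the tag cannot produce a match.
signed_tag_row() {
    awk -v tag="$1" '
        /^SIGNED TAG[ \t]+DIGEST/ { in_tags = 1; next }
        in_tags && NF == 0        { exit }
        in_tags && $1 == tag {
            digest = $2; $1 = ""; $2 = ""
            sub(/^ +/, "")
            print digest, $0
            found = 1; exit
        }
        END { exit !found }'
}

# Succeed only if tag $1 is signed, its digest is $2 (with or without the
# "sha256:" prefix that push output prints) and $3 is among its signers.
# Assumption: several signers are listed comma-separated in the SIGNERS column.
verify_signed_tag() {
    row=$(signed_tag_row "$1") || return 1
    [ "${row%% *}" = "${2#sha256:}" ] || return 1
    case ", ${row#* }," in
        *", $3,"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Demo on the constructed sample; in real use, pipe in
# `docker trust inspect --pretty <repository>` instead.
sample_inspect | verify_signed_tag v1 \
    sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 alice \
    && echo "v1 is signed by alice"
```

Passing `"(Repo Admin)"` as the third argument matches tags signed with the repository key, as in the first example.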