github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/docs/reference/commandline/trust_inspect.md (about) 1 --- 2 title: "trust inspect" 3 description: "The inspect command description and usage" 4 keywords: "inspect, notary, trust" 5 --- 6 7 # trust inspect 8 9 ```markdown 10 Usage: docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...] 11 12 Return low-level information about keys and signatures 13 14 Options: 15 --help Print usage 16 --pretty Print the information in a human friendly format 17 ``` 18 19 ## Description 20 21 `docker trust inspect` provides low-level JSON information on signed repositories. 22 This includes all image tags that are signed, who signed them, and who can sign 23 new tags. 24 25 ## Examples 26 27 ### Get low-level details about signatures for a single image tag 28 29 Use the `docker trust inspect` to get trust information about an image. The 30 following example prints trust information for the `alpine:latest` image: 31 32 ```bash 33 $ docker trust inspect alpine:latest 34 ``` 35 36 The output is in JSON format, for example: 37 38 ```json 39 [ 40 { 41 "Name": "alpine:latest", 42 "SignedTags": [ 43 { 44 "SignedTag": "latest", 45 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 46 "Signers": [ 47 "Repo Admin" 48 ] 49 } 50 ], 51 "Signers": [], 52 "AdministrativeKeys": [ 53 { 54 "Name": "Repository", 55 "Keys": [ 56 { 57 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 58 } 59 ] 60 }, 61 { 62 "Name": "Root", 63 "Keys": [ 64 { 65 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 66 } 67 ] 68 } 69 ] 70 } 71 ] 72 ``` 73 74 The `SignedTags` key will list the `SignedTag` name, its `Digest`, 75 and the `Signers` responsible for the signature. 76 77 `AdministrativeKeys` will list the `Repository` and `Root` keys. 78 79 If signers are set up for the repository via other `docker trust` 80 commands, `docker trust inspect` includes a `Signers` key: 81 82 ```bash 83 $ docker trust inspect my-image:purple 84 ``` 85 86 The output is in JSON format, for example: 87 88 ```json 89 [ 90 { 91 "Name": "my-image:purple", 92 "SignedTags": [ 93 { 94 "SignedTag": "purple", 95 "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557", 96 "Signers": [ 97 "alice", 98 "bob", 99 "carol" 100 ] 101 } 102 ], 103 "Signers": [ 104 { 105 "Name": "alice", 106 "Keys": [ 107 { 108 "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3" 109 }, 110 { 111 "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8" 112 } 113 ] 114 }, 115 { 116 "Name": "bob", 117 "Keys": [ 118 { 119 "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba" 120 } 121 ] 122 }, 123 { 124 "Name": "carol", 125 "Keys": [ 126 { 127 "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9" 128 }, 129 { 130 "ID": "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606" 131 } 132 ] 133 } 134 ], 135 "AdministrativeKeys": [ 136 { 137 "Name": "Repository", 138 "Keys": [ 139 { 140 "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44" 141 } 142 ] 143 }, 144 { 145 "Name": "Root", 146 "Keys": [ 147 { 148 "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f" 149 } 150 ] 151 } 152 ] 153 } 154 ] 155 ``` 156 157 If the image tag is unsigned or unavailable, `docker trust inspect` does not 158 display any signed tags. 159 160 ```bash 161 $ docker trust inspect unsigned-img 162 163 No signatures or cannot access unsigned-img 164 ``` 165 166 However, if other tags are signed in the same image repository, 167 `docker trust inspect` reports relevant key information: 168 169 ```bash 170 $ docker trust inspect alpine:unsigned 171 ``` 172 173 The output is in JSON format, for example: 174 175 ```json 176 [ 177 { 178 "Name": "alpine:unsigned", 179 "Signers": [], 180 "AdministrativeKeys": [ 181 { 182 "Name": "Repository", 183 "Keys": [ 184 { 185 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 186 } 187 ] 188 }, 189 { 190 "Name": "Root", 191 "Keys": [ 192 { 193 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 194 } 195 ] 196 } 197 ] 198 } 199 ] 200 ``` 201 202 ### Get details about signatures for all image tags in a repository 203 204 If no tag is specified, `docker trust inspect` will report details for all 205 signed tags in the repository: 206 207 ```bash 208 $ docker trust inspect alpine 209 ``` 210 211 The output is in JSON format, for example: 212 213 ```json 214 [ 215 { 216 "Name": "alpine", 217 "SignedTags": [ 218 { 219 "SignedTag": "3.5", 220 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 221 "Signers": [ 222 "Repo Admin" 223 ] 224 }, 225 { 226 "SignedTag": "3.6", 227 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 228 "Signers": [ 229 "Repo Admin" 230 ] 231 }, 232 { 233 "SignedTag": "edge", 234 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 235 "Signers": [ 236 "Repo Admin" 237 ] 238 }, 239 { 240 "SignedTag": "latest", 241 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 242 "Signers": [ 243 "Repo Admin" 244 ] 245 } 246 ], 247 "Signers": [], 248 "AdministrativeKeys": [ 249 { 250 "Name": "Repository", 251 "Keys": [ 252 { 253 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 254 } 255 ] 256 }, 257 { 258 "Name": "Root", 259 "Keys": [ 260 { 261 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 262 } 263 ] 264 } 265 ] 266 } 267 ] 268 ``` 269 270 271 ### Get details about signatures for multiple images 272 273 `docker trust inspect` can take multiple repositories and images as arguments, 274 and reports the results in an ordered list: 275 276 ```bash 277 $ docker trust inspect alpine notary 278 ``` 279 280 The output is in JSON format, for example: 281 282 ```json 283 [ 284 { 285 "Name": "alpine", 286 "SignedTags": [ 287 { 288 "SignedTag": "3.5", 289 "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c", 290 "Signers": [ 291 "Repo Admin" 292 ] 293 }, 294 { 295 "SignedTag": "3.6", 296 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 297 "Signers": [ 298 "Repo Admin" 299 ] 300 }, 301 { 302 "SignedTag": "edge", 303 "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096", 304 "Signers": [ 305 "Repo Admin" 306 ] 307 }, 308 { 309 "SignedTag": "integ-test-base", 310 "Digest": "3952dc48dcc4136ccdde37fbef7e250346538a55a0366e3fccc683336377e372", 311 "Signers": [ 312 "Repo Admin" 313 ] 314 }, 315 { 316 "SignedTag": "latest", 317 "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478", 318 "Signers": [ 319 "Repo Admin" 320 ] 321 } 322 ], 323 "Signers": [], 324 "AdministrativeKeys": [ 325 { 326 "Name": "Repository", 327 "Keys": [ 328 { 329 "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd" 330 } 331 ] 332 }, 333 { 334 "Name": "Root", 335 "Keys": [ 336 { 337 "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce" 338 } 339 ] 340 } 341 ] 342 }, 343 { 344 "Name": "notary", 345 "SignedTags": [ 346 { 347 "SignedTag": "server", 348 "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c", 349 "Signers": [ 350 "Repo Admin" 351 ] 352 }, 353 { 354 "SignedTag": "signer", 355 "Digest": "a6122d79b1e74f70b5dd933b18a6d1f99329a4728011079f06b245205f158fe8", 356 "Signers": [ 357 "Repo Admin" 358 ] 359 } 360 ], 361 "Signers": [], 362 "AdministrativeKeys": [ 363 { 364 "Name": "Root", 365 "Keys": [ 366 { 367 "ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92" 368 } 369 ] 370 }, 371 { 372 "Name": "Repository", 373 "Keys": [ 374 { 375 "ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df" 376 } 377 ] 378 } 379 ] 380 } 381 ] 382 ``` 383 384 ### Formatting 385 386 You can print the inspect output in a human-readable format instead of the default 387 JSON output, by using the `--pretty` option: 388 389 ### Get details about signatures for a single image tag 390 391 ```bash 392 $ docker trust inspect --pretty alpine:latest 393 394 SIGNED TAG DIGEST SIGNERS 395 latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 396 397 Administrative keys for alpine:latest: 398 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 399 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 400 ``` 401 402 The `SIGNED TAG` is the signed image tag with a unique content-addressable 403 `DIGEST`. `SIGNERS` lists all entities who have signed. 404 405 The administrative keys listed specify the root key of trust, as well as 406 the administrative repository key. These keys are responsible for modifying 407 signers, and rotating keys for the signed repository. 408 409 If signers are set up for the repository via other `docker trust` commands, 410 `docker trust inspect --pretty` displays them appropriately as a `SIGNER` 411 and specify their `KEYS`: 412 413 ```bash 414 $ docker trust inspect --pretty my-image:purple 415 416 SIGNED TAG DIGEST SIGNERS 417 purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol 418 419 List of signers and their keys: 420 421 SIGNER KEYS 422 alice 47caae5b3e61, a85aab9d20a4 423 bob 034370bcbd77, 82a66673242c 424 carol b6f9f8e1aab0 425 426 Administrative keys for my-image: 427 Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44 428 Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f 429 ``` 430 431 However, if other tags are signed in the same image repository, 432 `docker trust inspect` reports relevant key information. 433 434 ```bash 435 $ docker trust inspect --pretty alpine:unsigned 436 437 No signatures for alpine:unsigned 438 439 440 Administrative keys for alpine:unsigned: 441 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 442 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 443 ``` 444 445 ### Get details about signatures for all image tags in a repository 446 447 ```bash 448 $ docker trust inspect --pretty alpine 449 450 SIGNED TAG DIGEST SIGNERS 451 2.6 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b (Repo Admin) 452 2.7 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a (Repo Admin) 453 3.1 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8 (Repo Admin) 454 3.2 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7 (Repo Admin) 455 3.3 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7 (Repo Admin) 456 3.4 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9 (Repo Admin) 457 3.5 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308 (Repo Admin) 458 3.6 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 459 edge 79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b (Repo Admin) 460 latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin) 461 462 Administrative keys for alpine: 463 Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd 464 Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce 465 ``` 466 467 Here's an example with signers that are set up by `docker trust` commands: 468 469 ```bash 470 $ docker trust inspect --pretty my-image 471 472 SIGNED TAG DIGEST SIGNERS 473 red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice 474 blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob 475 green cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139 alice, bob 476 yellow 9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba carol 477 purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol 478 orange d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c alice 479 480 List of signers and their keys for my-image: 481 482 SIGNER KEYS 483 alice 47caae5b3e61, a85aab9d20a4 484 bob 034370bcbd77, 82a66673242c 485 carol b6f9f8e1aab0 486 487 Administrative keys for my-image: 488 Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44 489 Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f 490 ```