github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/docs/reference/commandline/trust_sign.md (about)

---
title: "trust sign"
description: "The sign command description and usage"
keywords: "sign, notary, trust"
---

# trust sign

```markdown
Usage:  docker trust sign [OPTIONS] IMAGE:TAG

Sign an image

Options:
      --help    print usage
      --local   force the signing of a local image

```

## Description

`docker trust sign` adds signatures to tags to create signed repositories.

## Examples

### Sign a tag as a repo admin

Given an image:

```bash
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)

Administrative keys for example/trust-demo:
Repository Key: 36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
Root Key:       246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
```

Sign a new tag with `docker trust sign`:

```bash
$ docker trust sign example/trust-demo:v2

Signing and pushing trust metadata for example/trust-demo:v2
The push refers to a repository [docker.io/example/trust-demo]
eed4e566104a: Layer already exists
77edfb6d1e3c: Layer already exists
c69f806905c2: Layer already exists
582f327616f1: Layer already exists
a3fbb648f0bd: Layer already exists
5eac2de68a97: Layer already exists
8d4d1ab5ff74: Layer already exists
v2: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
Signing and pushing trust metadata
Enter passphrase for repository key with ID 36d4c36:
Successfully signed docker.io/example/trust-demo:v2
```

Use `docker trust inspect --pretty` to list the new signature:

```bash
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)
v2                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   (Repo Admin)

Administrative keys for example/trust-demo:
Repository Key: 36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
Root Key:       246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
```

### Sign a tag as a signer

Given an image:

```bash
$ docker trust inspect --pretty example/trust-demo

No signatures for example/trust-demo


List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               05e87edcaecb
bob                 5600f5ab76a2

Administrative keys for example/trust-demo:
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
```

Sign a new tag with `docker trust sign`:

```bash
$ docker trust sign example/trust-demo:v1

Signing and pushing trust metadata for example/trust-demo:v1
The push refers to a repository [docker.io/example/trust-demo]
26b126eb8632: Layer already exists
220d34b5f6c9: Layer already exists
8a5132998025: Layer already exists
aca233ed29c3: Layer already exists
e5d2f035d7a4: Layer already exists
v1: digest: sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 size: 1357
Signing and pushing trust metadata
Enter passphrase for delegation key with ID 27d42a8:
Successfully signed docker.io/example/trust-demo:v1
```

`docker trust inspect --pretty` lists the new signature:

```bash
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice

List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               05e87edcaecb
bob                 5600f5ab76a2

Administrative keys for example/trust-demo:
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
```
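
The sign-then-inspect check above can be scripted as a release gate. This is an added example, not part of the Docker documentation: the function names `pushed_digest` and `check_signed` are hypothetical, the sample text is copied from the listings above, and the `, ` separator between multiple signers is an assumption.

```bash
#!/bin/sh
# Added example, not part of the Docker docs. Both functions read command
# output on stdin; the sample text is copied from the listings on this page.

# pushed_digest TAG: print the hex digest from the "TAG: digest: sha256:..."
# line that `docker trust sign` prints while pushing.
pushed_digest() {
  awk -v tag="$1" '
    $1 == (tag ":") && $2 == "digest:" { sub(/^sha256:/, "", $3); print $3; exit }
  '
}

# check_signed TAG DIGEST SIGNER: succeed only if the SIGNED TAG table of
# `docker trust inspect --pretty` lists TAG at DIGEST with SIGNER on the row.
check_signed() {
  awk -v tag="$1" -v digest="$2" -v signer="$3" '
    /^SIGNED TAG/       { in_table = 1; next }  # table header
    in_table && NF == 0 { in_table = 0 }        # blank line ends the table
    in_table && $1 == tag && $2 == digest {
      rest = ""
      for (i = 3; i <= NF; i++) rest = rest (i > 3 ? " " : "") $i
      n = split(rest, names, /, */)             # assumption: ", " separator
      for (i = 1; i <= n; i++) if (names[i] == signer) ok = 1
    }
    END { exit (ok ? 0 : 1) }
  '
}

SIGN_OUTPUT='v1: digest: sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 size: 1357
Successfully signed docker.io/example/trust-demo:v1'

INSPECT_OUTPUT='
SIGNED TAG          DIGEST                                                             SIGNERS
v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice

List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               05e87edcaecb
bob                 5600f5ab76a2
'

digest=$(printf '%s\n' "$SIGN_OUTPUT" | pushed_digest v1)
if printf '%s\n' "$INSPECT_OUTPUT" | check_signed v1 "$digest" alice; then
  echo "v1 is signed by alice at $digest"
else
  echo "v1 is NOT signed by alice at $digest" >&2
fi
```

Because the match is restricted to the `SIGNED TAG` table, a name that only appears in the signer key list (here `bob`) does not pass the check.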

## Initialize a new repo and sign a tag

When signing an image on a repo for the first time, `docker trust sign` sets up new keys before signing the image.

```bash
$ docker trust inspect --pretty example/trust-demo

No signatures or cannot access example/trust-demo
```

```bash
$ docker trust sign example/trust-demo:v1

Signing and pushing trust metadata for example/trust-demo:v1
Enter passphrase for root key with ID 36cac18:
Enter passphrase for new repository key with ID 731396b:
Repeat passphrase for new repository key with ID 731396b:
Enter passphrase for new alice key with ID 6d52b29:
Repeat passphrase for new alice key with ID 6d52b29:
Created signer: alice
Finished initializing "docker.io/example/trust-demo"
The push refers to a repository [docker.io/example/trust-demo]
eed4e566104a: Layer already exists
77edfb6d1e3c: Layer already exists
c69f806905c2: Layer already exists
582f327616f1: Layer already exists
a3fbb648f0bd: Layer already exists
5eac2de68a97: Layer already exists
8d4d1ab5ff74: Layer already exists
v1: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
Signing and pushing trust metadata
Enter passphrase for alice key with ID 6d52b29:
Successfully signed docker.io/example/trust-demo:v1
```

```bash
$ docker trust inspect --pretty example/trust-demo

SIGNED TAG          DIGEST                                                             SIGNERS
v1                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   alice

List of signers and their keys for example/trust-demo:

SIGNER              KEYS
alice               6d52b29d940f

Administrative keys for example/trust-demo:
Repository Key: 731396b65eac3ef5ec01406801bdfb70feb40c17808d2222427c18046eb63beb
Root Key:       70d174714bd1461f6c58cb3ef39087c8fdc7633bb11a98af844fd9a04e208103
```