Secure Your Docker Images With Signatures
How to use Docker Content Trust for your containers
With Docker dominating the delivery workflow, it’s become imperative that your container images can be trusted. How can your users be sure that the image content they’re downloading is what you’ve created? How can you verifiably prove that you are, indeed, the creator of an image?
In this article, we’ll explore how trust works in Docker and I’ll show you how to securely sign your Docker images. If you need a quick introduction to the fundamentals of public-key cryptography, check out my previous piece on the topic.
Docker Registry and Trusted Entities
Although many associate Docker Hub with being the Docker registry, a Docker registry is a standalone concept. In simple terms, a registry is a location where records of information are kept. In the Docker domain, it’s where you upload your Docker images to share them with others.
There are many products available that allow you to run your own private or public Docker registry, and Docker itself provides a free default implementation, the registry image.
Currently, Docker Hub features north of 6 million repositories with 130 billion total image pulls. With such staggering numbers and literally anybody being able to create a new repository and start pushing images, trust becomes an issue.
For big, well-known publishers, the issue of trust is taken care of by Docker, Inc., which manually vets selected publishers.
Anyone can apply to become a Verified Publisher. However, the complexity and associated cost behind it might be a deal-breaker for smaller publishers.
Luckily, we have public-key cryptography, and Docker Hub supports digital signatures on uploaded images.
Let’s see how to become our own Verified Publisher.
Docker Content Trust (DCT)
DCT allows publishers of images to use digital signatures, effectively allowing users pulling their images to…