Secure Your Docker Images With Signatures

How to use Docker Content Trust for your containers

Nassos Michas
Better Programming
7 min read · Apr 8, 2020

Photo by Brian McGowan on Unsplash.

With Docker dominating the delivery workflow, it’s become imperative that your container images can be trusted. How can your users be sure that the image content they’re downloading is what you’ve created? How can you verifiably prove that you are, indeed, the creator of an image?

In this article, we’ll explore how trust works in Docker and I’ll show you how to securely sign your Docker images. If you need a quick introduction to the fundamentals of public-key cryptography, check out my previous piece on the topic.

Docker Registry and Trusted Entities

Although many people equate Docker Hub with the Docker registry, a Docker registry is a standalone concept. In simple terms, a registry is a location where records of information are kept. In the Docker domain, it’s where you upload your Docker images to share them with others.

Many products let you run your own private or public Docker registry, and Docker provides a default implementation for free in `registry`.

Currently, Docker Hub features north of 6 million repositories with 130 billion total image pulls. With such staggering numbers and literally anybody…

Written by Nassos Michas

BSc, MSc in Software engineering | Cert. Scrum master | Cert. Professional for Software Architecture | Cert. Professional for Requirements Engineering
