Secure Your Docker Images With Signatures
How to use Docker Content Trust for your containers
With Docker dominating the delivery workflow, it’s become imperative that your container images can be trusted. How can your users be sure that the image content they’re downloading is what you’ve created? How can you verifiably prove that you are, indeed, the creator of an image?
In this article, we’ll explore how trust works in Docker and I’ll show you how to securely sign your Docker images. If you need a quick introduction to the fundamentals of public-key cryptography, check out my previous piece on the topic.
Docker Registry and Trusted Entities
Although many people think of Docker Hub as the Docker registry, a Docker registry is a standalone concept. In simple terms, a registry is a location where records of information are kept. In the Docker domain, it’s where you upload your Docker images to share them with others.
Many products let you run your own private or public Docker registry, and Docker provides a free default implementation in registry.
Currently, Docker Hub features north of 6 million repositories with 130 billion total image pulls. With such staggering numbers and literally anybody…