Cloud Computing Courses and Training | Kubernetes | RedPeppy

Digital Trust in Transit – Docker Content Trust

DevOps introduced several third-party components in the CI/CD Pipeline. The automation engine downloads OS libraries, software binaries, third party tools to build a Container.

With the use of third parties comes the question “Do I trust the Source?’.

Most of us are familiar with GitHub GPG signature trust for commit and tags. Why do we even sign the code commit? A beautiful answer that I found on stackexchange is below;

There are several ways in which a git repository can be compromised (this isn’t a security flaw, just a fact of life one should not avoid using git because of this). For example, someone may have pushed to your repository claiming to be you. Or for that matter, someone could have pushed to someone else’s repository claiming to be you (someone could push to their repository claiming to be you too). This is just part of life in a DVCS (Distributed Version Control System).

Imagine the similar use case for a Container Registry. A person pretending to be you can push a Container to a registry with a malware and it will affect the user when they pull the container. OR someone can tamper the Container in-transit because there is no digital signature. In-Transit security issues.

Docker introduced a security framework called ‘Docker Content Trust’.

When a publisher using Docker Content Trust pushes an image to a remote registry, Docker Engine signs the image locally with the publisher’s private key. When a user later pulls this image, Docker Engine uses the publisher’s public key to verify that the image is exactly what the publisher created, has not been tampered with, and is up to date.

In this article, I detail how to setup a DCT (Docker Content Trust) for your Containers.

There are 4 major steps to setup DCT.

Generate Docker Content Trust Key

To sign a Docker Image, you will need a delegation key pair. These keys can be generated locally using $ docker trust key generate <keyname>.

Add the Signer to the Docker Repository

Next you will need to add the delegation public key to the Docker Repository;

Pull the Image

You need an Image to be signed.

Tag the Image

Tag the pulled Image with a unique name to distinguish between unsigned and signed images.

Sign the Image

Inspect the Image

It is important to inspect the image to know if the signing process went through.

Push the Signed Image

Push the signed Image to the repository.

Enable Content Trust at the Docker host

It’s a flag at the shell. You should enable it on your environment to ensure the integrity of Docker Content Trust

Pull the unsigned Image

It will fail because your Docker host is enabled with Content Trust.

Pull the signed Image

It asks you to enter the passphrase you supplied in the previous steps and add the container to the Docker host.

This is it.

You can also watch the demo at youtube here

There are commands to revoke the trust, add notary, build your own keys etc. Refer the DCT document to know more about them.

Lawrence Manickam is the Founder of Kuberiter Inc, a Seattle based Start-up that provide Enterprise/SaaS DevOps Services (Kubernetes, Docker, Helm, Istio and CyberArk Conjur) for MultiCloud.

Please subscribe at to try our DevOps SaaS Services.



The Master Cloud Architect Trainer of RedPeppy is Lawrence Manickam. He has 25+ years of experience in Information Technology. Living in Vancouver, Canada, he has consulted with more than 40 corporate and Government clients in the United States and Canada.