Image signing and content trust

DTR makes use of the client certificates managed by UCP to sign images with a digital signature that can be tracked to a known user account. Users download a client bundle from UCP, which contains a public and private key for their client certificate, which is used by the Docker CLI.

You can use the same approach with user accounts for other systems—so you can create an account for your CI service and set up repositories so that only the CI account has access to push. That lets you integrate image signing into your secure delivery pipeline, applying the signature from the CI process and using that to enforce content trust.

You can switch Docker Content Trust on with an environment variable, and, when you push ...

Get Docker on Windows - Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.