
It is very common for Docker Content Trust to be built into existing automation systems. The `docker trust` commands prompt interactively for key passphrases, which is unusable in CI; to allow tools to wrap Docker and push trusted content, the client reads those passphrases from environment variables that the automation can set before each step.

This guide follows the steps as described in Signing images with Docker Content Trust. Make sure you understand and follow the prerequisites.

When working directly with the Notary client, it uses its own set of environment variables.

Add a delegation private key

To automate importing a delegation private key into the local Docker trust store, we need to pass a passphrase for the new key. The key is stored encrypted under this passphrase, and it will be required every time that delegation signs a tag.

Add a delegation public key

If you initialize a repository at the same time as adding a delegation public key, then you will need to use the local Notary Canonical Root Key's passphrase to create the repository's trust data. If the repository has already been initialized, then you only need the repository's passphrase.

Sign an image

Finally, when signing an image, we need to export the passphrase of the signing key. This is the passphrase that was set when the key was loaded into the local Docker trust store with `docker trust key load`.
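The three steps above (load the delegation key, add the signer, sign the tag) as one non-interactive wrapper. This is an added example, not code from the Docker documentation; the signer name `jeff`, the files `delegation.key` and `delegation.crt`, the registry `registry.example.com/admin/demo`, the secrets file path and the `DRY_RUN` switch are all placeholders and conventions chosen for the example. It fails closed when a passphrase is missing, so a misconfigured job errors out instead of hanging on a prompt, and it scrubs the passphrases from the environment when it is done.

```shell
#!/bin/sh
# Added example (not from the Docker docs): run the Docker Content Trust
# signing steps non-interactively. Names below are placeholders.
set -eu

# Passphrases are read from a file the CI system mounts as a secret
# (assumed path), never from the script or the repository.
# Format: NAME=value, one per line.
SECRETS_FILE="${SECRETS_FILE:-/run/secrets/dct.env}"

# DRY_RUN=1 prints each docker command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

run_docker() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "docker $*"
    else
        docker "$@"
    fi
}

# Fail closed: refuse to start a step whose passphrase is not set, otherwise
# "docker trust" would block on an interactive prompt and hang the job.
require_var() {
    name="$1"
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
        echo "error: $name is not set" >&2
        return 1
    fi
}

load_secrets() {
    if [ -r "$SECRETS_FILE" ]; then
        set -a            # export everything the file defines so docker sees it
        # shellcheck disable=SC1090
        . "$SECRETS_FILE"
        set +a
    fi
}

# Step 1: import the delegation private key. Only the delegation passphrase
# is needed; it becomes the passphrase protecting the key in ~/.docker/trust.
load_delegation_key() {
    key_file="$1"; signer="$2"
    require_var NOTARY_DELEGATION_PASSPHRASE || return 1
    run_docker trust key load "$key_file" --name "$signer"
}

# Step 2: add the delegation public key to the repository. The root
# passphrase is needed only when the repository's trust data is being
# initialized (init=1); targets and snapshot take the repository passphrase.
add_signer() {
    cert_file="$1"; signer="$2"; repo="$3"; init="${4:-0}"
    if [ "$init" = "1" ]; then
        require_var NOTARY_ROOT_PASSPHRASE || return 1
    fi
    require_var NOTARY_TARGETS_PASSPHRASE || return 1
    require_var NOTARY_SNAPSHOT_PASSPHRASE || return 1
    run_docker trust signer add --key "$cert_file" "$signer" "$repo"
}

# Step 3: sign and push a tag with the delegation key loaded in step 1.
sign_tag() {
    image="$1"
    require_var NOTARY_DELEGATION_PASSPHRASE || return 1
    run_docker trust sign "$image"
}

# Remove the passphrases once the job is done so that later steps (and any
# debug step that dumps the environment into a log) cannot see them.
clear_passphrases() {
    unset NOTARY_ROOT_PASSPHRASE NOTARY_TARGETS_PASSPHRASE \
          NOTARY_SNAPSHOT_PASSPHRASE NOTARY_DELEGATION_PASSPHRASE
}

main() {
    image="$1"
    load_secrets
    load_delegation_key delegation.key jeff
    # ${image%:*} drops the tag: registry.example.com/admin/demo:1 -> .../demo
    add_signer delegation.crt jeff "${image%:*}" 1
    sign_tag "$image"
    clear_passphrases
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 <image:tag>   (passphrases read from $SECRETS_FILE)" >&2
fi
```

Run it as `DRY_RUN=1 ./sign.sh registry.example.com/admin/demo:1` to see the exact commands before pointing it at a real registry. Note that anything exported into the environment is visible to every process the job starts, so keep environment dumps out of build logs and give the secrets file restrictive permissions.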

Build with content trust

You can also build with content trust. Before running the `docker build` command, set the environment variable `DOCKER_CONTENT_TRUST`, either manually or in a scripted fashion. Consider the simple Dockerfile below.

The `FROM` tag pulls a signed image. With content trust enabled, you cannot build an image whose `FROM` refers to a tag that is neither present locally nor signed. Given that content trust data exists for the tag `latest`, the following build should succeed:

If content trust is enabled, building from a Dockerfile that relies on a tag without trust data causes the build command to fail:
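A build wrapper that makes the trust requirement explicit rather than relying on whatever the caller's shell happened to export. This is an added example, not code from the Docker documentation; the image names, the Dockerfile contents and the `DRY_RUN` switch are constructed for the example. It goes a little beyond the single-stage Dockerfile discussed above: it lists every `FROM` reference that will actually be pulled, skipping `scratch` and references to earlier build stages, which are local and need no trust data, so you can see in advance which tags must be signed before the build will pass.

```shell
#!/bin/sh
# Added example (not from the Docker docs): build with Docker Content Trust
# enforced by the wrapper and report which base images need trust data.
set -eu

# Print the external base image references a Dockerfile will pull.
# Stage names from "FROM ... AS name" are build-local and need no trust
# data, so a later "FROM name" is skipped; "scratch" is never pulled either.
# Handles an optional --platform=... flag and a lowercase "from".
base_images() {
    dockerfile="$1"
    awk '
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && substr($i, 1, 2) == "--") i++   # skip flags
            ref = $i
            if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
            if (ref == "scratch" || (ref in stages)) next
            print ref
        }
    ' "$dockerfile"
}

# Build with content trust turned on by this function itself, so a build
# started from a shell where DOCKER_CONTENT_TRUST was never exported still
# refuses unsigned base images. DRY_RUN=1 prints the command instead.
build_trusted() {
    tag="$1"; context="$2"; dockerfile="${3:-$2/Dockerfile}"
    export DOCKER_CONTENT_TRUST=1
    echo "base images that must have trust data:" >&2
    base_images "$dockerfile" | sed 's/^/  /' >&2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST docker build -t $tag -f $dockerfile $context"
    else
        docker build -t "$tag" -f "$dockerfile" "$context"
    fi
}

if [ "$#" -ge 2 ]; then
    build_trusted "$@"
else
    echo "usage: $0 <name:tag> <context-dir> [Dockerfile]" >&2
fi
```

With `DOCKER_CONTENT_TRUST=1` set this way, a `FROM` that names a tag without trust data fails the build exactly as described above; the listing printed beforehand tells you which tag to sign.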