Update content_trust.md

Make it clear that DCT does not protect against layer tampering on the docker host.
Marc Nimmerrichter 2020-01-20 18:02:41 +01:00 committed by GitHub
parent 0d5ded5d22
commit 27e529ce3e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 4 additions and 4 deletions


@ -20,7 +20,7 @@ client-side or runtime verification of the integrity and publisher of specific
image tags.
Through DCT, image publishers can sign their images and image consumers can
ensure that the images they use are signed. Publishers could be individuals
ensure that the images they pull are signed. Publishers could be individuals
or organizations manually signing their content or automated software supply
chains signing content as part of their release process.
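Review bot: replacing "use" with "pull" narrows the sentence to a single operation, while the surrounding context (the line just above the hunk) describes "client-side or runtime verification"; either keep "use" or write "pull and run" so the consumer-side sentence still covers the runtime case the introduction mentions.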
@ -244,9 +244,9 @@ Engine Signature Verification prevents the following:
DCT does not verify that a running containers filesystem has not been altered
from what was in the image. For example, it does not prevent a container from
writing to the filesystem, once the container is running, nor does it prevent
the containers filesystem from being altered on disk. DCT will also not prevent
unsigned images from being imported, loaded, or created.
writing to the filesystem, once the container is running. Moreover, it does not
prevent the image's filesystem from being altered on a docker host's disk. DCT
will also not prevent unsigned images from being imported, loaded, or created.
### Enabling DCT within the Docker Enterprise Engine
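Review bot: the new wording ("the image's filesystem from being altered on a docker host's disk") is broader than the commit message, which is about layer tampering; "the image's layers from being altered on the Docker host's disk" states the point more precisely, and "docker host" should be capitalized as "Docker host" to match the rest of the page. The unchanged context line "a running containers filesystem" is also missing its possessive apostrophe ("container's"), worth fixing while this paragraph is being touched.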