Clarify where signing and verification happen (#5149)

Misty Stanley-Jones 2017-11-10 15:26:35 -08:00 committed by GitHub
parent 4bbaa46993
commit 60286e718b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 1 deletions


@ -11,7 +11,7 @@ operates on. You use Docker Engine to push and pull images (data) to a public or
gives you the ability to verify both the integrity and the publisher of all the
data received from a registry over any channel.
## Understand trust in Docker
## About trust in Docker
Content trust allows operations with a remote Docker registry to enforce
client-side signing and verification of image tags. Content trust provides the
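Review bot: The heading rename in the middle of this hunk, from "Understand trust in Docker" to "About trust in Docker", changes the anchor generated from the heading text, so any link that targets the old section anchor stops resolving. Search the docs for references to the old anchor and update them in the same commit. The commit title mentions only the signing and verification clarification, so the rename also deserves a line in the commit message.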
@ -30,6 +30,11 @@ ensure that the images they use are signed. Publishers and consumers can be
individuals alone or in organizations. Docker's content trust supports users and
automated processes such as builds.
When you enable content trust, signing occurs on the client after push and
verification happens on the client after pull if you use Docker CE. If you use
Docker EE with UCP, and you have configured UCP to require images to be signed
before deploying, signing is verified by UCP.
### Image tags and content trust
An individual image record has the following identifier:
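Review bot: In the added paragraph, the condition "if you use Docker CE" trails the first sentence, so it is unclear whether it limits only verification after pull or also signing after push, and the Docker EE with UCP sentence does not say whether the client still verifies on pull in that setup. State each case separately (who signs, who verifies, and at which step) so a reader can tell which component enforces trust. The closing clause, "signing is verified by UCP", would be more precise as UCP verifying the image signature, since what is checked is the signature and not the act of signing.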