docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clarifying use of flag 

Updating with Seb's comments
Updating with comments from review

Signed-off-by: Mary Anthony <mary@docker.com>
This commit is contained in:
Mary Anthony 2015-09-13 13:22:04 -07:00
parent 552c361f39
commit a2f545c86d
1 changed files with 59 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
docs/security/trust/content_trust.md
View File

@ -138,13 +138,13 @@ for details on creating, securing, and backing up your keys.
This section surveys the typical trusted operations users perform with Docker This section surveys the typical trusted operations users perform with Docker
images. images.
### Enable content trust ### Enable and disable content trust per-shell or per-invocation
Enable content trust by setting the `DOCKER_CONTENT_TRUST` environment variable. In a shell, you can enable content trust by setting the `DOCKER_CONTENT_TRUST`
Enabling per-shell is useful because you can have one shell configured for environment variable. Enabling per-shell is useful because you can have one
trusted operations and another terminal shell for untrusted operations. You can shell configured for trusted operations and another terminal shell for untrusted
also add this declaration to your shell profile to have it turned on always by operations. You can also add this declaration to your shell profile to have it
default. turned on always by default.
To enable content trust in a `bash` shell enter the following command: To enable content trust in a `bash` shell enter the following command:
@ -152,17 +152,30 @@ To enable content trust in a `bash` shell enter the following command:
export DOCKER_CONTENT_TRUST=1 export DOCKER_CONTENT_TRUST=1
``` ```
Once set, each of the "tag" operations require key for trusted tag. All of these Once set, each of the "tag" operations requires a key for a trusted tag.
commands also support the `--disable-content-trust` flag. This flag allows
publishers to run individual operations on tagged images without content trust on an In an environment where `DOCKER_CONTENT_TRUST` is set, you can use the
as-needed basis. `--disable-content-trust` flag to run individual operations on tagged images
without content trust on an as-needed basis.
```bash
$ docker pull --disable-content-trust docker/trusttest:untrusted
```
To invoke a command with content trust enabled regardless of whether or how the `DOCKER_CONTENT_TRUST` variable is set:
```bash
$ docker build --disable-content-trust=false -t docker/trusttest:testing .
```
All of the trusted operations support the `--disable-content-trust` flag.
### Push trusted content ### Push trusted content
To create signed content for a specific image tag, simply enable content trust and push To create signed content for a specific image tag, simply enable content trust
a tagged image. If this is the first time you have pushed an image using content trust and push a tagged image. If this is the first time you have pushed an image
on your system, the session looks like this: using content trust on your system, the session looks like this:
```bash ```bash
$ docker push docker/trusttest:latest $ docker push docker/trusttest:latest
@ -183,19 +196,19 @@ Enter passphrase for new tagging key with id docker.io/docker/trusttest (3a932f1
Repeat passphrase for new tagging key with id docker.io/docker/trusttest (3a932f1): Repeat passphrase for new tagging key with id docker.io/docker/trusttest (3a932f1):
Finished initializing "docker.io/docker/trusttest" Finished initializing "docker.io/docker/trusttest"
``` ```
When you push your first tagged image with content trust enabled, the `docker` client When you push your first tagged image with content trust enabled, the `docker`
recognizes this is your first push and: client recognizes this is your first push and:
- alerts you that it will create a new offline key - alerts you that it will create a new offline key
- requests a passphrase for the key - requests a passphrase for the key
- generates an offline key in the `~/.docker/trust` directory - generates an offline key in the `~/.docker/trust` directory
- generates a tagging key for in the `~/.docker/trust` directory - generates a tagging key for in the `~/.docker/trust` directory
The passphrase you chose for both the offline key and your content key-pair should The passphrase you chose for both the offline key and your content key-pair
be randomly generated and stored in a *password manager*. should be randomly generated and stored in a *password manager*.
It is important to note, if you had left off the `latest` tag, content trust is skipped. > **NOTE**: If you omit the `latest` tag, content trust is skipped. This is true
This is true even if content trust is enabled and even if this is your first push. even if content trust is enabled and even if this is your first push.
```bash ```bash
$ docker push docker/trusttest $ docker push docker/trusttest
@ -286,6 +299,3 @@ $ docker push --disable-content-trust docker/trusttest:untrusted
* [Manage keys for content trust](/security/trust/trust_key_mng) * [Manage keys for content trust](/security/trust/trust_key_mng)
* [Automation with content trust](/security/trust/trust_automation) * [Automation with content trust](/security/trust/trust_automation)
* [Play in a content trust sandbox](/security/trust/trust_sandbox) * [Play in a content trust sandbox](/security/trust/trust_sandbox)