Update content_trust.md

Wang Jie 2019-03-20 10:05:15 +08:00 committed by GitHub
parent ec0bcc6870
commit af6ad4fd99
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 6 deletions

@ -148,7 +148,7 @@ Unique Name (GUN). If this is the first time you are adding a delegation to that
repository, this command will also initiate the repository, using a local Notary repository, this command will also initiate the repository, using a local Notary
canonical root key. To understand more about initiating a repository, and the canonical root key. To understand more about initiating a repository, and the
role of delegations, head to role of delegations, head to
[delegations for content trust](trust_delegation/#managing-delegations-in-a-notary-server) [delegations for content trust](trust_delegation/#managing-delegations-in-a-notary-server).
``` ```
$ docker trust signer add --key cert.pem jeff dtr.example.com/admin/demo $ docker trust signer add --key cert.pem jeff dtr.example.com/admin/demo
@ -243,13 +243,13 @@ unsigned images from being imported, loaded, or created.
DCT is controlled by the Docker Engine's configuration file. By default this is DCT is controlled by the Docker Engine's configuration file. By default this is
found at `/etc/docker/daemon.json`. More details on this file can be found found at `/etc/docker/daemon.json`. More details on this file can be found
[here](/engine/reference/commandline/dockerd/#daemon-configuration-file) [here](/engine/reference/commandline/dockerd/#daemon-configuration-file).
The `content-trust` flag is based around a `mode` variable instructing The `content-trust` flag is based around a `mode` variable instructing
the engine whether to enforce signed images, and a `trust-pinning` variable the engine whether to enforce signed images, and a `trust-pinning` variable
instructing the engine which sources to trust. instructing the engine which sources to trust.
`Mode` can take 3 variables: `Mode` can take three variables:
* `Disabled` - Verification is not active and the remainder of the content-trust * `Disabled` - Verification is not active and the remainder of the content-trust
related metadata will be ignored. This is the default value if `mode` is not related metadata will be ignored. This is the default value if `mode` is not
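Review bot: in the changed line "`Mode` can take three variables:", the list that follows gives the values the single `mode` setting accepts (`Disabled` and so on), so "variables" should read "values". The paragraph just above also writes the key in lowercase as `mode`, so the capitalised `Mode` here is inconsistent with it. Suggested wording: "`mode` can take three values:".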
@ -269,7 +269,7 @@ verified successfully will not be pulled or run.
} }
``` ```
### Official Docker Images ### Official Docker images
All official Docker library images found on the Docker Hub (docker.io/library/*) All official Docker library images found on the Docker Hub (docker.io/library/*)
are signed by the same Notary root key. This root key's ID has been embedded are signed by the same Notary root key. This root key's ID has been embedded
@ -287,9 +287,9 @@ Docker images can be used. Specify:
} }
``` ```
### User-Signed Images ### User-Signed images
There are 2 options for trust pinning user-signed images: There are two options for trust pinning user-signed images:
* Notary Canonical Root Key ID (DCT Root Key) is an ID that describes *just* the * Notary Canonical Root Key ID (DCT Root Key) is an ID that describes *just* the
root key used to sign a repository (or rather its respective keys). This is the root key used to sign a repository (or rather its respective keys). This is the
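Review bot: the new heading "### User-Signed images" is only half converted to sentence case, since "Signed" keeps its capital while the sibling heading changed in this commit becomes "### Official Docker images". Suggest "### User-signed images", which also matches the lowercase "user-signed images" in the sentence directly below the heading.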