Update content_trust.md

Anne Henmi 2018-11-07 10:11:23 -08:00 committed by GitHub
parent d32723440e
commit e87a26decc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 4 deletions

@ -174,15 +174,18 @@ The signature verification feature is configured in the Docker daemon configurat
<table>
<tr>
<td>***Stanza***</td>
<td>***Description***</td>
<td><b>Stanza</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td>| `trust-pinning:root-keys`</td>
<td><code>trust-pinning:root-keys</code></td>
<td>Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an images name matches more than one glob, then the most specific (longest) one is chosen.</td>
</tr>
<tr>
<td><code>trust-pinning:library-images</code></td>
<td>This option pins the official libraries (docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.</td>
</tr>
<table>
| `trust-pinning:root-keys` | Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an images name matches more than one glob, then the most specific (longest) one is chosen.|
|`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.|
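Review bot: the `<table>` that follows the `trust-pinning:library-images` row should be the closing tag `</table>`; as written, the table opened at the top of the hunk is never closed and a second one is opened in its place, so the HTML block does not stay well-formed. In the same `trust-pinning:library-images` cell of the HTML version, the glob is written as `docker.io/library/*`)` with a closing backtick but no opening one (the removed markdown row has both, so copy that form), and the stanza is referred to once as `trustpinning:root-keys` (no hyphen) while the header cell and the first row call it `trust-pinning:root-keys`; the two spellings should be made consistent so a reader copying the stanza name out of the table gets the same name the table documents. Two wording points in the `trust-pinning:root-keys` cell: "If an images name matches" should read "If an image's name matches", and DCT expands to Docker Content Trust (the feature this content_trust.md page documents), not "Docker Certified Trust"; the same expansion appears in the removed markdown row, so the new HTML cell carries the error forward.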