command: docker trust sign short: Sign an image long: '`docker trust sign` adds signatures to tags to create signed repositories.' usage: docker trust sign IMAGE:TAG pname: docker trust plink: docker_trust.yaml options: - option: local value_type: bool default_value: "false" description: Sign a locally tagged image deprecated: false experimental: false experimentalcli: false kubernetes: false swarm: false examples: "### Sign a tag as a repo admin\n\nGiven an image:\n\n```bash\n$ docker trust view example/trust-demo\nSIGNED TAG DIGEST SIGNERS\nv1 \ c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41 \ (Repo Admin)\n\nAdministrative keys for example/trust-demo:\nRepository Key:\t36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942\nRoot Key:\t246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b\n```\n\nSign a new tag with `docker trust sign`:\n\n```bash\n$ docker trust sign example/trust-demo:v2\nSigning and pushing trust metadata for example/trust-demo:v2\nThe push refers to a repository [docker.io/example/trust-demo]\need4e566104a: Layer already exists\n77edfb6d1e3c: Layer already exists\nc69f806905c2: Layer already exists\n582f327616f1: Layer already exists\na3fbb648f0bd: Layer already exists\n5eac2de68a97: Layer already exists\n8d4d1ab5ff74: Layer already exists\nv2: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787\nSigning and pushing trust metadata\nEnter passphrase for repository key with ID 36d4c36:\nSuccessfully signed docker.io/example/trust-demo:v2\n```\n\n`docker trust view` lists the new signature:\n\n```bash\n$ docker trust view example/trust-demo\nSIGNED TAG DIGEST SIGNERS\nv1 \ c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41 \ (Repo Admin)\nv2 8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 \ (Repo Admin)\n\nAdministrative keys for example/trust-demo:\nRepository Key:\t36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942\nRoot Key:\t246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b\n```\n\n### Sign a tag as a signer\n\nGiven an image:\n\n```bash\n$ docker trust view example/trust-demo\n\nNo signatures for example/trust-demo\n\n\nList of signers and their keys for example/trust-demo:\n\nSIGNER \ KEYS\nalice 05e87edcaecb\nbob 5600f5ab76a2\n\nAdministrative keys for example/trust-demo:\nRepository Key:\tecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e\nRoot Key:\t3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949\n```\n\nSign a new tag with `docker trust sign`:\n\n```bash\n$ docker trust sign example/trust-demo:v1\nSigning and pushing trust metadata for example/trust-demo:v1\nThe push refers to a repository [docker.io/example/trust-demo]\n26b126eb8632: Layer already exists\n220d34b5f6c9: Layer already exists\n8a5132998025: Layer already exists\naca233ed29c3: Layer already exists\ne5d2f035d7a4: Layer already exists\nv1: digest: sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 size: 1357\nSigning and pushing trust metadata\nEnter passphrase for delegation key with ID 27d42a8:\nSuccessfully signed docker.io/example/trust-demo:v1\n```\n\n`docker trust view` lists the new signature:\n\n```bash\n$ docker trust view example/trust-demo\nSIGNED TAG DIGEST SIGNERS\nv1 \ 74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 \ alice\n\nList of signers and their keys for example/trust-demo:\n\nSIGNER KEYS\nalice \ 05e87edcaecb\nbob 5600f5ab76a2\n\nAdministrative keys for example/trust-demo:\nRepository Key:\tecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e\nRoot Key:\t3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949\n```" deprecated: false experimental: false experimentalcli: false kubernetes: false swarm: false