Test Your Docker Content Trust Setup

JFrog Artifactory Documentation

JFrog Artifactory
Content Type
User Guide

The example below demonstrates setting up the Notary server and Docker client, signing an image and the pushing it to Artifactory, with the following assumptions:

  • Artifactory is up and running in a Docker containerInstall Artifactory single node with Docker

  • You have configured the Notary server

  • Notary server and Artifactory run on localhost (

  • Notary server is in directory notarybox

  • Working without a DNS (so we need to configure the hosts file)

  • Notary server name is notaryserver

  • Artifactory server name is artifactory-registry

  • Docker Compose is installed.

Set up the IP mappings

sudo sh -c 'echo " notaryserver" >> /etc/hosts'
sudo sh -c 'echo " artifactory-registry" >> /etc/hosts'

Pull an image for testing

docker pull docker/trusttest

After you have pulled the image, you need to docker login to artifactory-registry:5002/v2

Configure the Docker client

export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443

Tag the image you pulled for testing and push it to Artifactory

docker tag docker/trusttest artifactory-registry:5002/test/trusttest:latest
docker push artifactory-registry:5002/test/trusttest:latest

You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the DOCKER_CONTENT_TRUST flag is set.

The root key is generated at: /root/.docker/trust/private/root_keys

You will also be asked to enter a new passphrase for the image. This is generated at /root/.docker/trust/private/tuf_keys/[registry name] /[imagepath]

The Docker image is signed after it is pushed to Artifactory.