Test Your Docker Content Trust Setup

JFrog Artifactory Documentation

The example below demonstrates setting up the Notary server and Docker client, signing an image, and then pushing it to Artifactory, with the following assumptions:

  • Artifactory is up and running in a Docker container (see Install Artifactory single node with Docker)

  • You have configured the Notary server

  • Notary server and Artifactory run on localhost (127.0.0.1)

  • Notary server is in directory notarybox

  • Working without a DNS (so we need to configure the hosts file)

  • Notary server name is notaryserver

  • Artifactory server name is artifactory-registry

  • Docker Compose is installed.

Set up the IP mappings

sudo sh -c 'echo "127.0.0.1 notaryserver" >> /etc/hosts'
sudo sh -c 'echo "127.0.0.1 artifactory-registry" >> /etc/hosts'

Pull an image for testing

docker pull docker/trusttest

After you have pulled the image, you need to log in (docker login) to artifactory-registry:5002/v2

Configure the Docker client

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443

Tag the image you pulled for testing and push it to Artifactory

docker tag docker/trusttest artifactory-registry:5002/test/trusttest:latest
docker push artifactory-registry:5002/test/trusttest:latest

You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the DOCKER_CONTENT_TRUST flag is set.

The root key is generated at: /root/.docker/trust/private/root_keys

You will also be asked to enter a new passphrase for the image. This is generated at /root/.docker/trust/private/tuf_keys/[registry name]/[imagepath]

The Docker image is signed after it is pushed to Artifactory.
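
The following preflight check is an added example, not part of the JFrog documentation. It verifies the hosts mappings and content trust variables from the steps above before a push, because a push made without DOCKER_CONTENT_TRUST set completes without signing anything. The function names and the HOSTS_FILE override are hypothetical.

```shell
#!/bin/sh
# Preflight for the Docker Content Trust test setup (added example).
# Assumption: function names and the HOSTS_FILE override are hypothetical;
# host names and variable names are the ones used in the steps above.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Succeeds if host name $1 is mapped to 127.0.0.1 on an active
# (non-commented) line of the hosts file.
has_mapping() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) if ($i == name) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$HOSTS_FILE"
}

# Succeeds if content trust is enabled and the Notary URL uses HTTPS.
dct_env_ok() {
    [ "${DOCKER_CONTENT_TRUST:-}" = "1" ] || return 1
    case "${DOCKER_CONTENT_TRUST_SERVER:-}" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Runs every check, reports each failure on stderr, returns non-zero if any failed.
preflight() {
    rc=0
    for h in notaryserver artifactory-registry; do
        has_mapping "$h" || { echo "missing hosts entry: $h" >&2; rc=1; }
    done
    dct_env_ok || {
        echo "DOCKER_CONTENT_TRUST is not 1 or Notary URL is not https" >&2
        rc=1
    }
    return $rc
}

# Usage: preflight && docker push artifactory-registry:5002/test/trusttest:latest
```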