The example below demonstrates setting up the Notary server and Docker client, signing an image and pushing it to Artifactory, with the following assumptions:

- You have configured the Notary server
- Notary server and Artifactory run on localhost (127.0.0.1)
- Notary server is in directory notarybox
- Working without a DNS (so we need to configure the hosts file)
- Notary server name is notaryserver
- Artifactory server name is artifactory-registry
- Docker Compose is installed
Set up the IP mappings (these commands append to /etc/hosts; run each only once, or you will accumulate duplicate lines)
sudo sh -c 'echo "127.0.0.1 notaryserver" >> /etc/hosts'
sudo sh -c 'echo "127.0.0.1 artifactory-registry" >> /etc/hosts'
Pull an image for testing
docker pull docker/trusttest
After you have pulled the image, log in to Artifactory with the Docker client:
docker login artifactory-registry:5002/v2
Configure the Docker client. DOCKER_CONTENT_TRUST=1 makes docker pull, docker build and docker push in this shell require and produce signed trust data; DOCKER_CONTENT_TRUST_SERVER points the client at the Notary server instead of the registry's default trust server. Use an https:// URL; if notaryserver presents a self-signed certificate, copy its CA certificate into ~/.docker/tls/notaryserver:4443/ (Docker loads every *.crt file in that directory as a trusted CA for that server).
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443
Tag the image you pulled for testing and push it to Artifactory
docker tag docker/trusttest artifactory-registry:5002/test/trusttest:latest
docker push artifactory-registry:5002/test/trusttest:latest
You will be asked to enter the root key passphrase. The root key is the trust anchor for every repository you sign; Docker prompts for it whenever you push to a repository that has no trust data yet (a new image) while DOCKER_CONTENT_TRUST is set, so back it up offline and keep the passphrase safe.
The root key is generated at: /root/.docker/trust/private/root_keys (when running as root; otherwise under ~/.docker/trust/private/root_keys)
You will also be asked to enter a new passphrase for the repository key, which the page calls the passphrase for the image. This key signs the individual tags and is generated at /root/.docker/trust/private/tuf_keys/[registry name]/[imagepath]. Later pushes to the same repository prompt only for this repository key passphrase, not for the root key.
The Docker image is signed after it is pushed to Artifactory: the layers and manifest are uploaded first, then the Docker client signs the manifest digest with the repository key and publishes the resulting TUF metadata to the Notary server. Artifactory holds the image; the Notary server holds the trust data that a client with DOCKER_CONTENT_TRUST=1 checks on pull.
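The whole procedure as one script, added here as an example; it is not part of the original page and not JFrog's or Docker's own tooling. It uses the names assumed above (notaryserver:4443, artifactory-registry:5002, repository test/trusttest) and additionally assumes a Docker CLI that provides docker trust and an installed notary command-line client. Compared with the steps above it makes the hosts-file edit idempotent, checks the trust environment before anything is pushed, and also pushes an unsigned tag so that the final check can show a pull with content trust enabled rejecting it.

```shell
#!/bin/sh
# Added example (not from the original page): sign an image, push it to
# Artifactory and verify the trust data on the Notary server.
# Assumed names, matching the setup above: notaryserver:4443,
# artifactory-registry:5002, repository test/trusttest.
set -eu

NOTARY_URL="https://notaryserver:4443"
REGISTRY="artifactory-registry:5002"
REPO="test/trusttest"

# Map a host name to an IP in a hosts file, but only once: the page's
# `echo >> /etc/hosts` adds a duplicate line every time it is re-run.
ensure_hosts_entry() {
    ip=$1; host=$2; file=${3:-/etc/hosts}
    if grep -Eq "^[^#]*[[:space:]]$host([[:space:]]|\$)" "$file"; then
        return 0
    fi
    if [ -w "$file" ]; then
        printf '%s %s\n' "$ip" "$host" >> "$file"
    else
        printf '%s %s\n' "$ip" "$host" | sudo tee -a "$file" >/dev/null
    fi
}

# Fail early unless content trust is really on and the trust server is an
# https:// URL; over plain http an attacker on the path could feed the
# client forged TUF metadata.
check_trust_env() {
    if [ "${DOCKER_CONTENT_TRUST:-}" != "1" ]; then
        echo "DOCKER_CONTENT_TRUST must be 1" >&2; return 1
    fi
    case "${DOCKER_CONTENT_TRUST_SERVER:-}" in
        https://*) return 0 ;;
        *) echo "DOCKER_CONTENT_TRUST_SERVER must be an https:// URL" >&2; return 1 ;;
    esac
}

# Warn if no CA certificate is installed for a self-signed Notary server.
# Docker loads every *.crt file under ~/.docker/tls/<host>:<port>/ as a CA
# for that trust server.
check_notary_ca() {
    ca_dir="$HOME/.docker/tls/${NOTARY_URL#https://}"
    if ! ls "$ca_dir"/*.crt >/dev/null 2>&1; then
        echo "warning: no CA certificate in $ca_dir; TLS to $NOTARY_URL will fail unless its certificate is publicly trusted" >&2
    fi
}

# Tag the test image and push it. With DOCKER_CONTENT_TRUST=1 the layers and
# manifest go to Artifactory first; Docker then signs the manifest digest and
# publishes the TUF metadata to the Notary server. The first push to a
# repository prompts for the root key passphrase and a new repository key
# passphrase; later pushes only need the repository key passphrase.
sign_and_push() {
    docker pull docker/trusttest
    docker tag docker/trusttest "$REGISTRY/$REPO:latest"
    docker push "$REGISTRY/$REPO:latest"
    # Also publish an unsigned tag so the negative check below is meaningful.
    docker tag docker/trusttest "$REGISTRY/$REPO:unsigned"
    docker push --disable-content-trust "$REGISTRY/$REPO:unsigned"
}

verify_signatures() {
    # Signed tags, their digests and the signing keys, as the Docker CLI sees them.
    docker trust inspect --pretty "$REGISTRY/$REPO"
    # The same targets read directly from the Notary server's TUF repository.
    notary -s "$NOTARY_URL" -d "$HOME/.docker/trust" list "$REGISTRY/$REPO"
    # Negative check: with content trust on, a tag without trust data must
    # be refused even though it exists in Artifactory.
    if docker pull "$REGISTRY/$REPO:unsigned" 2>/dev/null; then
        echo "ERROR: unsigned tag was accepted with content trust enabled" >&2
        return 1
    fi
    echo "ok: signed tag verified, unsigned tag rejected"
}

main() {
    ensure_hosts_entry 127.0.0.1 notaryserver
    ensure_hosts_entry 127.0.0.1 artifactory-registry
    export DOCKER_CONTENT_TRUST=1
    export DOCKER_CONTENT_TRUST_SERVER="$NOTARY_URL"
    check_trust_env
    check_notary_ca
    docker login "$REGISTRY"
    sign_and_push
    verify_signatures
}

# Only touch Docker when invoked as `sh sign-and-verify.sh run`; without the
# argument the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as sh sign-and-verify.sh run from a shell where you can answer the passphrase prompts. The functions that do not need Docker (ensure_hosts_entry, check_trust_env) take their inputs as arguments or environment variables so they can be exercised on their own, for example against a temporary hosts file.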