The example below demonstrates setting up the Notary server and Docker client, signing an image and then pushing it to Artifactory, with the following assumptions:
You have configured the Notary server
Notary server and Artifactory run on localhost (
Notary server is in directory
Working without a DNS (so we need to configure the
Notary server name is
Artifactory server name is
Docker Compose is installed.
Set up the IP mappings
sudo sh -c 'echo "127.0.0.1 notaryserver" >> /etc/hosts'
sudo sh -c 'echo "127.0.0.1 artifactory-registry" >> /etc/hosts'
Pull an image for testing
docker pull docker/trusttest
After you have pulled the image, you need to
docker login to
Configure the Docker client
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443
Tag the image you pulled for testing and push it to Artifactory
docker tag docker/trusttest artifactory-registry:5002/test/trusttest:latest
docker push artifactory-registry:5002/test/trusttest:latest
You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the DOCKER_CONTENT_TRUST flag is set.
The root key is generated at:
You will also be asked to enter a new passphrase for the image. This is generated at
/root/.docker/trust/private/tuf_keys/[registry name]/[imagepath]
The Docker image is signed after it is pushed to Artifactory.
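A preflight check for the steps above, as an added example that is not part of the original page: it adds the two host mappings without duplicating them on a re-run, and confirms that content trust is enabled and pointed at the Notary server before the push. The function names `ensure_host_mapping` and `check_content_trust_env` are hypothetical.

```shell
#!/bin/sh
# Added example: preflight helpers for the walkthrough (hypothetical names).

# ensure_host_mapping FILE IP NAME
# Append "IP NAME" to FILE only when NAME is not already mapped on a
# non-comment line, so re-running setup does not stack duplicate entries.
ensure_host_mapping() {
    hosts_file=$1; host_ip=$2; host_name=$3
    if awk -v n="$host_name" '
        $1 !~ /^#/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break        # trailing comment starts here
                if ($i == n) found = 1
            }
        }
        END { exit !found }' "$hosts_file" 2>/dev/null
    then
        return 0
    fi
    printf '%s %s\n' "$host_ip" "$host_name" >> "$hosts_file"
}

# check_content_trust_env EXPECTED_SERVER_URL
# Returns 0 when the shell is set up as in the walkthrough, otherwise:
#   1 = content trust disabled, 2 = trust server not https, 3 = wrong server
check_content_trust_env() {
    expected=$1
    if [ "${DOCKER_CONTENT_TRUST:-}" != "1" ]; then
        echo "DOCKER_CONTENT_TRUST is not 1; docker push would not sign" >&2
        return 1
    fi
    case "${DOCKER_CONTENT_TRUST_SERVER:-}" in
        https://*) ;;
        *) echo "DOCKER_CONTENT_TRUST_SERVER is unset or not https" >&2
           return 2 ;;
    esac
    if [ "$DOCKER_CONTENT_TRUST_SERVER" != "$expected" ]; then
        echo "trust server is $DOCKER_CONTENT_TRUST_SERVER, expected $expected" >&2
        return 3
    fi
}

# Usage (as root, before the tag/push step):
#   ensure_host_mapping /etc/hosts 127.0.0.1 notaryserver
#   ensure_host_mapping /etc/hosts 127.0.0.1 artifactory-registry
#   check_content_trust_env https://notaryserver:4443 || exit 1
```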