Hands-On Kubernetes on Windows

Signing an image

As an example, we will sign one of the Docker images we have built and pushed to Docker Hub in this chapter, that is, packtpubkubernetesonwindows/iis-demo-index. To follow along, you will need to perform the operations on your own image repository, <dockerId>/iis-demo-index. Signing can be performed with the following steps:

  1. Generate a delegation key pair. Locally, this can be done using the following command:
     docker trust key generate <pairName>

  2. You will be asked for a passphrase for the private key. Choose a strong passphrase and continue. The private delegation key is stored in ~/.docker/trust/private by default (also on Windows), and the public delegation key is saved in the current working directory.

  3. Add the delegation public key to the Notary server (for Docker Hub, it is notary.docker.io). The key is loaded for a particular image repository, which Notary identifies by a Globally Unique Name (GUN). For Docker Hub, GUNs have the form docker.io/<dockerId>/<repository>. Execute the following command:
     docker trust signer add --key <pairName>.pub <signerName> docker.io/<dockerId>/<repository>

     # For example
     docker trust signer add --key packtpubkubernetesonwindows-key.pub packtpubkubernetesonwindows docker.io/packtpubkubernetesonwindows/iis-demo-index

  4. If you are adding a delegation to your repository for the first time, you will automatically be prompted to initialize the repository's trust data, which uses the local Notary canonical root key.

  5. Tag the image so that it has a specific tag that can be signed, like so:
     docker tag packtpubkubernetesonwindows/iis-demo:latest packtpubkubernetesonwindows/iis-demo:1.0.1

  6. Use the private delegation key to sign the new tag and push it to Docker Hub, like so:
     docker trust sign packtpubkubernetesonwindows/iis-demo:1.0.1

  7. Alternatively, this can be performed by docker push, provided that you have set the DOCKER_CONTENT_TRUST environment variable in PowerShell before pushing:
     $env:DOCKER_CONTENT_TRUST=1
     docker tag packtpubkubernetesonwindows/iis-demo:latest packtpubkubernetesonwindows/iis-demo:1.0.2
     docker push packtpubkubernetesonwindows/iis-demo:1.0.2

  8. Now, you can inspect the remote trust data for the repository:
     docker trust inspect --pretty docker.io/packtpubkubernetesonwindows/iis-demo:1.0.1
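
The following PowerShell function is an added example, not code from the book: it turns the trust data from the last step into a check that a given tag is signed by the delegation signer you expect, which is what a deployment script would verify before pulling. It assumes the JSON layout printed by docker trust inspect without --pretty; the embedded sample, its digest and key IDs are constructed placeholders.

```powershell
# Added example: verify that an image tag carries a Docker Content Trust
# signature from an expected delegation signer. Assumes the JSON layout of
# `docker trust inspect <image>` (without --pretty).

function Test-TrustedTag {
    param(
        [Parameter(Mandatory)] [string] $TrustJson,       # output of: docker trust inspect <image>
        [Parameter(Mandatory)] [string] $Tag,             # tag to check, e.g. "1.0.1"
        [Parameter(Mandatory)] [string] $ExpectedSigner   # delegation signer name added with `docker trust signer add`
    )
    $repos = $TrustJson | ConvertFrom-Json
    foreach ($repo in $repos) {
        # SignedTags lists every tag that has trust metadata and the signers that signed it
        $signed = $repo.SignedTags | Where-Object { $_.SignedTag -eq $Tag }
        if (-not $signed) { continue }
        if ($signed.Signers -contains $ExpectedSigner) {
            return [pscustomobject]@{ Repository = $repo.Name; Tag = $Tag; Digest = $signed.Digest; Trusted = $true }
        }
    }
    # Tag absent from trust data, or signed only by someone else: do not trust it
    return [pscustomobject]@{ Repository = $null; Tag = $Tag; Digest = $null; Trusted = $false }
}

# Constructed sample of what `docker trust inspect` returns for the signed tag
# (digest and key IDs are placeholders, not real values)
$sample = @'
[
  {
    "Name": "docker.io/packtpubkubernetesonwindows/iis-demo:1.0.1",
    "SignedTags": [
      { "SignedTag": "1.0.1", "Digest": "<constructed-digest>", "Signers": ["packtpubkubernetesonwindows"] }
    ],
    "Signers": [
      { "Name": "packtpubkubernetesonwindows", "Keys": [ { "ID": "<constructed-delegation-key-id>" } ] }
    ],
    "AdministrativeKeys": [
      { "Name": "Root", "Keys": [ { "ID": "<constructed-root-key-id>" } ] },
      { "Name": "Repository", "Keys": [ { "ID": "<constructed-repository-key-id>" } ] }
    ]
  }
]
'@

Test-TrustedTag -TrustJson $sample -Tag '1.0.1' -ExpectedSigner 'packtpubkubernetesonwindows'
Test-TrustedTag -TrustJson $sample -Tag '1.0.2' -ExpectedSigner 'packtpubkubernetesonwindows'

# Against the live repository (needs Docker and network access); Out-String joins
# docker's output lines so ConvertFrom-Json receives a single JSON document:
# $json = docker trust inspect docker.io/packtpubkubernetesonwindows/iis-demo:1.0.1 | Out-String
# if (-not (Test-TrustedTag -TrustJson $json -Tag '1.0.1' -ExpectedSigner 'packtpubkubernetesonwindows').Trusted) { throw 'untrusted image' }
```

The first call returns Trusted = True because the sample's signer matches; the second returns Trusted = False because tag 1.0.2 has no trust data in the sample, which is the same outcome a client with DOCKER_CONTENT_TRUST=1 would enforce at pull time.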

Next, let's try running a container with DCT enabled on the client side.