moby--moby/docs/security/trust/trust_automation.md

<!--[metadata]>
+++
title = "Automation with content trust"
description = "Automating content push pulls with trust"
keywords = ["trust, security, docker,  documentation, automation"]
[menu.main]
parent= "smn_content_trust"
+++
<![end-metadata]-->

# Automation with content trust

Your automation systems that pull or build images can also work with trust. Any automation environment must set `DOCKER_TRUST_ENABLED` either manually or in in a scripted fashion before processing images.

## Bypass requests for passphrases

To allow tools to wrap docker and push trusted content, there are two
environment variables that allow you to provide the passphrases without an
expect script, or typing them in:

 - `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE`
 - `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`

Docker attempts to use the contents of these environment variables as passphrase
for the keys. For example, an image publisher can export the repository `target`
and `snapshot` passphrases:

```bash
$  export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="u7pEQcGoebUHm6LHe6"
$  export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="l7pEQcTKJjUHm6Lpe4"
```

Then, when pushing a new tag the Docker client does not request these values but signs automatically:

```bash
$  docker push docker/trusttest:latest
The push refers to a repository [docker.io/docker/trusttest] (len: 1)
a9539b34a6ab: Image already exists
b3dbab3810fc: Image already exists
latest: digest: sha256:d149ab53f871 size: 3355
Signing and pushing trust metadata
```

## Building with content trust

You can also build with content trust. Before running the `docker build` command, you should set the environment variable `DOCKER_CONTENT_TRUST` either manually or in in a scripted fashion. Consider the simple Dockerfile below.

```Dockerfile
FROM docker/trusttest:latest
RUN echo
```

The `FROM` tag is pulling a signed image. You cannot build an image that has a
`FROM` that is not either present locally or signed. Given that content trust
data exists for the tag `latest`, the following build should succeed:

```bash
$  docker build -t docker/trusttest:testing .
Using default tag: latest
latest: Pulling from docker/trusttest

b3dbab3810fc: Pull complete
a9539b34a6ab: Pull complete
Digest: sha256:d149ab53f871
```

If content trust is enabled, building from a Dockerfile that relies on tag without trust data, causes the build command to fail:

```bash
$  docker build -t docker/trusttest:testing .
unable to process Dockerfile: No trust data for notrust
```

## Related information

* [Content trust in Docker](content_trust.md)
* [Manage keys for content trust](trust_key_mng.md)
* [Delegations for content trust](trust_delegation.md)
* [Play in a content trust sandbox](trust_sandbox.md)
Docker content trust documentation - started from Diogo's work - updated after discussions with team - Updating with new key names - fixing weight - adding in sandbox - adding in gliffy for images - backing out to old names for now - Copy edit pass - Entering comments from the content trust team - Update name of branch and image name - Removing the last diogo reference - Updating with Seb's comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-07-30 01:16:43 +00:00			`<!--[metadata]>`
			`+++`
			`title = "Automation with content trust"`
			`description = "Automating content push pulls with trust"`
			`keywords = ["trust, security, docker, documentation, automation"]`
			`[menu.main]`
			`parent= "smn_content_trust"`
			`+++`
			`<![end-metadata]-->`

			`# Automation with content trust`

			Your automation systems that pull or build images can also work with trust. Any automation environment must set `DOCKER_TRUST_ENABLED` either manually or in in a scripted fashion before processing images.

			`## Bypass requests for passphrases`

			`To allow tools to wrap docker and push trusted content, there are two`
			`environment variables that allow you to provide the passphrases without an`
			`expect script, or typing them in:`

Changing docs to reflect new names Signed-off-by: Diogo Monica <diogo@docker.com> 2015-10-09 19:14:46 +00:00			- `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE`
			- `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`
Docker content trust documentation - started from Diogo's work - updated after discussions with team - Updating with new key names - fixing weight - adding in sandbox - adding in gliffy for images - backing out to old names for now - Copy edit pass - Entering comments from the content trust team - Update name of branch and image name - Removing the last diogo reference - Updating with Seb's comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-07-30 01:16:43 +00:00
			`Docker attempts to use the contents of these environment variables as passphrase`
			for the keys. For example, an image publisher can export the repository `target`
			and `snapshot` passphrases:

			```bash
Changing docs to reflect new names Signed-off-by: Diogo Monica <diogo@docker.com> 2015-10-09 19:14:46 +00:00			`$ export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="u7pEQcGoebUHm6LHe6"`
			`$ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="l7pEQcTKJjUHm6Lpe4"`
Docker content trust documentation - started from Diogo's work - updated after discussions with team - Updating with new key names - fixing weight - adding in sandbox - adding in gliffy for images - backing out to old names for now - Copy edit pass - Entering comments from the content trust team - Update name of branch and image name - Removing the last diogo reference - Updating with Seb's comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-07-30 01:16:43 +00:00			```

			`Then, when pushing a new tag the Docker client does not request these values but signs automatically:`

Fixing bad formatting reported by David via email Fixed and tested Signed-off-by: Mary Anthony <mary@docker.com> 2015-08-13 13:42:26 +00:00			```bash
Docker content trust documentation - started from Diogo's work - updated after discussions with team - Updating with new key names - fixing weight - adding in sandbox - adding in gliffy for images - backing out to old names for now - Copy edit pass - Entering comments from the content trust team - Update name of branch and image name - Removing the last diogo reference - Updating with Seb's comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-07-30 01:16:43 +00:00			`$ docker push docker/trusttest:latest`
			`The push refers to a repository [docker.io/docker/trusttest] (len: 1)`
			`a9539b34a6ab: Image already exists`
			`b3dbab3810fc: Image already exists`
			`latest: digest: sha256:d149ab53f871 size: 3355`
			`Signing and pushing trust metadata`
			```

			`## Building with content trust`

Changing docs to reflect new names Signed-off-by: Diogo Monica <diogo@docker.com> 2015-10-09 19:14:46 +00:00			You can also build with content trust. Before running the `docker build` command, you should set the environment variable `DOCKER_CONTENT_TRUST` either manually or in in a scripted fashion. Consider the simple Dockerfile below.
Docker content trust documentation - started from Diogo's work - updated after discussions with team - Updating with new key names - fixing weight - adding in sandbox - adding in gliffy for images - backing out to old names for now - Copy edit pass - Entering comments from the content trust team - Update name of branch and image name - Removing the last diogo reference - Updating with Seb's comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-07-30 01:16:43 +00:00
Fixing bad formatting reported by David via email Fixed and tested Signed-off-by: Mary Anthony <mary@docker.com> 2015-08-13 13:42:26 +00:00			```Dockerfile
Docker content trust documentation - started from Diogo's work - updated after discussions with team - Updating with new key names - fixing weight - adding in sandbox - adding in gliffy for images - backing out to old names for now - Copy edit pass - Entering comments from the content trust team - Update name of branch and image name - Removing the last diogo reference - Updating with Seb's comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-07-30 01:16:43 +00:00			`FROM docker/trusttest:latest`
			`RUN echo`
			```

			The `FROM` tag is pulling a signed image. You cannot build an image that has a
			`FROM` that is not either present locally or signed. Given that content trust
			data exists for the tag `latest`, the following build should succeed:

			```bash
			`$ docker build -t docker/trusttest:testing .`
			`Using default tag: latest`
			`latest: Pulling from docker/trusttest`

			`b3dbab3810fc: Pull complete`
			`a9539b34a6ab: Pull complete`
			`Digest: sha256:d149ab53f871`
			```

			`If content trust is enabled, building from a Dockerfile that relies on tag without trust data, causes the build command to fail:`

			```bash
			`$ docker build -t docker/trusttest:testing .`
			`unable to process Dockerfile: No trust data for notrust`
			```

			`## Related information`

Include documentation on how to add the targets/releases delegation to a repo Signed-off-by: cyli <cyli@twistedmatrix.com> 2016-03-18 23:11:37 +00:00			`* [Content trust in Docker](content_trust.md)`
Enabled GitHub Flavored Markdown GitHub flavored markdown is now supported for links and images. Also, ran LinkChecker and FileResolver. Yay! Fixes from Spider check Output for docker/docker now goes into engine directory Signed-off-by: Mary Anthony <mary@docker.com> 2015-10-09 23:50:41 +00:00			`* [Manage keys for content trust](trust_key_mng.md)`
Include documentation on how to add the targets/releases delegation to a repo Signed-off-by: cyli <cyli@twistedmatrix.com> 2016-03-18 23:11:37 +00:00			`* [Delegations for content trust](trust_delegation.md)`
Enabled GitHub Flavored Markdown GitHub flavored markdown is now supported for links and images. Also, ran LinkChecker and FileResolver. Yay! Fixes from Spider check Output for docker/docker now goes into engine directory Signed-off-by: Mary Anthony <mary@docker.com> 2015-10-09 23:50:41 +00:00			`* [Play in a content trust sandbox](trust_sandbox.md)`
Docker content trust documentation - started from Diogo's work - updated after discussions with team - Updating with new key names - fixing weight - adding in sandbox - adding in gliffy for images - backing out to old names for now - Copy edit pass - Entering comments from the content trust team - Update name of branch and image name - Removing the last diogo reference - Updating with Seb's comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-07-30 01:16:43 +00:00