Clarifying use of flag

Updating with Seb's comments
Updating with comments from review

Signed-off-by: Mary Anthony <mary@docker.com>
This commit is contained in:
Mary Anthony 2015-09-13 13:22:04 -07:00
parent 552c361f39
commit a2f545c86d
1 changed files with 59 additions and 49 deletions


@ -138,13 +138,13 @@ for details on creating, securing, and backing up your keys.
This section surveys the typical trusted operations users perform with Docker
images.
### Enable content trust
### Enable and disable content trust per-shell or per-invocation
Enable content trust by setting the `DOCKER_CONTENT_TRUST` environment variable.
Enabling per-shell is useful because you can have one shell configured for
trusted operations and another terminal shell for untrusted operations. You can
also add this declaration to your shell profile to have it turned on always by
default.
In a shell, you can enable content trust by setting the `DOCKER_CONTENT_TRUST`
environment variable. Enabling per-shell is useful because you can have one
shell configured for trusted operations and another terminal shell for untrusted
operations. You can also add this declaration to your shell profile to have it
turned on always by default.
To enable content trust in a `bash` shell enter the following command:
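Review bot: the new heading promises enabling and disabling "per-invocation", but the rewritten paragraph beneath it (`In a shell, you can enable content trust by setting the ...`) still covers only the per-shell environment variable; add one sentence here stating that `--disable-content-trust` overrides the variable for a single command, so a reader who stops at this subsection gets both halves of what the heading announces. Also, "add this declaration to your shell profile" points at an `export` line that only appears after the next sentence; "add the `export` below to your shell profile" removes the ambiguity.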
@ -152,17 +152,30 @@ To enable content trust in a `bash` shell enter the following command:
export DOCKER_CONTENT_TRUST=1
```
Once set, each of the "tag" operations require key for trusted tag. All of these
commands also support the `--disable-content-trust` flag. This flag allows
publishers to run individual operations on tagged images without content trust on an
as-needed basis.
Once set, each of the "tag" operations requires a key for a trusted tag.
In an environment where `DOCKER_CONTENT_TRUST` is set, you can use the
`--disable-content-trust` flag to run individual operations on tagged images
without content trust on an as-needed basis.
```bash
$ docker pull --disable-content-trust docker/trusttest:untrusted
```
To invoke a command with content trust enabled regardless of whether or how the `DOCKER_CONTENT_TRUST` variable is set:
```bash
$ docker build --disable-content-trust=false -t docker/trusttest:testing .
```
All of the trusted operations support the `--disable-content-trust` flag.
### Push trusted content
To create signed content for a specific image tag, simply enable content trust and push
a tagged image. If this is the first time you have pushed an image using content trust
on your system, the session looks like this:
To create signed content for a specific image tag, simply enable content trust
and push a tagged image. If this is the first time you have pushed an image
using content trust on your system, the session looks like this:
```bash
$ docker push docker/trusttest:latest
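Review bot: `Once set, each of the "tag" operations requires a key for a trusted tag.` is now the only sentence saying what the variable gates, and "tag operations" is never defined in the visible text; name the commands (the hunk's own examples use `pull`, `build`, and `push`) so the claim is checkable. The `docker pull --disable-content-trust docker/trusttest:untrusted` example should carry a sentence that the pulled image is not verified at all, since this is the documentation for a security control and the example shows how to switch it off. The line `To invoke a command with content trust enabled regardless of whether or how the ...` also breaks the roughly 80-column wrap the rest of the file follows.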
@ -183,19 +196,19 @@ Enter passphrase for new tagging key with id docker.io/docker/trusttest (3a932f1
Repeat passphrase for new tagging key with id docker.io/docker/trusttest (3a932f1):
Finished initializing "docker.io/docker/trusttest"
```
When you push your first tagged image with content trust enabled, the `docker` client
recognizes this is your first push and:
When you push your first tagged image with content trust enabled, the `docker`
client recognizes this is your first push and:
- alerts you that it will create a new offline key
- requests a passphrase for the key
- generates an offline key in the `~/.docker/trust` directory
- generates a tagging key for in the `~/.docker/trust` directory
The passphrase you chose for both the offline key and your content key-pair should
be randomly generated and stored in a *password manager*.
The passphrase you chose for both the offline key and your content key-pair
should be randomly generated and stored in a *password manager*.
It is important to note, if you had left off the `latest` tag, content trust is skipped.
This is true even if content trust is enabled and even if this is your first push.
> **NOTE**: If you omit the `latest` tag, content trust is skipped. This is true
even if content trust is enabled and even if this is your first push.
```bash
$ docker push docker/trusttest
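Review bot: the unchanged context line `- generates a tagging key for in the `~/.docker/trust` directory` has a stray `for`; since this hunk already rewrites the surrounding paragraphs, fix it here. In `The passphrase you chose for both the offline key and your content key-pair`, `chose` should be `choose`, and "content key-pair" does not match the "tagging key" named in the list two lines above; use one term throughout. The NOTE's second line (`even if content trust is enabled and even if this is your first push.`) lacks the `>` prefix carried by its first line; markdown lazy continuation renders it, but prefixing every line keeps the blockquote intact if the lines are later reflowed.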
@ -286,6 +299,3 @@ $ docker push --disable-content-trust docker/trusttest:untrusted
* [Manage keys for content trust](/security/trust/trust_key_mng)
* [Automation with content trust](/security/trust/trust_automation)
* [Play in a content trust sandbox](/security/trust/trust_sandbox)