iSharkFly-Docs/Docker-Docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Docker-Docs/docker-hub/publish/trustchain.md
YuCheng Hu e8587dc33f init submit all files
2020-11-18 13:32:27 -05:00

66 lines
3.3 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Docker Hub Publisher Image Trust Chain
keywords: trust, chain, store, security
redirect_from:
- /docker-store/trustchain/
---
## For consumers
Docker can ensure that all content is securely received and verified from original
producers, and additionally audits images before adding them to the Docker
Hub. Docker cryptographically signs the images upon completion of a
satisfactory image check, so that you can verify and trust certified content
from the Docker Hub.
Heres the full trust chain in detail, with details on how to cryptographically
verify completion of the process when pulling an image from Docker Hub:
1. Publishers sign and push their images using Docker Content Trust to a private staging area.
2. Docker pulls the image, verifies the signatures to guarantee authenticity, integrity, and freshness of the image.
3. The Docker Hub certification team performs a thorough review of the image, looking for vulnerabilities and verifying best practices for image hygiene, such as ensuring minimal image sizes and working health-checks.
4. Upon a successful review, Docker signs the image and makes it officially available on Docker Hub. As a consumer, you can confirm that Docker signed the image by pulling and running with Docker Content Trust:
```shell
DOCKER_CONTENT_TRUST=1 docker pull <image>
DOCKER_CONTENT_TRUST=1 docker run <image>
```
## For publishers
The Docker Hub has a thorough and well-defined certification process to ensure
top-quality content from producers is delivered to consumers in a trusted
manner. As a producer of content, you are required to sign your images so
that Docker can verify that your content is not tampered with upon starting the
image certification and publishing process as outlined below:
1. Producers sign and push their images using Docker Content Trust to a private staging area. To do this, run a `docker push` command with Content Trust enabled:
```shell
DOCKER_CONTENT_TRUST=1 docker push <image>
```
2. Docker verifies the signatures to guarantee authenticity, integrity, and freshness of the image. All of the individual layers of your image, and the combination thereof, are encompassed as part of this verification check. [Read more detail about Content Trust in Docker's documentation](../../engine/security/trust/index.md).
3. Upon a successful signature verification, Docker pulls the original image to a private, internal staging area only accessible to the Docker Hub certification team.
4. The Docker Hub certification team performs a thorough review of the image, looking for vulnerabilities and verifying best practices for image hygiene, such as ensuring minimal image sizes and working health-checks.
5. Upon a successful review, Docker signs the image and makes it officially available on Docker Hub. Similar to artifacts on the Apple Store, this is the final and only signature on the image. Your consumers confirm that the full certification process was completed by checking Dockers signature by pulling and running with Docker Content Trust:
```shell
DOCKER_CONTENT_TRUST=1 docker pull <image>
DOCKER_CONTENT_TRUST=1 docker run <image>
```
![Store Trust Chain signing process](images/image_0.png)
To learn more the trust chain and certification for publishing content, see
[Security and Audit Policies](publish.md#security-and-audit-policies) in the
publishers guide.
Reference in New Issue View Git Blame Copy Permalink