How can I configure Docker Content Trust signature verification on Unraid

Docker Content Trust (DCT) is enforced by the docker command-line client, not by the Docker daemon. On Unraid that means it covers the images you pull, build or run from a terminal or a script; containers installed or updated through the Unraid web UI are handed to the daemon directly and are not checked. With that scope understood, the configuration steps are:

1. Enable Docker Content Trust

DOCKER_CONTENT_TRUST is read by the docker command-line client, not by the daemon. Set it in the shell you run docker commands from:

export DOCKER_CONTENT_TRUST=1

With it set, docker pull, docker run, docker create, docker build and docker push refuse tags that have no valid signature in the registry's trust data. An export in a terminal lasts only for that session, and Unraid rebuilds /etc and /root in RAM at every boot, so a profile edit does not survive a reboot either; the usual workaround is to have /boot/config/go (which Unraid runs once at startup) append the export line to /etc/profile. Two limits are worth knowing: any single command can bypass the check with --disable-content-trust, and references pinned by digest (image@sha256:...) are pulled without a signature check because the digest already fixes the content. Containers the Unraid web UI pulls are not covered at all, since the UI talks to the daemon directly.

2. Generate Signing Keys

Before you can sign images you need a delegation key pair. Generate one with:

docker trust key generate <your_key_name>

This creates a passphrase-protected private key under ~/.docker/trust/private and writes the public half to <your_key_name>.pub in the current directory. The private key is what signs; the public key is what you register on a repository so that signatures made with it are trusted:

docker trust signer add --key <your_key_name>.pub <your_key_name> <repository>

On Unraid, /root lives in RAM and is rebuilt at every boot, so ~/.docker/trust (and the private key in it) is lost on reboot unless you copy it to the flash drive or the array and restore it, or set DOCKER_CONFIG to a directory on persistent storage, since the trust store lives under that directory.

3. Sign Your Docker Images

Once the key is loaded and registered as a signer, sign a tag with:

docker trust sign <repository>:<tag>

For example:

docker trust sign myrepo/myimage:latest

The command pushes the image and then the signature to the registry's Notary server, so the registry must be backed by one (Docker Hub is; a plain private registry is not, see step 7). The first time a repository is signed you are prompted for passphrases for its new root key and repository key; both are stored under ~/.docker/trust/private, and the root key in particular should be backed up offline, because losing it means the repository's trust data has to be rebuilt from scratch. What gets signed is the tag's current digest: re-pushing the same tag later requires signing it again, and an unsigned tag in a signed repository is still rejected on pull while DCT is enabled.

4. Verify Signed Images

To see what is signed in a repository, and by whom, run:

docker trust inspect --pretty <repository>[:<tag>]

This queries the registry's Notary server (not the local image store) and lists each signed tag, the digest the signature covers and the signers, followed by the repository's signer keys and administrative (root and repository) keys. Without --pretty the same data is printed as JSON, which is the form to use from scripts. The digest shown is the value to pin in a pull (image@sha256:...) once you have confirmed the signer is the one you expect.

5. Trust Pinning in daemon.json (Not Available on Unraid)

Docker Enterprise Engine offered daemon-side enforcement through a content-trust block in /etc/docker/daemon.json, for example:

{
  "content-trust": {
    "mode": "enforced"
  }
}

The community Docker Engine that Unraid ships does not implement this directive, and the daemon refuses to start when daemon.json contains a key it does not recognise, so do not add it on Unraid. The fragment above also does not pin any root key on its own; the Enterprise feature needed a separate trust-pinning section listing the root key IDs to trust. On Unraid enforcement stays in the client: DOCKER_CONTENT_TRUST in the shells and scripts that run docker, plus a docker trust inspect check before an update.

6. Restart the Docker Service

Unraid does not use systemd, so sudo systemctl restart docker does nothing there (and sudo is unnecessary, since the Unraid shell is already root). If you do change daemon settings, restart the service from Settings > Docker in the web UI (disable, apply, enable again) or from the terminal:

/etc/rc.d/rc.docker restart

Either way every running container is stopped and started again. Keep in mind that /etc is rebuilt in RAM at boot, so a hand-edited daemon.json does not persist; Unraid's own Docker settings are kept on the flash drive under /boot/config.

7. Use a Notary Server (Required for Private Registries)

DCT does not store signatures in the registry itself; it stores TUF metadata on a Notary server, and the private signing keys never leave the client. Docker Hub runs a Notary server (notary.docker.io) that the client uses automatically for Hub repositories. If you push to a private registry on your Unraid box or LAN, you have to run the Notary server yourself and tell the client where it is, replacing the URL with your own:

export DOCKER_CONTENT_TRUST_SERVER=https://notary.example.internal:4443

Without a reachable Notary server, docker trust sign fails and, with DOCKER_CONTENT_TRUST=1, every pull from that registry is refused. A Notary deployment is also where larger teams keep their delegation structure, but for a single Unraid server signing into Docker Hub the default is enough.
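The steps above come down to three things a script on Unraid can check before it updates a container: that trust is on in the shell, which signer vouches for a tag, and which digest that signature covers. The gate below is an added example written for this page, not code from Unraid or Docker. The repository myrepo/myimage, the tags and the signers alice, bob and mallory are hypothetical, the inspect output it parses is a constructed sample in the shape that docker trust inspect prints without --pretty, and it assumes the docker CLI's key order in each SignedTags entry (SignedTag, Digest, Signers); jq is not assumed to be installed, so the parsing uses tr, grep and sed only.

```sh
#!/bin/sh
# Added example for this page, not part of Unraid or Docker.
# Gate a pull on Docker Content Trust: confirm a tag is signed by the
# signer you expect, then pull it by the digest the signature covers.
# Repository, tags and signer names below are hypothetical.

# DCT is a client-side check, so it has to be on in this shell.
export DOCKER_CONTENT_TRUST=1

# tag_record TAG: read `docker trust inspect <repo>` JSON on stdin and
# print the SignedTags entry for TAG on one line. Whitespace is stripped
# first so grep can match across the pretty-printed layout. Key order
# (SignedTag, Digest, Signers) is the order the docker CLI emits; anything
# else simply does not match, so the gate fails closed.
tag_record() {
    tr -d ' \n\t' | grep -o "{\"SignedTag\":\"$1\",\"Digest\":\"[^\"]*\",\"Signers\":\[[^]]*]}"
}

# tag_digest TAG: the sha256 digest the signature for TAG covers.
tag_digest() {
    tag_record "$1" | sed 's/.*"Digest":"\([^"]*\)".*/\1/'
}

# tag_signed_by TAG SIGNER: exit 0 only if SIGNER is listed for TAG.
tag_signed_by() {
    tag_record "$1" | grep -q "\"Signers\":\[[^]]*\"$2\"[^]]*]"
}

# require_signed REPO TAG SIGNER: query the registry's trust data and
# print the digest to pull, or fail with a message. Also fails when the
# inspect itself fails (no Notary server, unsigned repository, network).
require_signed() {
    inspect=$(docker trust inspect "$1") || return 1
    if ! printf '%s' "$inspect" | tag_signed_by "$2" "$3"; then
        echo "refusing $1:$2: no signature from $3" >&2
        return 1
    fi
    printf '%s' "$inspect" | tag_digest "$2"
}

# Constructed sample in the shape of `docker trust inspect myrepo/myimage`
# output; digests and the key ID are made up.
SAMPLE_INSPECT='[
    {
        "Name": "docker.io/myrepo/myimage",
        "SignedTags": [
            {
                "SignedTag": "latest",
                "Digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
                "Signers": [
                    "alice"
                ]
            },
            {
                "SignedTag": "v1.2",
                "Digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
                "Signers": [
                    "alice",
                    "bob"
                ]
            }
        ],
        "Signers": [
            {
                "Name": "alice",
                "Keys": [
                    {
                        "ID": "aaaa"
                    }
                ]
            }
        ]
    }
]'

# Offline demonstration on the sample: alice must be accepted for latest,
# an unknown signer must be rejected. Returns 0 when both checks behave.
demo() {
    printf '%s' "$SAMPLE_INSPECT" | tag_signed_by latest alice || return 1
    printf '%s' "$SAMPLE_INSPECT" | tag_signed_by latest mallory && return 1
    echo "latest is signed by alice, digest $(printf '%s' "$SAMPLE_INSPECT" | tag_digest latest)"
}

# Live use (needs docker and a reachable Notary server): sh dct-gate.sh pull
if [ "${1:-}" = "pull" ]; then
    digest=$(require_signed myrepo/myimage latest alice) || exit 1
    docker pull "myrepo/myimage@$digest"
fi
```

Run with the pull argument from an Unraid terminal or a User Scripts job before updating a container; without an argument it only defines the functions, so demo can be called to exercise the parser offline. Pulling by the returned digest skips the client's own trust check, which is acceptable here because the script has just verified that exact digest against the expected signer, and a digest reference cannot be swapped for a different image the way a tag can.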

With these pieces in place, docker commands run from an Unraid terminal or script use only signed tags. Pulls made by the Unraid web UI are outside DCT's reach, so treat those as unverified unless you have checked the tag with docker trust inspect yourself.