Docker Content Trust
Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
Signing images in Azure Pipelines
Prerequisites on development machine
- Use Docker trust's built-in generator, or generate the delegation key pair manually. If the built-in generator is used, the delegation private key is imported into the local Docker trust store automatically; otherwise, the private key must be imported into the local Docker trust store manually.
- Using the public key generated in the step above, upload it as the first key of a delegation and initiate the repository's trust metadata.
Set up pipeline for signing images
Fetch the delegation private key, which is present in the local Docker trust store of the development machine used earlier, and add it as a secure file in Pipelines.
Authorize this secure file for use in all pipelines
Create a pipeline based on the following YAML snippet:

pool:
  vmImage: 'Ubuntu 16.04'

variables:
  system.debug: true
  containerRegistryServiceConnection: serviceConnectionName
  imageRepository: foobar/content-trust
  tag: test

steps:
  - task: Docker@2
    inputs:
      command: login
      containerRegistry: $(containerRegistryServiceConnection)

  - task: DownloadSecureFile@1
    name: privateKey
    inputs:
      secureFile: cc8f3c6f998bee63fefaaabc5a2202eab06867b83f491813326481f56a95466f.key

  - script: |
      mkdir -p $(DOCKER_CONFIG)/trust/private
      cp $(privateKey.secureFilePath) $(DOCKER_CONFIG)/trust/private

  - task: Docker@2
    inputs:
      command: build
      Dockerfile: '**/Dockerfile'
      containerRegistry: $(containerRegistryServiceConnection)
      repository: $(imageRepository)
      tags: |
        $(tag)
      arguments: '--disable-content-trust=false'

  - task: Docker@2
    inputs:
      command: push
      containerRegistry: $(containerRegistryServiceConnection)
      repository: $(imageRepository)
      tags: |
        $(tag)
      arguments: '--disable-content-trust=false'
    env:
      DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: $(DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE)
In the above snippet, the variable DOCKER_CONFIG is set by the login action of the Docker task. It is recommended to set up DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE as a secret variable for the pipeline, because the alternative approach of declaring it as a plain pipeline variable in YAML would expose the passphrase in plaintext form.
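The development-machine prerequisites and the pre-upload checks described above, as an added shell example that is not part of the Azure Pipelines documentation. The signer name `ci-signer` and the repository `registry.example.com/foobar/content-trust` are placeholders, and the key-file naming and PEM header checks rest on the assumption that `docker trust key generate` writes a passphrase-encrypted key named `<64 hex chars>.key` into the local trust store.

```shell
#!/bin/sh
# Added example, not from the Azure Pipelines docs: the developer-machine
# prerequisites (generate a delegation key, add it as a signer) and the
# checks worth running before the private key becomes a pipeline secure file.
# SIGNER and REPO are placeholder values; DOCKER_CONFIG defaults to ~/.docker.

SIGNER="${SIGNER:-ci-signer}"
REPO="${REPO:-registry.example.com/foobar/content-trust}"
TRUST_DIR="${DOCKER_CONFIG:-$HOME/.docker}/trust/private"

# Prerequisite 1: generate the delegation key pair. The passphrase-encrypted
# private key lands in $TRUST_DIR/<keyid>.key, the public key in ./$SIGNER.pub.
generate_delegation_key() {
    docker trust key generate "$SIGNER"
}

# Prerequisite 2: upload the public key as a delegation; this also initiates
# the repository's trust metadata on first use.
add_delegation() {
    docker trust signer add --key "$SIGNER.pub" "$SIGNER" "$REPO"
}

# Path of the most recently written private key: the file to upload as the
# pipeline secure file (the pipeline references it by its <keyid>.key name).
latest_private_key() {
    ls -t "$TRUST_DIR"/*.key 2>/dev/null | head -n 1
}

# A Docker trust private key file is named <64 hex chars>.key; reject anything
# else so a stray PEM or renamed key is not uploaded by mistake.
is_trust_key_name() {
    basename "$1" | grep -Eq '^[0-9a-f]{64}\.key$'
}

# The pipeline supplies the passphrase via DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE,
# so only an encrypted PEM key makes sense as the secure file.
is_encrypted_key() {
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Fail fast if the passphrase secret is missing instead of letting the
# signed push stall on an interactive prompt.
require_passphrase() {
    [ -n "${DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE:-}" ]
}
# After the pipeline pushes, confirm the tag is signed by the delegation.
verify_signature() {
    docker trust inspect --pretty "$REPO:${1:-test}"
}
```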