Skip to main content

Working with Docker Content Trust

Hands-On Lab


Photo of Will Boyd

Will Boyd

DevOps Team Lead in Content





Software signing is an important aspect of security. It is imperative to verify that any software you run on your system has not been tampered with, and Docker images are no exception. Docker Content Trust enables you to sign and verify images before downloading or running them on your system. In this lab, you will have the opportunity to work with Docker Content Trust (DCT) by signing a previously unsigned image and running it on a system that has DCT enabled.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Working with Docker Content Trust


In this lab, we will work with Docker Content Trust (DCT) by signing a previously unsigned image and running it on a system that has DCT enabled.


Log in to the lab server using the credentials provided on the hands-on lab page:

ssh cloud_user@PUBLIC_IP_ADDRESS

Generate a Trust Key and Add Yourself as a Signer to the New Repository

  1. Generate a trust key:

    docker trust key generate docker
  2. Create a new passphrase for your key when prompted. Note the passphrase for new docker key, since we will use it later on in this lab.

  3. Add yourself as a signer to the ip-10-0-1-102:443/content-dca-tea repository:

    docker trust signer add --key docker ip-10-0-1-102:443/content-dca-tea
  4. Create passphrases for the new root key and new repository key when prompted.

Create a New Tag for the Image, Sign It, and Push It to the Registry

  1. Create a new tag for the image:

    docker tag linuxacademycontent/content-dca-tea:1 ip-10-0-1-102:443/content-dca-tea:1
  2. Sign the image and push it to the registry:

    docker trust sign ip-10-0-1-102:443/content-dca-tea:1
  3. Enter your passphrase when prompted. This is the passphrase we created earlier by establishing your trust key using the docker trust key generate docker command.

  4. Verify that you can run the signed image:

    docker run -d -p 8080:80 ip-10-0-1-102:443/content-dca-tea:1

    If you want to test the image further, you can query the tea list web service:

    curl localhost:8080

    You should see generated JSON data that contains a list of the various kinds of tea.


Congratulations — you've completed this hands-on lab!