Enabling Content Trust in Azure Container Registry
Docker Content Trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.
Using DCT, image publishers can sign their images and consumers, those that pull those images, can check whether those images have been signed.
DCT can also be used with Azure Container Registry (ACR). Let me walk you through it by showing how to push a simple hello-world image to ACR.
What will you need?
Docker installed locally
Azure CLI installed locally (although everything can also be done in the Azure Portal)
Getting Azure Container Registry ready
Let's start by creating an Azure Resource Group under which we will create our registry.
Now we should have our resource group ready (resourcegroupdavid in my case). With the resource group ready, we can continue and create the container registry itself.
To enable Content Trust in Azure Container Registry you need the Premium SKU tier, which is why we added --sku Premium to the command. With this, we should have a resource group resourcegroupdavid and a registry registrydavid. However, Content Trust is disabled by default. We can enable it using the following command
To push signed images into our registry, we will create a service account with the AcrImageSigner and AcrPush roles. You can either create the user in the Access control (IAM) section of the registry or call the following command
The command will return a JSON which contains the username (appId) and password, which we will use to assign roles and later to log in.
Now we have a service account DavidServiceAccount created and we can add the required roles to that account.
The last step is signing in with the service account (this will also sign us in with docker). The following command will also store your Azure Active Directory token in the docker.config file, so all further docker commands will be done under the service account.
Creating simple hello-world image
Our image, which we will push into our new registry, will be based on Docker's hello-world image. So let's pull the image.
Before we can push the image, we must tag it with the fully qualified name of our registry.
Now we can push the image into our registry.
This should push a hello-world image tagged unsigned into our registry. How do we sign the image tag, though?
Enabling Docker Content Trust
Docker Content Trust as a whole can be enabled by setting the DOCKER_CONTENT_TRUST environment variable.
Now that we have enabled DCT, our client will start verifying signatures. That means that if we try to pull an image which is not signed, we should get an error.
The client will also start signing image tags that we try to push into registries. Let's create a new tag that we will sign.
Now that we have a new image with the tag signed, we can push it.
Once you push the image with the signed tag, you will be prompted for two passphrases (if you have never signed before). After entering those passphrases, your signed image tag will be successfully pushed. Now when you try to pull the image, you should get no error.
If you want to know how Content Trust works in detail, you can go through the Docker Content Trust documentation.