Docker image signing: Setup for third party signer
Description of generating keys and configuring signing of docker images.
How to get signing initialized on your repository
As an application vendor or third-party signer you have to send the public part of your signing key and the Harbor repository URL to FUT-S so that signing can be configured for the repository (see the Contact Information page of the eHealth Infrastructure Wiki for contact details).
If you do not already have a signing key-pair, generate one either with the ‘docker trust’ CLI or with openssl (both are described below).
Note: For every repository you create, you have to tell the eHealth Platform that you want it initialized with your signing key; signing is configured per repository, not per vendor.
Using ‘docker trust’ cli
docker trust key generate [YOUR_KEY_NAME]
This generates a new key-pair. The private key is stored, passphrase-protected, under ~/.docker/trust/private, and the public key is written to the current directory as YOUR_KEY_NAME.pub. The .pub file is the key you send; the private key never leaves your machine.
To export your private key (it stays with you and is not sent to FUT-S):
## Alias so that notary uses the same trust store as docker (~/.docker/trust)
alias notary="notary -d ~/.docker/trust"
## List private keys; the ID column is the KEY_ID used below
notary key list
## Export one private key to a PEM file
notary key export --key [KEY_ID] -o exported_key.pem
## Base64-encode the exported private key (one-line form); treat the output as a secret
base64 exported_key.pem
Using openssl
See the Docker docs on manually generating delegation keys: https://docs.docker.com/engine/security/trust/trust_delegation/#manually-generating-keys
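The openssl path from the linked Docker docs, as an added example that is not part of this page: an RSA 2048 private key and a self-signed certificate (valid 365 days, as in the docs), plus a check that the certificate really carries the private key's public key before the .pub file is sent. The signer name "vendor1", the directory and the file names are placeholders of this example. Note that this .pub is a certificate, whereas 'docker trust key generate' writes a plain PEM public key; the Docker docs state that a signer key may be either.

```bash
#!/usr/bin/env bash
# Added example, not the page's own: generate a Docker Content Trust signer key-pair
# with openssl the way the Docker docs describe (RSA 2048, self-signed certificate).
# Assumptions: signer name, directory and file names below are placeholders.
set -eu

# generate_signer_keys DIR NAME
#   writes DIR/NAME.key (private key, keep it) and DIR/NAME.pub (self-signed cert, send it)
generate_signer_keys() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  # RSA 2048 as in the Docker docs; make the private key readable by the owner only
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  chmod 600 "$dir/$name.key"
  # CSR with just a CN, then a self-signed certificate valid for one year (docs use 365 days)
  openssl req -new -sha256 -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -signkey "$dir/$name.key" -out "$dir/$name.pub" 2>/dev/null
  rm -f "$dir/$name.csr"
}

# verify_keypair KEYFILE CERTFILE
#   fails unless CERTFILE carries the public key of KEYFILE; on success prints the SHA-256
#   of the DER-encoded public key, which you can quote to FUT-S to confirm which key was sent
verify_keypair() {
  local key="$1" cert="$2" from_key from_cert
  [ -r "$key" ] && [ -r "$cert" ] || { echo "missing $key or $cert" >&2; return 1; }
  from_key=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
             | openssl dgst -sha256 | awk '{print $NF}')
  from_cert=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
              | openssl pkey -pubin -outform DER 2>/dev/null \
              | openssl dgst -sha256 | awk '{print $NF}')
  if [ "$from_key" != "$from_cert" ]; then
    echo "certificate $cert does not match private key $key" >&2
    return 1
  fi
  echo "$from_cert"
}

# By hand: ./this.sh generate ./keys vendor1   (placeholders of this example)
if [ "${1:-}" = "generate" ]; then
  generate_signer_keys "$2" "$3"
  verify_keypair "$2/$3.key" "$2/$3.pub"
fi
```

Send only the .pub file; the .key is what you later load into docker's trust store on the machine that pushes.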
How to sign your docker images
Make sure the current terminal is set up to use Docker Content Trust and points at the eHealth notary server; both variables must be set in the shell from which you run ‘docker push’:
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://registry.admin.ehealth.sundhed.dk:4443
To sign images with your private key, first load the private key into docker's local trust store (it is kept there passphrase-protected, under ~/.docker/trust); this is done once per machine.
From then on every ‘docker push’ made in a shell with the variables above set is signed. If DOCKER_CONTENT_TRUST is not 1 the push still succeeds, but the image is uploaded unsigned; with it set to 1, ‘docker pull’ and ‘docker build’ in that shell also refuse images that are not signed.
Example:
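An added example of the push procedure, not the page's own: it loads the signer's private key, checks that the shell is really set up to sign (the usual reason an image ends up unsigned), pushes, and shows what the notary server recorded. The notary URL is the one this page gives; the key path, signer name and image name are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the page's own: load a signer's private key and push a signed image
# with Docker Content Trust. Assumptions: key path, signer name and image name are
# placeholders; NOTARY_SERVER is the URL given on this page.
set -eu

NOTARY_SERVER="https://registry.admin.ehealth.sundhed.dk:4443"

# check_trust_env
#   succeeds only if this shell will sign on push. With DOCKER_CONTENT_TRUST unset or 0,
#   'docker push' still succeeds but uploads an unsigned image, which is easy to miss.
check_trust_env() {
  local rc=0
  if [ "${DOCKER_CONTENT_TRUST:-}" != "1" ]; then
    echo "DOCKER_CONTENT_TRUST is not 1: the push would be unsigned" >&2
    rc=1
  fi
  case "${DOCKER_CONTENT_TRUST_SERVER:-}" in
    "$NOTARY_SERVER") ;;
    https://*) echo "warning: DOCKER_CONTENT_TRUST_SERVER is not $NOTARY_SERVER" >&2 ;;
    *) echo "DOCKER_CONTENT_TRUST_SERVER must be the https URL of the notary server" >&2; rc=1 ;;
  esac
  return $rc
}

# is_private_key FILE
#   true for a PEM private key (what 'docker trust key load' expects); false for the .pub,
#   which is the file that goes to FUT-S, not into your trust store
is_private_key() {
  grep -qE '^-----BEGIN (EC |RSA |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# load_signing_key KEYFILE NAME
#   imports KEYFILE into ~/.docker/trust under NAME (prompts for a passphrase); once per machine
load_signing_key() {
  is_private_key "$1" || { echo "$1 is not a PEM private key" >&2; return 1; }
  docker trust key load "$1" --name "$2"
}

# push_signed IMAGE
#   pushes IMAGE with trust checked first, then prints the signers and signed digest
push_signed() {
  check_trust_env
  docker push "$1"
  docker trust inspect --pretty "$1"
}

# By hand (needs docker and access to the registry and notary server); names are placeholders:
#   export DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER="$NOTARY_SERVER"
#   load_signing_key ./vendor1.key vendor1
#   push_signed registry.example.dk/vendor1/app:1.0.0
```

The final ‘docker trust inspect --pretty’ is the check worth keeping: it lists the signer name and the digest that was signed, so an unsigned push or a push made with the wrong key is visible immediately.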