Docker Content Trust is a security feature for Docker containers. Content Trust, which uses cryptographic keys to ensure container images and their publisher are not compromised, became available with the release of Docker Engine 1.8 in August 2015.
To verify Docker images and their publisher, Docker Content Trust uses pairs of private and public cryptographic keys, a method of protecting stored and transmitted data so that only authorized parties can access it. With Content Trust, Docker images (the container files that hold application components and content) are signed with their creator's, or publisher's, private key before that image is sent to the Docker repository.
When another IT team member goes to use that image, Content Trust uses its publisher's public key to verify that the image is the latest version and hasn't been compromised. As software developers update or change an image, the cryptographic signature continues to ensure that the content is original and from a trusted source.
Docker Content Trust uses up to four different kinds of keys to secure content:
Target and Snapshot Keys: These two keys combined are known as the "repository key," which is made for each new repository the publisher owns and can be shared with any user who needs to be able to digitally sign off on content.
Offline Key: This key serves as the root of trust for the repository and the same key can be used for multiple repositories. This key should be kept offline to protect from threats.
Timestamp Key: This key is used when content is added to or removed from the repository and is meant to prevent replay attacks, in which users are served signed but expired content and run it as if it were current.
Docker Content Trust is based on the open source tool Notary, along with The Update Framework (TUF), a design framework for securing software update systems.
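The following script is an added illustration of the verification chain described above; it is not code from Docker or Notary. It models the TUF roles that Content Trust inherits (an offline root key vouching for targets, snapshot and timestamp keys) and the checks a client performs before trusting an image digest: trusted root, valid signature on each role, no expired metadata, and hashes that chain from timestamp to snapshot to targets. One assumption is labelled in the code: Notary uses asymmetric keys, whereas this model uses HMAC-SHA256 with a per-role secret so it runs with only the Python standard library. The image name, digest and dates are constructed sample values.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone


def new_key() -> bytes:
    # ASSUMPTION: a random HMAC secret stands in for a role's asymmetric signing key.
    return os.urandom(32)


def _canonical(signed: dict) -> bytes:
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, signed: dict) -> dict:
    """Wrap a payload with its signature, in the shape of a TUF metadata file."""
    return {"signed": signed, "sig": hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()}


def signed_ok(key: bytes, meta: dict) -> bool:
    expected = hmac.new(key, _canonical(meta["signed"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, meta["sig"])


def meta_hash(meta: dict) -> str:
    """Hash of a whole metadata file, used to chain timestamp -> snapshot -> targets."""
    return hashlib.sha256(json.dumps(meta, sort_keys=True).encode()).hexdigest()


def publish(root_key: bytes, keys: dict, images: dict, now: datetime) -> dict:
    """Publisher side: sign the repository metadata with each role's key."""
    exp = lambda days: (now + timedelta(days=days)).isoformat()
    # The offline root key vouches for the online role keys (here the HMAC secrets, hex-encoded).
    root = sign(root_key, {"roles": {r: k.hex() for r, k in keys.items()}, "expires": exp(365)})
    targets = sign(keys["targets"], {"targets": images, "expires": exp(90)})
    snapshot = sign(keys["snapshot"], {"targets_hash": meta_hash(targets), "expires": exp(90)})
    # The timestamp role expires quickly; that short window is what defeats replay of stale metadata.
    timestamp = sign(keys["timestamp"], {"snapshot_hash": meta_hash(snapshot), "expires": exp(14)})
    return {"root": root, "targets": targets, "snapshot": snapshot, "timestamp": timestamp}


def verify_pull(root_key: bytes, repo: dict, ref: str, now: datetime) -> str:
    """Client side: return the trusted digest for `ref`, or raise ValueError naming the failed check."""
    root = repo["root"]
    if not signed_ok(root_key, root):
        raise ValueError("root metadata not signed by the pinned root key")
    role_keys = {r: bytes.fromhex(h) for r, h in root["signed"]["roles"].items()}

    def check(role: str, meta: dict) -> dict:
        if not signed_ok(role_keys[role], meta):
            raise ValueError(f"{role} metadata has a bad signature")
        if datetime.fromisoformat(meta["signed"]["expires"]) <= now:
            raise ValueError(f"{role} metadata has expired (possible replay)")
        return meta["signed"]

    ts = check("timestamp", repo["timestamp"])
    if ts["snapshot_hash"] != meta_hash(repo["snapshot"]):
        raise ValueError("snapshot does not match timestamp")
    snap = check("snapshot", repo["snapshot"])
    if snap["targets_hash"] != meta_hash(repo["targets"]):
        raise ValueError("targets does not match snapshot")
    targets = check("targets", repo["targets"])
    if ref not in targets["targets"]:
        raise ValueError(f"{ref} is not signed in this repository")
    return targets["targets"][ref]


def demo() -> dict:
    """Publish one constructed image, then try a fresh pull, a tampered digest and a replay."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    root_key = new_key()
    keys = {r: new_key() for r in ("targets", "snapshot", "timestamp")}
    digest = "sha256:" + hashlib.sha256(b"constructed image manifest").hexdigest()
    repo = publish(root_key, keys, {"example/app:1.0": digest}, now)
    results = {"fresh": verify_pull(root_key, repo, "example/app:1.0", now) == digest}
    # A registry that swaps the digest breaks the hash chain and the targets signature.
    tampered = json.loads(json.dumps(repo))
    tampered["targets"]["signed"]["targets"]["example/app:1.0"] = "sha256:" + "0" * 64
    try:
        verify_pull(root_key, tampered, "example/app:1.0", now)
        results["tamper"] = "accepted"
    except ValueError as err:
        results["tamper"] = str(err)
    # Replay: the same genuinely signed metadata served a month later is rejected as stale.
    try:
        verify_pull(root_key, repo, "example/app:1.0", now + timedelta(days=30))
        results["replay"] = "accepted"
    except ValueError as err:
        results["replay"] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The ordering of the checks matters: the client reads the short-lived timestamp metadata first, so an old but validly signed snapshot cannot be replayed once the timestamp window has passed, and a modified digest is caught before the targets signature is even examined because its hash no longer matches the snapshot.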
Content Trust is one of several container features from Docker, whose headquarters are in San Francisco, Calif. Content Trust is used primarily by developers and IT system administrators.