Manual, one-time setup:
Need to generate a root signing key and a repo signing key per repo.
These need to be stored someplace safe, because recovery is a nightmare if they are lost.
Need to generate a "delegate" signing key for the brigadecoreci Docker Hub user.
Need to authorize the delegate key as a signer for each repo:
docker trust signer add --key <path to brigadecoreci delegate's public key> brigadecoreci brigadecore/<repo>
Automation:
Need to set the following on the jobs:
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: This is exactly what it sounds like. This special env var is documented here.
MUST stash the private key at ~/.docker/trust/private/<hash of key>.key
Can accomplish this by setting DCT_KEY to the key and DCT_HASH to the hash, then (quoted, so the PEM's line breaks survive): echo "$DCT_KEY" > ~/.docker/trust/$DCT_HASH.key
docker trust key load ~/.docker/trust/$DCT_HASH.key (Not positive this step is required as long as the file is already at the right place -- i.e. ~/.docker/trust/$DCT_HASH.key)
export DOCKER_CONTENT_TRUST=1
Notes:
This will require some experimentation first.
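As an added example (not from this issue or the brigade project), a shell helper that carries out the automation steps above on a CI job: it stages the delegate key from DCT_KEY/DCT_HASH with owner-only permissions, refuses to run with a missing or non-hex key id, imports the key with docker trust key load, and pushes with DOCKER_CONTENT_TRUST=1. TRUST_DIR and the function names are assumptions introduced here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original issue. Stages the brigadecoreci
# delegate key for Docker Content Trust and pushes a signed image.
# Assumes the env vars proposed in the issue: DCT_KEY (PEM private key),
# DCT_HASH (key id used for the file name) and
# DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE. TRUST_DIR is an assumption.
set -euo pipefail

TRUST_DIR="${TRUST_DIR:-$HOME/.docker/trust}"

# Path docker expects for a loaded private key: <trust dir>/private/<key id>.key
dct_key_path() {
    printf '%s/private/%s.key\n' "$TRUST_DIR" "$1"
}

# Write the key from the environment to disk with owner-only permissions.
# Fails loudly on a missing value or a key id that is not plain hex, so a
# misconfigured job cannot write outside the trust dir or push unsigned.
stage_dct_key() {
    local key="${1:-}" hash="${2:-}"
    if [ -z "$key" ] || [ -z "$hash" ]; then
        echo "stage_dct_key: DCT_KEY and DCT_HASH must both be set" >&2
        return 1
    fi
    case "$hash" in
        *[!0-9a-fA-F]*) echo "stage_dct_key: DCT_HASH is not a hex key id" >&2; return 1 ;;
    esac
    local path
    path="$(dct_key_path "$hash")"
    mkdir -p "$(dirname "$path")"
    chmod 700 "$TRUST_DIR" "$(dirname "$path")"
    (umask 077; printf '%s\n' "$key" > "$path")   # file is created 0600
    printf '%s\n' "$path"
}

# Import the staged key and push with content trust enforced. The key
# material itself is never printed; only its path reaches stdout.
dct_sign_and_push() {
    local image="$1" path
    path="$(stage_dct_key "${DCT_KEY:-}" "${DCT_HASH:-}")"
    docker trust key load "$path"
    export DOCKER_CONTENT_TRUST=1
    docker push "$image"
}

# Usage from a job step (uncomment in CI):
# dct_sign_and_push brigadecore/<repo>:<tag>
```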