
Ensuring the integrity of the image supply chain

Providing content trust for the image supply chain is one of the most important, but often neglected, topics in managing Docker images. In any distributed system that communicates and transfers data over an untrusted medium (such as the internet), it is crucial to provide a means of content trust, that is, a way of verifying both the source (publisher) and the integrity of data entering the system. For Docker, this is especially true for pushing and pulling images (data), which is performed by Docker Engine.

The Docker ecosystem describes the concept of Docker Content Trust (DCT), which provides a means of verifying the digital signatures of data being transferred between the Docker Engine and the Docker Registry. This verification allows the publishers to sign their images and the consumer (Docker Engine) to verify the signatures to ensure the integrity and source of the images.

In the Docker CLI, it is possible to sign an image using the docker trust command, which is built on top of Docker Notary, a tool used for publishing and managing trusted collections of content. Signing images requires a Docker Registry with an associated Notary server, for example, Docker Hub.
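On the consumer side, a deployment step can turn the trust data into a policy decision. The following is an added example, not code from the book or from Docker: it reads the JSON printed by docker trust inspect for a repository (inspected without a tag), requires specific signers for a tag, and returns a digest-pinned reference. The function name, repository name, signer names and sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample of `docker trust inspect <repo>` JSON output (not real data).
SAMPLE_INSPECT = json.dumps([{
    "Name": "registry.example.com/team/app",
    "SignedTags": [
        {"SignedTag": "1.0", "Digest": "a" * 64, "Signers": ["alice", "ci-bot"]},
        {"SignedTag": "1.1", "Digest": "b" * 64, "Signers": ["bob"]},
    ],
    "Signers": [{"Name": "alice", "Keys": [{"ID": "1" * 64}]},
                {"Name": "ci-bot", "Keys": [{"ID": "2" * 64}]}],
    "AdministrativeKeys": [{"Name": "Root", "Keys": [{"ID": "3" * 64}]},
                           {"Name": "Repository", "Keys": [{"ID": "4" * 64}]}],
}])


class TrustError(Exception):
    """Raised when a tag does not meet the signing policy."""


def pinned_reference(inspect_json, tag, required_signers):
    """Hypothetical helper: return repo@sha256:<digest> for `tag`
    only if every signer in `required_signers` has signed it."""
    records = json.loads(inspect_json)
    if len(records) != 1:
        raise TrustError("expected trust data for exactly one repository")
    repo = records[0]
    matches = [t for t in repo.get("SignedTags", []) if t.get("SignedTag") == tag]
    if len(matches) != 1:
        raise TrustError(f"tag {tag!r} has no signed trust data")
    entry = matches[0]
    digest = entry.get("Digest", "")
    # Trust data carries a bare hex SHA-256 digest; reject anything else.
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise TrustError("malformed digest in trust data")
    missing = set(required_signers) - set(entry.get("Signers", []))
    if missing:
        raise TrustError(f"tag {tag!r} lacks signatures from: {sorted(missing)}")
    # Pinning by digest means later changes to the tag cannot alter what is pulled.
    return f"{repo['Name']}@sha256:{digest}"


if __name__ == "__main__":
    print(pinned_reference(SAMPLE_INSPECT, "1.0", {"ci-bot"}))
```

Setting the environment variable DOCKER_CONTENT_TRUST=1 additionally makes the Docker CLI itself refuse to pull tags that have no valid trust data.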

To learn more about content trust for a private Azure Container Registry, please refer to https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust.