Virtualization Technology News and Information
Docker Content Trust Secures Distribution of Containerized Applications

Docker, the open platform for distributed applications, today announced the availability of Docker Content Trust, a new capability that uses digital signatures to ensure the integrity of Dockerized content. Available as part of Docker platform release 1.8, this feature allows Docker users to operate exclusively on signed content when building or deploying Dockerized applications. Based on Notary and the The Update Framework (TUF), a secure general design for the problem of software distribution and updates, Docker Content Trust delivers the highest level of security without compromising usability.

“As organizations evolve from a monolithic software architecture to distributed applications, the secure distribution of software becomes increasingly difficult to solve,” said Diogo Mónica, Security Lead for Docker. “Without a standard method for validating the integrity of content, Docker has the unique opportunity to leapfrog the status quo and build a system that meets the strongest standard for software distribution. With Docker Content Trust, users have a solution that works across any infrastructure, offering security guarantees that were not previously available to them.”

Docker Content Trust is implemented to work within a user’s existing workflow without requiring users to learn a new set of commands or to be trained on a deep set of security principles. When enabled, Docker Content Trust ensures that all operations using a remote registry enforce the signing and verification of images. In particular, Docker’s central commands `push`, `pull`, `build`, `create` and `run` will only operate on images that either have content signatures or explicit content hashes. The result is that IT operations teams have the assurance that only signed content is being used in their production infrastructure. Leveraging this implementation of content trust, Docker will be signing the Docker Hub Official Repos, providing users with a trusted set of base images they can use to build distributed applications.

The Power of Leveraging The Update Framework (TUF), the Strongest Security Standard for Content Trust

The Update Framework (TUF) is a standard for software delivery that provides the strongest guarantees for secure content distribution. At the heart of this model are a set of different cryptographic keys that are used for signing and verification of content. TUF was built to allow the resistance against a variety of different classes of attacks. By leveraging TUF, Docker Content Trust inherits a flexible way to provide high levels of security when building and distributing Docker images.

Docker Content Trust has two distinct keys, an Offline (root) key and a Tagging (per-repository) key that are generated and stored client-side the first time a publisher pushes an image. Each repository has its own unique tagging key, which allows the holder to digitally sign Docker images for a particular repository. The tagging key is used any time new content is added or removed from the repository. Because the tagging key is online, it is vulnerable to being compromised. With Docker Content Trust, the publisher will be able to securely rotate compromised keys by using the offline key, which should be securely stored offline.

Docker Content Trust also generates a Timestamp key that provides protection against replay attacks, which would allow a malicious actor to serve signed but expired content. Docker manages the Timestamp key for you, reducing the hassle of having to constantly refresh the content client-side.

Built on Notary to Ensure Interoperability with Any Registry

Docker Content Trust is enabled through an integration of Notary into Docker Engine. Designed to be platform agnostic, Notary is an open source project developed by Docker to serve as “infrastructure plumbing” for secure and trusted content distribution. An enterprise with its own private registry or third-party solutions can integrate with Notary to have its repositories integrate with Docker Content Trust.


Docker Content Trust is available immediately as part of Docker Platform 1.8. For more information on how to use Docker Content Trust.

Published Wednesday, August 12, 2015 8:50 AM by David Marshall
Filed under:
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<August 2015>