Key Management
Content trust is directly associated with an image tag, and each repository has a set of keys that publishers use to sign each image.
A repository can have both unsigned and signed images. They live as separate entities, so the same tag (e.g. latest) can point to different contents depending on whether Docker Content Trust is enabled or not on the client.
Image trust builds on four keys:
- A root key (offline), which is the root anchor of content trust for an image. This is the key that gets stored on the Yubikey and is only brought online for a limited number of operations.
- A targets key (online), which signs the actual files downloaded; it is stored on the client and encrypted at rest.
- A snapshot key (online), which signs the metadata file containing information about all the other metadata available in the collection.
- A timestamp key (online), which ensures content freshness by periodically signing a timestamped statement.
The snapshot and timestamp keys can be managed by the Notary service for convenience.
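To show how the four roles chain together on the client side, the following is an added example (not Docker or Notary code): a trusting client walks timestamp -> snapshot -> targets, each pinned by hash to the previous step, and refuses stale or tampered metadata. The role keys are constructed HMAC stand-ins for the real asymmetric key pairs, so the block runs offline.

```python
import hashlib, hmac, json

# Constructed stand-in keys. Notary uses asymmetric key pairs per role; the HMAC
# keys here only model "this role signed this blob" so the example runs offline.
KEYS = {"root": b"root-offline-yubikey", "targets": b"targets-online",
        "snapshot": b"snapshot-online", "timestamp": b"timestamp-online"}

def keyid(role): return hashlib.sha256(KEYS[role]).hexdigest()
def sha(doc): return hashlib.sha256(json.dumps(doc, sort_keys=True).encode()).hexdigest()

def mac(role, payload):
    # Stand-in signature: HMAC over the canonical JSON hash of the payload.
    return hmac.new(KEYS[role], sha(payload).encode(), hashlib.sha256).hexdigest()

def sign(role, payload):
    return {"signed": payload, "sig": mac(role, payload), "keyid": keyid(role)}

def verify(role, doc, roles):
    # Reject unless root delegated this key id to the role and the signature checks out.
    if doc["keyid"] not in roles[role]:
        raise ValueError(f"{role}: key not delegated by root")
    if not hmac.compare_digest(doc["sig"], mac(role, doc["signed"])):
        raise ValueError(f"{role}: bad signature")
    return doc["signed"]

def publish(tag_digests, now, ttl=3600):
    # Publisher side: offline root anchors the roles; online keys sign targets,
    # the snapshot of all metadata, and a short-lived freshness statement.
    root = sign("root", {"roles": {r: [keyid(r)] for r in KEYS}})
    targets = sign("targets", {"targets": tag_digests})
    snapshot = sign("snapshot", {"meta": {"targets": sha(targets)}})
    timestamp = sign("timestamp", {"meta": {"snapshot": sha(snapshot)}, "expires": now + ttl})
    return {"root": root, "targets": targets, "snapshot": snapshot, "timestamp": timestamp}

def resolve_trusted(tag, collection, now):
    # Client side with Content Trust on: only a digest reachable through the
    # full, fresh, root-anchored chain is returned for the tag.
    root = collection["root"]  # root is self-signed and pinned out of band
    roles = verify("root", root, root["signed"]["roles"])["roles"]
    ts = verify("timestamp", collection["timestamp"], roles)
    if ts["expires"] < now:
        raise ValueError("timestamp expired: metadata is stale (freeze/replay)")
    if sha(collection["snapshot"]) != ts["meta"]["snapshot"]:
        raise ValueError("snapshot does not match timestamp")
    snap = verify("snapshot", collection["snapshot"], roles)
    if sha(collection["targets"]) != snap["meta"]["targets"]:
        raise ValueError("targets does not match snapshot")
    targets = verify("targets", collection["targets"], roles)["targets"]
    if tag not in targets:
        raise ValueError(f"tag {tag!r} has no signed target")
    return targets[tag]
```

With trust disabled a client would simply take whatever digest the registry returns for the tag; with trust enabled, a tag absent from the signed targets, an expired timestamp, or any edited metadata file all fail closed.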
