• Pushing the image

    Pushing the image

    Now that a root key is available, it’s time to initialize the repository on the first push.

    Consider this as your app:

    1. FROM alpine
    3. RUN true

    Make sure you have all trusted metadata using the official Notary server when building the image by temporarily redefining the content trust server:

    1.  DOCKER_CONTENT_TRUST_SERVER=https://notary.docker.io docker build -t <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app:1.0.0 .

    Then push it upstream, forcing Docker to initialize the signed repository:

    1.  docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app:1.0.0
    3. The push refers to a repository [<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app]
    4. 011b303988d2: Pushed
    5. 1.0.0: digest: sha256:475d897467451caf22f22ad9fd2856a5dd4a876b9eb2daab4d474185f4244e8d size: 2101
    6. Signing and pushing trust metadata
    7. Enter the User Pin for the attached Yubikey:
    8. Please touch the attached Yubikey to perform signing.
    9. Enter passphrase for new repository key with ID 9c738a6 (<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app):
    10. Repeat passphrase for new repository key with ID 9c738a6 (<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app):
    11. Enter the User Pin for the attached Yubikey:
    12. Please touch the attached Yubikey to perform signing.
    13. Finished initializing "<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app"
    14. Successfully signed "<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app":1.0.0

    The repository key passphrase should be generated and stored by a password manager. This will be a personal key, i.e., not intended to be shared. It will be stored, in its encrypted form, under ~/.docker/trust. The repository key is will be generated with the targets role.

    1.  notary -d ~/.docker/trust key list

    Now edit the file and generate a new build:

    1. FROM alpine
    3. RUN true
    4. RUN uname

    Build it:

    1.  docker build -t <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app:1.0.1 .

    And push it:

    1.  docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app:1.0.1
    3. The push refers to a repository [<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app]
    4. 011b303988d2: Layer already exists
    5. 1.0.1: digest: sha256:afc214501f950ca11246ceb62fb5c07dd5856f359d6122a620e2c60071a484bc size: 2531
    6. Signing and pushing trust metadata
    7. Enter passphrase for repository key with ID 9c738a6 (<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app):
    8. Successfully signed "<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app":1.0.1

    On the second push, only the passphrase of the repository key was required.

    That’s it. Signed builds using an offline root key (Yubikey) and one online repository key.