Docker CLI: common uses of docker trust inspect

Docker is an open-source application container engine that lets developers package an application together with its dependencies into a portable image and then run it on any machine with a mainstream Linux or Windows operating system; it can also be used for virtualization. Docker is kernel-level virtualization: it does not use a hypervisor and is not full virtualization, but relies on kernel features to isolate resources. This article describes common uses of the docker trust inspect command in the Docker CLI.

1. docker trust inspect overview

The docker trust inspect command inspects the trust information of a Docker image.

Running docker trust inspect returns the trust information for the specified image repository: the signatures and keys associated with that repository, and its trust status.

The command can be used to verify the authenticity and integrity of an image: because every signed tag is bound to a specific image digest, it provides a way to check whether an image is trusted and has not been tampered with.

Note: this command requires a Docker 19.03 or newer client, and appropriate permissions to access the trust data.

Reference: https://docs.docker.com/engine/reference/commandline/trust_inspect/

2. docker trust inspect syntax

docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...]

3. docker trust inspect command examples

1) Get low-level details about the signatures of a single image tag

Use docker trust inspect to get trust information about an image. The following example prints the trust information for the alpine:latest image:

docker trust inspect alpine:latest

The output is in JSON format, for example:

[
  {
    "Name": "alpine:latest",
    "SignedTags": [
      {
        "SignedTag": "latest",
        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
        "Signers": [
          "Repo Admin"
        ]
      }
    ],
    "Signers": [],
    "AdministrativeKeys": [
      {
        "Name": "Repository",
        "Keys": [
            {
                "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
            }
        ]
      },
      {
        "Name": "Root",
        "Keys": [
            {
                "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
            }
        ]
      }
    ]
  }
]

The SignedTags key lists each SignedTag name, its Digest, and the Signers responsible for the signature.

AdministrativeKeys lists the Repository and Root keys.

If signers have been set up for the repository with other docker trust commands, docker trust inspect also includes a Signers key:

docker trust inspect my-image:purple

The output is in JSON format, for example:

[
  {
    "Name": "my-image:purple",
    "SignedTags": [
      {
        "SignedTag": "purple",
        "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557",
        "Signers": [
          "alice",
          "bob",
          "carol"
        ]
      }
    ],
    "Signers": [
      {
        "Name": "alice",
        "Keys": [
            {
                "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3"
            },
            {
                "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8"
            }
        ]
      },
      {
        "Name": "bob",
        "Keys": [
            {
                "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba"
            }
        ]
      },
      {
        "Name": "carol",
        "Keys": [
            {
                "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9"
            },
            {
                "ID": "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606"
            }
        ]
      }
    ],
    "AdministrativeKeys": [
      {
        "Name": "Repository",
        "Keys": [
            {
                "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44"
            }
        ]
      },
      {
        "Name": "Root",
        "Keys": [
            {
                "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f"
            }
        ]
      }
    ]
  }
]

If an image tag is unsigned or unavailable, docker trust inspect does not display any signed tags:

docker trust inspect unsigned-img

no signatures or cannot access unsigned-img

However, if other tags in the same image repository are signed, docker trust inspect still reports the relevant key information:

docker trust inspect alpine:unsigned

The output is in JSON format, for example:

[
  {
    "Name": "alpine:unsigned",
    "Signers": [],
    "AdministrativeKeys": [
      {
        "Name": "Repository",
        "Keys": [
          {
            "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
          }
        ]
      },
      {
        "Name": "Root",
        "Keys": [
          {
            "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
          }
        ]
      }
    ]
  }
]
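The three outputs above are exactly what an admission check has to cope with: a tag with a SignedTags entry and named Signers, a tag without any SignedTags key, and the non-JSON message printed when the repository has no trust data at all. The following Python script is an added example (not code from the page or from Docker) that parses docker trust inspect output and enforces a simple policy: the tag must be signed, the signed Digest must equal the digest of the image about to be run, and at least a threshold of required signers must appear in Signers. The sample inputs are constructed to mirror the page's my-image:purple and alpine:unsigned examples; the policy values (signer names, threshold) are assumptions for illustration.

```python
import json
import sys

# Constructed sample input (not captured from a registry): the JSON that
# `docker trust inspect my-image:purple` prints for a repository with delegated
# signers, mirroring the page's example.
SAMPLE_SIGNED = json.dumps([{
    "Name": "my-image:purple",
    "SignedTags": [{
        "SignedTag": "purple",
        "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557",
        "Signers": ["alice", "bob", "carol"],
    }],
    "Signers": [
        {"Name": "alice", "Keys": [{"ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3"}]},
        {"Name": "bob",   "Keys": [{"ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba"}]},
        {"Name": "carol", "Keys": [{"ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9"}]},
    ],
    "AdministrativeKeys": [
        {"Name": "Repository", "Keys": [{"ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44"}]},
        {"Name": "Root", "Keys": [{"ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f"}]},
    ],
}])

# Constructed sample: an unsigned tag in a repository whose other tags are
# signed, as for `docker trust inspect alpine:unsigned` (no SignedTags key).
SAMPLE_UNSIGNED = json.dumps([{
    "Name": "alpine:unsigned",
    "Signers": [],
    "AdministrativeKeys": [
        {"Name": "Repository", "Keys": [{"ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"}]},
        {"Name": "Root", "Keys": [{"ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"}]},
    ],
}])

# What the command prints (not JSON) when the repository has no trust data at all.
SAMPLE_NO_TRUST = "no signatures or cannot access unsigned-img"


def normalize_digest(digest):
    """docker trust inspect prints bare hex, while `docker images --digests` and
    image manifests use a `sha256:` prefix; compare on the hex part only."""
    digest = digest.strip().lower()
    return digest[len("sha256:"):] if digest.startswith("sha256:") else digest


def signed_tag_entry(inspect_output, tag):
    """Return the SignedTags entry for `tag`, or None when the tag is unsigned or
    the output is not JSON (the command failed or the repository has no trust data)."""
    try:
        repos = json.loads(inspect_output)
    except ValueError:
        return None
    for repo in repos:
        for entry in repo.get("SignedTags", []):   # key is absent when nothing is signed
            if entry["SignedTag"] == tag:
                return entry
    return None


def check_trust(inspect_output, tag, expected_digest, required_signers, threshold=1):
    """Admission policy for one tag: it must be signed, the signed digest must be
    the digest we intend to run, and at least `threshold` of `required_signers`
    must be among its Signers. Returns (ok, reason)."""
    entry = signed_tag_entry(inspect_output, tag)
    if entry is None:
        return False, f"{tag!r}: no signature in trust data"
    if normalize_digest(entry["Digest"]) != normalize_digest(expected_digest):
        return False, f"{tag!r}: signed digest {entry['Digest'][:12]} != expected {normalize_digest(expected_digest)[:12]}"
    present = sorted(set(entry["Signers"]) & set(required_signers))
    if len(present) < threshold:
        return False, f"{tag!r}: {present} signed, need {threshold} of {sorted(required_signers)}"
    return True, f"{tag!r}: signed by {present}"


if __name__ == "__main__":
    # Real use: docker trust inspect my-image:purple | python3 check_trust.py purple <digest> alice bob
    if len(sys.argv) >= 4:
        ok, reason = check_trust(sys.stdin.read(), sys.argv[1], sys.argv[2], sys.argv[3:])
    else:   # offline demonstration on the constructed sample
        ok, reason = check_trust(SAMPLE_SIGNED, "purple",
                                 "sha256:941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557",
                                 ["alice", "bob"], threshold=2)
    print(reason)
    sys.exit(0 if ok else 1)
```

Two details matter in practice: the digest comparison strips the sha256: prefix because the JSON output prints bare hex while other Docker commands print the prefixed form, and a non-JSON response is treated as "not signed" rather than as an error to retry, so a registry outage or a missing trust collection can never be mistaken for a pass.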

2) Get signature details for all image tags in a repository

If no tag is specified, docker trust inspect reports the details of all signed tags in the repository:

docker trust inspect alpine

The output is in JSON format, for example:

[
  {
    "Name": "alpine",
    "SignedTags": [
      {
        "SignedTag": "3.5",
        "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "3.6",
        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "edge",
        "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "latest",
        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
        "Signers": [
          "Repo Admin"
        ]
      }
    ],
    "Signers": [],
    "AdministrativeKeys": [
      {
        "Name": "Repository",
        "Keys": [
          {
            "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
          }
        ]
      },
      {
        "Name": "Root",
        "Keys": [
          {
            "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
          }
        ]
      }
    ]
  }
]

3) Get signature details for multiple images

docker trust inspect accepts multiple repositories and images as arguments and reports the results as an ordered list:

docker trust inspect alpine notary

The output is in JSON format, for example:

[
  {
    "Name": "alpine",
    "SignedTags": [
      {
        "SignedTag": "3.5",
        "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "3.6",
        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "edge",
        "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "integ-test-base",
        "Digest": "3952dc48dcc4136ccdde37fbef7e250346538a55a0366e3fccc683336377e372",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "latest",
        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
        "Signers": [
          "Repo Admin"
        ]
      }
    ],
    "Signers": [],
    "AdministrativeKeys": [
      {
        "Name": "Repository",
        "Keys": [
          {
            "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
          }
        ]
      },
      {
        "Name": "Root",
        "Keys": [
          {
            "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
          }
        ]
      }
    ]
  },
  {
    "Name": "notary",
    "SignedTags": [
      {
        "SignedTag": "server",
        "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "signer",
        "Digest": "a6122d79b1e74f70b5dd933b18a6d1f99329a4728011079f06b245205f158fe8",
        "Signers": [
          "Repo Admin"
        ]
      }
    ],
    "Signers": [],
    "AdministrativeKeys": [
      {
        "Name": "Root",
        "Keys": [
          {
            "ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92"
          }
        ]
      },
      {
        "Name": "Repository",
        "Keys": [
          {
            "ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df"
          }
        ]
      }
    ]
  }
]
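The multi-repository output above shows two things worth checking mechanically: each repository carries its own Root and Repository keys, and the order of the AdministrativeKeys groups is not fixed (alpine lists Repository first, notary lists Root first). The following Python script is an added example (not code from the page or from Docker) that pins the Root key ID of every repository in docker trust inspect output against a locally recorded value, so that a silently re-initialised trust collection is caught before deployment, and flattens all signed tags into a repo:tag to digest allow-list, which also serves the previous section's "all tags in a repository" output. The sample output and the pin store are constructed; the key IDs mirror the page's example.

```python
import json

# Constructed sample (not captured from a registry): the ordered list that
# `docker trust inspect alpine notary` prints, trimmed to the fields this check
# reads. Note the AdministrativeKeys order differs between the two entries.
SAMPLE_MULTI = json.dumps([
    {
        "Name": "alpine",
        "SignedTags": [
            {"SignedTag": "latest",
             "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
             "Signers": ["Repo Admin"]},
        ],
        "Signers": [],
        "AdministrativeKeys": [
            {"Name": "Repository", "Keys": [{"ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"}]},
            {"Name": "Root", "Keys": [{"ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"}]},
        ],
    },
    {
        "Name": "notary",
        "SignedTags": [
            {"SignedTag": "server",
             "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c",
             "Signers": ["Repo Admin"]},
        ],
        "Signers": [],
        "AdministrativeKeys": [
            {"Name": "Root", "Keys": [{"ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92"}]},
            {"Name": "Repository", "Keys": [{"ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df"}]},
        ],
    },
])

# Constructed pin store: the Root key ID of each repository, recorded the first
# time it was verified out of band (for example against the publisher's own
# announcement of the key). Kept in version control, separate from the registry.
PINNED_ROOT_KEYS = {
    "alpine": {"a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"},
    "notary": {"8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92"},
}


def repository_name(name):
    """Drop a trailing ":tag" from an inspect Name (present when a tag was given);
    a ":" followed by "/" is a registry port, not a tag (e.g. "registry:5000/app")."""
    head, sep, tail = name.rpartition(":")
    return head if sep and "/" not in tail else name


def admin_key_ids(repo_entry, role):
    """Key IDs listed under AdministrativeKeys for `role` ("Root" or "Repository").
    The groups are not in a fixed order, so select by Name rather than by index."""
    for group in repo_entry.get("AdministrativeKeys", []):
        if group["Name"] == role:
            return {key["ID"] for key in group["Keys"]}
    return set()


def check_root_pins(inspect_output, pins):
    """Compare every repository's Root key with the pinned set. Returns
    {repo: status}; anything other than "ok" should block the deployment:
    a changed root key means the trust collection was re-initialised, or the
    trust data is being served by a different party than the one pinned."""
    results = {}
    for repo in json.loads(inspect_output):
        name = repository_name(repo["Name"])
        roots = admin_key_ids(repo, "Root")
        if not roots:
            results[name] = "no root key in trust data"
        elif name not in pins:
            results[name] = "unpinned: verify out of band, then pin"
        elif roots <= pins[name]:
            results[name] = "ok"
        else:
            results[name] = "ROOT KEY CHANGED"
    return results


def signed_digests(inspect_output):
    """Flatten the output into {"repo:tag": digest} for every signed tag, the
    allow-list form a deployment manifest can be checked against."""
    table = {}
    for repo in json.loads(inspect_output):
        for entry in repo.get("SignedTags", []):
            table[f"{repository_name(repo['Name'])}:{entry['SignedTag']}"] = entry["Digest"]
    return table


if __name__ == "__main__":
    for repo, status in check_root_pins(SAMPLE_MULTI, PINNED_ROOT_KEYS).items():
        print(f"{repo:10} {status}")
    for ref, digest in signed_digests(SAMPLE_MULTI).items():
        print(f"{ref:16} sha256:{digest}")
```

The pin check is deliberately one-directional: a repository that is not yet pinned is reported, not accepted, because the first time a root key is seen is exactly when it has to be verified by some channel other than the registry that served it.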

4) Get signature details for a single image tag (human-readable output)

The --pretty option prints the inspect output in a human-readable format instead of the default JSON:

docker trust inspect --pretty alpine:latest

SIGNED TAG          DIGEST                                                             SIGNERS
latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)

Administrative keys for alpine:latest:
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
Root Key:       a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce

A signed tag is an image tag that has been signed, identified by a unique content-addressable DIGEST. SIGNERS lists every entity that signed it.

The administrative keys listed identify the root of trust key and the key that manages the repository. These keys are responsible for modifying signers and rotating keys for the signed repository.

If signers have been set up for the repository with other docker trust commands, docker trust inspect --pretty displays them as SIGNER and lists their KEYS:

docker trust inspect --pretty my-image:purple

SIGNED TAG          DIGEST                                                              SIGNERS
purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol

List of signers and their keys:

SIGNER              KEYS
alice               47caae5b3e61, a85aab9d20a4
bob                 034370bcbd77, 82a66673242c
carol               b6f9f8e1aab0

Administrative keys for my-image:
Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
Root Key:       40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f

As with the JSON output, an unsigned tag shows no signed tags; however, if other tags in the same image repository are signed, docker trust inspect --pretty still reports the relevant key information:

docker trust inspect --pretty alpine:unsigned

No signatures for alpine:unsigned


Administrative keys for alpine:unsigned:
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
Root Key:       a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce

5) Get signature details for all image tags in a repository (human-readable output)

docker trust inspect --pretty alpine

SIGNED TAG          DIGEST                                                             SIGNERS
2.6                 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b   (Repo Admin)
2.7                 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a   (Repo Admin)
3.1                 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8   (Repo Admin)
3.2                 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7   (Repo Admin)
3.3                 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7   (Repo Admin)
3.4                 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9   (Repo Admin)
3.5                 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308   (Repo Admin)
3.6                 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
edge                79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b   (Repo Admin)
latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)

Administrative keys for alpine:
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
Root Key:       a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce

The following is an example with signers set up through docker trust commands:

docker trust inspect --pretty my-image

SIGNED TAG          DIGEST                                                              SIGNERS
red                 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943    alice
blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
green               cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139    alice, bob
yellow              9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba    carol
purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
orange              d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c    alice

List of signers and their keys for my-image:

SIGNER              KEYS
alice               47caae5b3e61, a85aab9d20a4
bob                 034370bcbd77, 82a66673242c
carol               b6f9f8e1aab0

Administrative keys for my-image:
Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
Root Key:       40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f

4. Command options

Option      Default   Description
--pretty              Print the information in a human-friendly format

5. Subcommands

Command                 Description
docker trust inspect    Return low-level information about keys and signatures
docker trust key        Manage keys for signing Docker images
docker trust revoke     Remove trust for an image
docker trust sign       Sign an image
docker trust signer     Manage entities who can sign Docker images
