mirror of
https://github.com/docker/cli.git
synced 2026-01-28 04:20:55 +03:00
c9bb291154
move the `trust` subcommands to a plugin, so that the subcommands can
be installed separate from the `docker trust` integration in push/pull
(for situations where trust verification happens on the daemon side).
make binary
go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust
docker info
Client:
Version: 28.2.0-dev
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.24.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
trust: Manage trust on Docker images (Docker Inc.)
Version: unknown-version
Path: /usr/libexec/docker/cli-plugins/docker-trust
docker trust --help
Usage: docker trust [OPTIONS] COMMAND
Extended build capabilities with BuildKit
Options:
-D, --debug Enable debug logging
Management Commands:
key Manage keys for signing Docker images
signer Manage entities who can sign Docker images
Commands:
inspect Return low-level information about keys and signatures
revoke Remove trust for an image
sign Sign an image
Run 'docker trust COMMAND --help' for more information on a command.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
118 lines
3.8 KiB
Markdown
118 lines
3.8 KiB
Markdown
# trust revoke
|
|
|
|
<!---MARKER_GEN_START-->
|
|
Remove trust for an image
|
|
|
|
### Options
|
|
|
|
| Name | Type | Default | Description |
|
|
|:--------------|:-------|:--------|:-------------------------------|
|
|
| `-y`, `--yes` | `bool` | | Do not prompt for confirmation |
|
|
|
|
|
|
<!---MARKER_GEN_END-->
|
|
|
|
## Description
|
|
|
|
`docker trust revoke` removes signatures from tags in signed repositories.
|
|
|
|
## Examples
|
|
|
|
### Revoke signatures from a signed tag
|
|
|
|
Here's an example of a repository with two signed tags:
|
|
|
|
|
|
```console
|
|
$ docker trust inspect --pretty example/trust-demo
|
|
SIGNED TAG DIGEST SIGNERS
|
|
red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice
|
|
blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob
|
|
|
|
List of signers and their keys for example/trust-demo:
|
|
|
|
SIGNER KEYS
|
|
alice 05e87edcaecb
|
|
bob 5600f5ab76a2
|
|
|
|
Administrative keys for example/trust-demo:
|
|
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
|
|
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
|
|
```
|
|
|
|
When `alice`, one of the signers, runs `docker trust revoke`:
|
|
|
|
```console
|
|
$ docker trust revoke example/trust-demo:red
|
|
Enter passphrase for delegation key with ID 27d42a8:
|
|
Successfully deleted signature for example/trust-demo:red
|
|
```
|
|
|
|
After revocation, the tag is removed from the list of released tags:
|
|
|
|
```console
|
|
$ docker trust inspect --pretty example/trust-demo
|
|
SIGNED TAG DIGEST SIGNERS
|
|
blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob
|
|
|
|
List of signers and their keys for example/trust-demo:
|
|
|
|
SIGNER KEYS
|
|
alice 05e87edcaecb
|
|
bob 5600f5ab76a2
|
|
|
|
Administrative keys for example/trust-demo:
|
|
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
|
|
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
|
|
```
|
|
|
|
### Revoke signatures on all tags in a repository
|
|
|
|
When no tag is specified, `docker trust` revokes all signatures that you have a signing key for.
|
|
|
|
```console
|
|
$ docker trust inspect --pretty example/trust-demo
|
|
SIGNED TAG DIGEST SIGNERS
|
|
red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice
|
|
blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob
|
|
|
|
List of signers and their keys for example/trust-demo:
|
|
|
|
SIGNER KEYS
|
|
alice 05e87edcaecb
|
|
bob 5600f5ab76a2
|
|
|
|
Administrative keys for example/trust-demo:
|
|
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
|
|
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
|
|
```
|
|
|
|
When `alice`, one of the signers, runs `docker trust revoke`:
|
|
|
|
```console
|
|
$ docker trust revoke example/trust-demo
|
|
Confirm you would like to delete all signature data for example/trust-demo? [y/N] y
|
|
Enter passphrase for delegation key with ID 27d42a8:
|
|
Successfully deleted signature for example/trust-demo
|
|
```
|
|
|
|
All tags that have `alice`'s signature on them are removed from the list of released tags:
|
|
|
|
```console
|
|
$ docker trust inspect --pretty example/trust-demo
|
|
|
|
No signatures for example/trust-demo
|
|
|
|
|
|
List of signers and their keys for example/trust-demo:
|
|
|
|
SIGNER KEYS
|
|
alice 05e87edcaecb
|
|
bob 5600f5ab76a2
|
|
|
|
Administrative keys for example/trust-demo:
|
|
Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
|
|
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
|
|
```
|
|
|