As I understood from the Docker official documentation, both the environment variable DOCKER_CONTENT_TRUST and the daemon config content-trust prevent the usage of unsigned tags. If I want to restrict using unsigned images, what will be the best option?
Option 1: export DOCKER_CONTENT_TRUST=1
Option 2: /etc/docker/daemon.json:
{
  "content-trust": {
    "mode": "enforced"
  }
}
The best option would be to use the content-trust (i.e. runtime enforcement) with the docker daemon (specified in the daemon's JSON configuration file). This is preferable because the end users of your environment can't just disable trust by setting the DOCKER_CONTENT_TRUST environment variable value to 0 and downloading insecure images.
On the flip side, this is available only in Docker Enterprise, so if you are using Community Edition then this option won't be available at all, leaving you with using just the environment variables.