Docker trust: how to sign image without pushing it to repository

Question

We run private docker registry, and I am trying to use notary to add image signing. I have notary set up, and Docker client can sign images as it pushes to the registry.

My problem is that we do not push to the same registry name we are pulling from. We use Nexus for hosting our docker images, and this is an artifact of the Nexus way of running private registry.

We push to docker-registry-publish.example.com and pull from docker-registry.example.com
We cannot push to docker-registry.example.com

I cannot find a way to have docker, or notary, sign an image without pushing it first. What I would like to be able to do is something like this:

docker push docker-registry-publish.example.com/team1/app1:1.0
docker tag docker-registry-publish.example.com/team1/app1:1.00 docker-registry.example.com/team1/app1:1.0
$some_way_to_sign docker-registry.example.com/team1/app1:1.0

There is no 'docker sign' command, the only way for docker to sign an image is to push it, as far as I know. 'notary sign' needs a file, and I do not know how to feed it a docker image.
Is there a way to have either docker, or notary, just do the signing?

Thank you!

Answer 1

These are the steps I would do.

First, generate the key using docker trust key generate and name it ${key}

Then, load the key and add the signer for the image

docker trust key load --name ${key} ${key}.pub
docker trust signer add --key ${key}.pub ${key} docker-registry-publish.example.com/team1/app1:1.0

Next, build the image:

docker build --disable-content-trust=true -t docker-registry-publish.example.com/team1/app1:1.0 .

And then, sign the image:

docker trust sign docker-registry-publish.example.com/team1/app1:1.0

Verify the keys and signature:

docker trust inspect --pretty docker-registry-publish.example.com/team1/app1:1.0

And, finally, push it:

docker push docker-registry-publish.example.com/team1/app1:1.0