How can I list all of the Docker Content Trust root keys on my system?
I am setting up a CI process that will use the debian:stable-slim
docker image to build my application's releases in ephemeral cloud instances. I want to make sure that every time my fresh build system does a docker pull debian:stable-slim
, it doesn't just blindly TOFU the root public key used to sign debian's docker images--thus defeating the entire security model of DCT.
Before downloading a given docker image, how can I check to see if the system already has the image's root public key or not?
To see what keys you already have on your system (happily/blindly/silently obtained with TOFU unless you put them there yourself), check
$HOME/.docker/trust/tuf/docker.io/library
For example:
See Also