At DockerCon 2023, we announced (https://www.linuxfoundation.org/press/announcing-openpubkey-project) our intention to use OpenPubkey (https://github.com/openpubkey/openpubkey), a project jointly developed by BastionZero (https://www.bastionzero.com/) and Docker and recently open-sourced and donated to the Linux Foundation (https://www.linuxfoundation.org/press/announcing-openpubkey-project), as part of our signing solution for Docker Official Images (DOI; https://docs.docker.com/trusted-content/official-images/). In this post, we walk you through the updated DOI signing strategy.

Going back to the example of DOI signing: if we distribute a certificate that binds the 1234 public key to the Docker Official Images (DOI) builder name, anybody can verify that an image signed by the 1234 private key was signed by the DOI builder, as long as they trust the CA that issued the certificate (Figure).

For Docker Official Images, the trust policy will state that our DOI build servers must sign the images.

The DOI builder pushes the signed image, the certificate from the CA, and the bundle signed by the TSA to the registry.
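The flow described above, verifying a signed image against a trust policy that names the DOI builder, as an added Go example that is not Docker's or OpenPubkey's code: a constructed CA issues a certificate binding a fresh key to a builder name, that key signs the image manifest, and the verifier rejects anything that does not chain to the trusted root, does not name the required builder, or does not cover the exact manifest. The CA name, the builder name and the manifest bytes are placeholders, and the TSA countersignature from the last step is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// tmpl builds a minimal template; names, serials and lifetimes are constructed for this example.
func tmpl(serial int64, name string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: ca}
}

// SignImage plays both the CA and the builder: the CA issues a certificate binding a fresh signing
// key to builderName, and that key signs the manifest. It returns the root the verifier must trust
// plus the certificate and signature, which is what the builder would push alongside the image.
func SignImage(builderName string, manifest []byte) (root, leaf *x509.Certificate, sig []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caT := tmpl(1, "Example Root CA", true)
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey)
	root, _ = x509.ParseCertificate(caDER)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	leafDER, _ := x509.CreateCertificate(rand.Reader, tmpl(2, builderName, false), root, pub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf, ed25519.Sign(key, manifest)
}

// VerifyImage enforces the trust policy: the certificate must chain to the trusted root, must name
// the builder the policy requires, and its key must have signed exactly this manifest.
func VerifyImage(root, leaf *x509.Certificate, sig, manifest []byte, requiredBuilder string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // untrusted issuer, expired, or otherwise not a valid chain
	}
	if leaf.Subject.CommonName != requiredBuilder {
		return errors.New("policy: certificate does not name the required builder")
	}
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, manifest, sig) {
		return errors.New("signature does not cover this manifest")
	}
	return nil
}
```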
