Verifying the Docker Image Signature
This page explains how to confirm that the Stardog image pulled from Docker Hub is digitally signed.
As of version 11.0.0, the Stardog image in Docker Hub is digitally signed by Stardog. Docker provides information about their Content Trust system in their online documentation here.
If you want to enforce that the image you use is digitally signed, set the environment variable DOCKER_CONTENT_TRUST
to 1
before running docker pull
(see more here).
If you want to verify the image on Docker Hub is digitally signed, you can run the command:
$ docker trust inspect stardog/stardog:latest --pretty
Signatures for stardog/stardog:latest
SIGNED TAG DIGEST SIGNERS
latest 915070c7a72bba4bcae66789d21a59c33574f10eaed277eee57fc9ecdccf34c4 stardog
List of signers and their keys for stardog/stardog:latest
SIGNER KEYS
stardog 3e6e217a9a9e
Administrative keys for stardog/stardog:latest
Repository Key: 1acd5f77de79aa54dbefd726caf47aecb39767b0342b27c677deb20ee09462d6
Root Key: 084fa0e02607008ff0e00ee4c29762bf0094a6a188c91de3d21dd8f7a71e5653
Note this is the signature for Stardog 11.0.0, and yours will look different if you’re using a more recent version.