
Verifying the Docker Image Signature

This page explains how to confirm that the Stardog image pulled from Docker Hub is digitally signed.

Verification with Notation (Current)

As of Stardog 12.0.0, Launchpad 3.8.0, and Voicebox 0.25.0, our images on Docker Hub are signed using Notation (OCI) with AWS Signer. Notation verifies by digest rather than by tag, so you will need the image digest for the tag you plan to use.

  1. Install the Notation CLI and the AWS Signer Notation plugin in your environment. AWS provides an installer for both at this link.
  2. Download the Stardog Notation trust policy and import it:
    $ curl -fL -o trustpolicy.json \
      https://docs.stardog.com/assets/trustpolicy.json
    $ notation policy import trustpolicy.json
    
  3. Add the AWS Signer root certificate to the signingAuthority store:
    $ curl -fL -o aws-signer-notation-root.crt \
      https://d2hvyiie56hcat.cloudfront.net/aws-signer-notation-root.cert
    $ notation cert add --store aws-signer-ts --type signingAuthority aws-signer-notation-root.crt
    
  4. To find the digest you want to verify, open the image's repository on Docker Hub, click the tag you plan to use, and copy the index digest shown below the image name. For example, the digest of stardog/stardog:12.0.0 is sha256:[placeholder].

Once you have the digest, verify the signature with this command:

$ notation verify \
  --plugin-config aws-region=us-east-1 \
  docker.io/stardog/stardog@sha256:<digest>

If your environment performs AWS Signer revocation checks, configure the AWS Signer plugin with the appropriate AWS credentials and region.
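The following script ties steps 1 through 4 together as a pre-deployment gate: it resolves a tag to its digest, refuses to verify anything that is not a digest, runs notation verify, and then pulls by that same digest so the image you run is the one that was checked. This is an added example, not Stardog's own tooling; it assumes the Notation CLI, the AWS Signer plugin, the trust policy and the root certificate are already in place, and it uses docker buildx imagetools inspect to resolve the digest (that command and its --format are an assumption, one of several ways to do this).

```shell
#!/bin/sh
# Digest-pinned verification gate for the Stardog image (added example, not
# Stardog's own tooling). Assumes steps 1-3 above are done: notation CLI,
# AWS Signer plugin, trust policy imported, root cert in the aws-signer-ts store.
# Resolving the digest with "docker buildx imagetools inspect" is an assumption;
# any tool that prints the index digest for a tag would do.
set -eu

IMAGE_REPO="${IMAGE_REPO:-docker.io/stardog/stardog}"
AWS_REGION="${AWS_REGION:-us-east-1}"

# A usable digest is exactly "sha256:" followed by 64 lowercase hex digits.
digest_is_valid() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Build the "<repo>@<digest>" reference that notation verify expects.
# Refuses anything that is not a digest, so a mutable tag can never slip in.
pinned_ref() {
  digest_is_valid "$2" || return 1
  printf '%s@%s' "$1" "$2"
}

# Resolve a tag to the index digest shown on Docker Hub (needs network access).
resolve_digest() {
  docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "$IMAGE_REPO:$1"
}

# Verify the signature on the digest, then pull that same digest, so the
# artifact you run is the artifact that was checked even if the tag moves later.
verify_and_pull() {
  ref=$(pinned_ref "$IMAGE_REPO" "$1") || {
    echo "refusing: '$1' is not a sha256 digest" >&2
    return 1
  }
  notation verify --plugin-config "aws-region=$AWS_REGION" "$ref"
  docker pull "$ref"
}

# Usage: ./verify-stardog.sh 12.0.0  (tag is resolved, verified, then pulled by digest)
if [ -n "${1:-}" ]; then
  verify_and_pull "$(resolve_digest "$1")"
fi
```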

Legacy: Docker Content Trust (Notary v1)

As of version 11.0.0, the Stardog image in Docker Hub is digitally signed by Stardog. Docker provides information about their Content Trust system in their online documentation here.

If you want to enforce that the image you use is digitally signed, set the environment variable DOCKER_CONTENT_TRUST to 1 before running docker pull (see more here).

If you want to verify that the image on Docker Hub is digitally signed, you can run the command:

$ docker trust inspect stardog/stardog:latest --pretty

Signatures for stardog/stardog:latest

SIGNED TAG   DIGEST                                                             SIGNERS
latest       915070c7a72bba4bcae66789d21a59c33574f10eaed277eee57fc9ecdccf34c4   stardog

List of signers and their keys for stardog/stardog:latest

SIGNER    KEYS
stardog   3e6e217a9a9e

Administrative keys for stardog/stardog:latest

Repository Key:	1acd5f77de79aa54dbefd726caf47aecb39767b0342b27c677deb20ee09462d6
Root Key:	084fa0e02607008ff0e00ee4c29762bf0094a6a188c91de3d21dd8f7a71e5653

Note that this is the signature for Stardog 11.0.0; yours will look different if you’re using a more recent version.