westurner 3 days ago
Do docker-pussh or docker-pushmi-pullyu verify container image signatures and attestations? From "About Docker Content Trust (DCT)" https://docs.docker.com/engine/security/trust/ :
cosign > verifying containers > verify attestation: https://docs.sigstore.dev/cosign/verifying/verify/#verify-at...

/? difference between docker content trust dct and cosign: https://www.google.com/search?q=difference+between+docker+co...
matt_kantor 2 days ago
docker-pushmi-pullyu does a vanilla `docker pull`[1] on the remote side, so you should be able to set `DOCKER_CONTENT_TRUST` in the remote environment to get whatever behavior you want (though admittedly I have not tested this). If there's desire for an option to specify `--disable-content-trust` during push and/or pull I'll happily add it. Please file an issue if this is something you want.

[1]: https://github.com/mkantor/docker-pushmi-pullyu/blob/12d2893...