Docker Content Trust

Overview

QCecuring integrates with Docker Content Trust (DCT) and Notary to provide centralized governance over container image signing. Organizations ensure that only verified, signed images are deployed to production while maintaining full control over signing keys and delegation policies.

Key capabilities

• Centralized management of Docker Content Trust root, targets, and delegation keys.
• Automated image signing during CI/CD pipeline image push operations.
• Policy enforcement for which registries, repositories, and tags require signatures.
• Key rotation workflows for DCT signing keys without disrupting image verification.
• Audit trail of all container image signing operations with pipeline and registry metadata.

Typical use cases

• Organizations enforcing signed container images in Kubernetes admission controllers.
• DevOps teams automating image signing in CI/CD pipelines before pushing to registries.
• Security teams requiring governance over Docker Content Trust key hierarchies.

High-level integration flow

1. Initialize or import Docker Content Trust key hierarchies into QCecuring’s secure key store.
2. Configure signing policies specifying which images and registries require DCT signatures.
3. CI/CD pipelines request image signing through QCecuring after successful builds and scans.
4. QCecuring signs image manifests using managed keys and pushes signatures to Notary.
5. Kubernetes admission controllers verify signatures, and QCecuring tracks all signing events centrally.

CBOM Discovery

QCecuring discovers Docker Content Trust signing keys and delegation roles, mapping them into your cryptographic inventory for PQC readiness assessment.