Implementing Content Trust

Notary is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.

If you want to enable content trust to ensure that images are signed, please set two environment variables in the command line before pushing or pulling any image:


If you push the image for the first time, You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the DOCKER_CONTENT_TRUST flag is set. The root key is generated at: /root/.docker/trust/private/root_keys You will also be asked to enter a new passphrase for the image. This is generated at /root/.docker/trust/private/tuf_keys/[registry name] /[imagepath]. If you are using a self-signed cert, make sure to copy the CA cert into /etc/docker/certs.d/ and $HOME/.docker/tls/ When an image is signed, it is indicated in the Web UI.

A signed image will have a checkbox next to it, otherwise an X is displayed instead.

If you want to remove a tag signature from harbor, you can use ‘notary remove’ command:

notary remove -p latest
Replace “” with the IP address or domain name of your Harbor node. In order to use content trust, HTTPS must be enabled in Harbor.

browse project