Enabling container image signature verification in docker-latest

IMPORTANT: As of Red Hat Enterprise Linux 7.5, the docker-latest package (described in this article) is deprecated. Although the package will remain available for the foreseeable future, it will not be updated going forward and will not be used for its original purpose of providing later versions of Docker software than what is included in the docker package. This article is being maintained for historical purposes.

If you want to check image signatures using the docker-latest service, you need to disable the docker service and enable docker-latest. See the section on switching between docker and docker-latest.

To enable signature verification in the docker-latest service, a configuration file must be edited and the service restarted. The file to edit is /etc/docker-latest/daemon.json, not /etc/sysconfig/docker-latest. The daemon reads both, and a directive given in both places (as a flag in OPTIONS and as a key in daemon.json) is treated as a conflict that stops the daemon from starting, with the following error:

unable to configure the Docker daemon with file /etc/docker-latest/daemon.json: the following directives are specified both as a flag and in the configuration file: signature-verification: (from flag: true, from file: false)

See this bugzilla for the reported issue.

To enable container image verification in docker-latest.service:

  1. Edit /etc/docker-latest/daemon.json so that it contains '"signature-verification": true' (keeping any other keys the file already has), save and exit.

     {
         "log-driver": "journald",
         "signature-verification": true
     }
    
  2. Edit /etc/sysconfig/docker-latest, removing the "--signature-verification=true" flag (and any other --signature-verification flag, whatever its value) from OPTIONS, save and exit.

     # /etc/sysconfig/docker-latest
     # Modify these options if you want to change the way the docker daemon runs
     OPTIONS='--debug --selinux-enabled'
     ...
    
  3. Restart the docker-latest service (as root) and confirm it is active:

     # systemctl restart docker-latest.service
    
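As an added example, not part of this article or of the docker-latest package, the POSIX shell script below ties the conflict described above to the three steps: it reads the --signature-verification flag from the OPTIONS= line of the sysconfig file and the "signature-verification" key from daemon.json, reports whether a restart would leave verification enabled, disabled, unset, or fail with the flag-versus-file conflict, and on request applies steps 1 and 2 to the files. The file paths are the ones the article names; the parsing assumes OPTIONS= is a single-line, optionally quoted, space-separated flag list and that the daemon.json key holds a plain JSON boolean. Both paths can be overridden through the SYSCONFIG and DAEMON_JSON environment variables so the functions can be exercised on copies first.

```shell
#!/bin/sh
# Preflight check and fix for docker-latest image signature verification.
# Added example; not part of the Red Hat article or the docker-latest package.
# Assumptions: the two file paths below (the article's), OPTIONS= being a
# single-line, optionally quoted flag list, and daemon.json holding the key
# as a plain JSON boolean. Paths are parameters so the functions run on copies.

SYSCONFIG=${SYSCONFIG:-/etc/sysconfig/docker-latest}
DAEMON_JSON=${DAEMON_JSON:-/etc/docker-latest/daemon.json}

# Value of --signature-verification in the OPTIONS= line of file $1: "true",
# "false", or empty when the flag is absent. A bare --signature-verification
# is a boolean flag and counts as true. The last occurrence wins.
sysconfig_sigverify() {
    line=$(grep '^OPTIONS=' "$1" 2>/dev/null | tail -n 1)
    opts=$(printf '%s' "${line#OPTIONS=}" | tr -d "'\"")
    val=""
    for w in $opts; do
        case "$w" in
            --signature-verification=*) val=${w#*=} ;;
            --signature-verification)   val=true ;;
        esac
    done
    printf '%s' "$val"
}

# Value of the "signature-verification" key in daemon.json $1, or empty.
# A regex is enough here because the key only ever holds a JSON boolean.
daemonjson_sigverify() {
    [ -f "$1" ] || return 0
    grep -oE '"signature-verification"[[:space:]]*:[[:space:]]*(true|false)' "$1" \
        | tail -n 1 | sed 's/.*://; s/[[:space:]]//g'
}

# Effective state for sysconfig file $1 and daemon.json $2:
#   conflict - set in both files; the daemon refuses to start with the
#              "specified both as a flag and in the configuration file"
#              error, even when the two values agree (exit status 1)
#   enabled  - set to true in exactly one file
#   disabled - set to false in exactly one file
#   unset    - set in neither; the daemon's built-in default then applies,
#              so do not rely on this state for enforcement
sigverify_state() {
    flag=$(sysconfig_sigverify "$1")
    file=$(daemonjson_sigverify "$2")
    if [ -n "$flag" ] && [ -n "$file" ]; then
        echo conflict; return 1
    elif [ "$flag" = true ] || [ "$file" = true ]; then
        echo enabled
    elif [ "$flag" = false ] || [ "$file" = false ]; then
        echo disabled
    else
        echo unset
    fi
}

# The article's steps 1 and 2: drop every --signature-verification flag from
# OPTIONS= in $1 and set "signature-verification": true in daemon.json $2
# (updating an existing key or inserting one). Does not restart the service.
sigverify_fix() {
    sysconfig=$1; json=$2
    if [ -f "$sysconfig" ]; then
        sed '/^OPTIONS=/s/[[:space:]]*--signature-verification\(=[a-z]*\)*//g' \
            "$sysconfig" > "$sysconfig.tmp" && mv "$sysconfig.tmp" "$sysconfig"
    fi
    if [ -n "$(daemonjson_sigverify "$json")" ]; then
        # key present: flip false to true, leave everything else untouched
        sed 's/\("signature-verification"[[:space:]]*:[[:space:]]*\)false/\1true/' \
            "$json" > "$json.tmp" && mv "$json.tmp" "$json"
    elif grep -q '"[^"]*"[[:space:]]*:' "$json" 2>/dev/null; then
        # object already has other keys: add ours right after the opening brace
        awk '!done && sub(/[{]/, "{\n    \"signature-verification\": true,") { done=1 } { print }' \
            "$json" > "$json.tmp" && mv "$json.tmp" "$json"
    else
        # file missing, empty, or just "{}": write a minimal object
        printf '{\n    "signature-verification": true\n}\n' > "$json"
    fi
}

# Run directly:  sh sigverify.sh check   or   sh sigverify.sh fix
case "${1:-}" in
    check) sigverify_state "$SYSCONFIG" "$DAEMON_JSON" ;;
    fix)   sigverify_fix "$SYSCONFIG" "$DAEMON_JSON" && sigverify_state "$SYSCONFIG" "$DAEMON_JSON" ;;
esac
```

Run "check" before step 3: anything other than "enabled" means the restart will either fail (conflict, non-zero exit so it can gate a deployment script) or leave verification off. "fix" edits the live files as root and prints the new state; the restart in step 3 is still required, after which systemctl status docker-latest.service should show the daemon active rather than the conflict error.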

See this article for more on the docker-latest package.
