We are currently investigating how we plan to add support for signing to Quay and Quay Enterprise. We don't currently support Docker Content Trust, as we are not yet convinced that DCT meets the requirements necessary to ensure a truly secure and seamless experience for our users. If we find that it does meet those requirements, we'll be adding support for it in the near future. If not, we'll be implementing another solution.
There are a few issues that we've identified with Docker Content Trust. Keep in mind some of this may have changed, as Docker is rapidly iterating on the design.
1) Docker is (as stated) rapidly iterating on the design, so we don't have a stable foundation on which to build.
2) As far as we can tell, DCT does not allow for verification against multiple keys. Rather, a single key must be used, which is extremely limiting.
3) In order to sign an image, it must be pulled to a machine, signed, and then pushed. This is a hard flow for most users, and we'd like to find a way to allow for browser-based signing, while still ensuring security. A very hard problem.
For now, our recommendation if you want total control of your registry is to run your own "on-premises" (could be in AWS) version of Quay, which you then completely control with no callbacks to us.