Docker Container Signing with TigerTrust
TigerTrust provides enterprise-grade container image signing for Docker environments. Sign images with enterprise code signing certificates, verify image integrity, and enforce signing policies to secure your software supply chain.
Image Signing
Sign container images with TigerTrust:
```bash
# Sign a Docker image
tigertrust docker sign \
  --image myapp:v1.0.0 \
  --certificate code-signing-cert \
  --registry ghcr.io/myorg

# Output
✓ Image signed: ghcr.io/myorg/myapp:v1.0.0
  Digest: sha256:abc123...
  Signature: sha256:def456...
  Certificate: CN=MyOrg Code Signing
```
Cosign Integration
TigerTrust integrates with Sigstore Cosign:
```bash
# Sign with Cosign using TigerTrust certificate
tigertrust cosign sign \
  --certificate code-signing-cert \
  ghcr.io/myorg/myapp:v1.0.0

# Verify signature
cosign verify \
  --certificate-identity "[email protected]" \
  --certificate-oidc-issuer "https://tigertrust.io" \
  ghcr.io/myorg/myapp:v1.0.0
```
Registry Integration
Configure automatic signing for registries:
```yaml
# TigerTrust registry signing policy
registries:
  - name: production-registry
    url: ghcr.io/myorg
    signing:
      enabled: true
      certificate: enterprise-code-signing
      auto_sign: true
      sign_on_push: true
  - name: staging-registry
    url: registry.staging.example.com
    signing:
      enabled: true
      certificate: staging-code-signing
      require_signature: true
```
Policy Enforcement
Enforce signing policies:
```yaml
# Container signing policy
policy:
  name: container-signing-policy
  rules:
    - name: production-images
      registries:
        - "ghcr.io/myorg/*"
        - "*.prod.example.com/*"
      requirements:
        signed: required
        certificate_issuer: "CN=MyOrg CA"
        timestamp: required
        max_age_days: 30
    - name: base-images
      images:
        - "*/base-*:*"
      requirements:
        signed: required
        trusted_roots:
          - enterprise-root-ca
          - public-ca-bundle
```
Verification in CI/CD
Verify images before deployment:
```yaml
# GitHub Actions verification
- name: Verify container signature
  uses: tigertrust/verify-action@v1
  with:
    image: ghcr.io/myorg/myapp:${{ github.sha }}
    policy: production-policy
    fail-on-unsigned: true

# Kubernetes admission webhook
- name: Deploy verified image
  run: |
    kubectl apply -f deployment.yaml
    # TigerTrust admission controller verifies signature
```
SBOM Signing
Sign Software Bill of Materials:
```bash
# Generate and sign SBOM
tigertrust sbom generate \
  --image myapp:v1.0.0 \
  --format spdx \
  --sign \
  --certificate sbom-signing-cert \
  --output myapp-sbom.json

# Attach SBOM to image
tigertrust sbom attach \
  --image ghcr.io/myorg/myapp:v1.0.0 \
  --sbom myapp-sbom.json
```
Kubernetes Admission Controller
Enforce signing in Kubernetes:
```yaml
apiVersion: tigertrust.io/v1
kind: ImagePolicy
metadata:
  name: require-signed-images
spec:
  namespaces:
    - production
    - staging
  rules:
    - images: ["*"]
      require:
        signed: true
    - images: ["ghcr.io/myorg/*"]
      require:
        signed: true
        certificate:
          issuer: "CN=MyOrg Code Signing CA"
  action:
    onViolation: reject
    audit: true
```
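As an added example, not TigerTrust's own code (the product's evaluation logic is not on this page), the Python below shows how the container-signing-policy rules and the ImagePolicy admission rules above can be evaluated against facts a signature verifier has already established. It assumes a constructed SignatureInfo shape, merges the page's registries/images keys into one glob list per rule, rejects images no rule covers by default (an assumption that mirrors the admission policy's catch-all `images: ["*"]` rule), and shapes the decision as the response half of a Kubernetes AdmissionReview; the `tigertrust.io/` audit-annotation key is assumed.

```python
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class SignatureInfo:
    """What a signature verifier has already established about an image.
    Constructed shape for this example; a real verifier fills it in from the
    signature and certificate chain it validated."""
    signed: bool
    issuer: str | None = None          # subject of the issuing CA, e.g. "CN=MyOrg CA"
    signed_at: datetime | None = None  # trusted timestamp, if the signature carries one
    trusted_root: str | None = None    # name of the root the certificate chained to


@dataclass
class Rule:
    """One policy rule; the page's separate registries/images keys are merged
    into a single list of glob patterns matched against the full image reference."""
    name: str
    patterns: list[str]
    signed: bool = True
    certificate_issuer: str | None = None
    timestamp_required: bool = False
    max_age_days: int | None = None
    trusted_roots: list[str] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    matched_rules: list[str]
    violations: list[str]


# The two rules of the container-signing-policy example on this page.
PRODUCTION_RULES = [
    Rule("production-images", ["ghcr.io/myorg/*", "*.prod.example.com/*"],
         certificate_issuer="CN=MyOrg CA", timestamp_required=True, max_age_days=30),
    Rule("base-images", ["*/base-*:*"],
         trusted_roots=["enterprise-root-ca", "public-ca-bundle"]),
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so runs are reproducible (constructed)


def rule_matches(rule: Rule, image_ref: str) -> bool:
    # fnmatch lets "*" span "/" as well, so "ghcr.io/myorg/*" covers nested repositories.
    return any(fnmatch.fnmatchcase(image_ref, p) for p in rule.patterns)


def evaluate(rules: list[Rule], image_ref: str, sig: SignatureInfo,
             now: datetime | None = None, default_allow: bool = False) -> Decision:
    """Apply every matching rule; any violation rejects the image (fail closed)."""
    now = now or datetime.now(timezone.utc)
    matched = [r for r in rules if rule_matches(r, image_ref)]
    violations: list[str] = []
    for rule in matched:
        if rule.signed and not sig.signed:
            violations.append(f"{rule.name}: image is unsigned")
            continue  # nothing further can be checked without a signature
        if rule.certificate_issuer and sig.issuer != rule.certificate_issuer:
            violations.append(f"{rule.name}: issuer {sig.issuer!r} is not {rule.certificate_issuer!r}")
        if rule.timestamp_required:
            if sig.signed_at is None:
                violations.append(f"{rule.name}: signature carries no trusted timestamp")
            elif sig.signed_at > now:
                violations.append(f"{rule.name}: signature timestamp lies in the future")
            elif rule.max_age_days is not None and now - sig.signed_at > timedelta(days=rule.max_age_days):
                violations.append(f"{rule.name}: signature is older than {rule.max_age_days} days")
        if rule.trusted_roots and sig.trusted_root not in rule.trusted_roots:
            violations.append(f"{rule.name}: certificate does not chain to a trusted root")
    if not matched and not default_allow:
        violations.append("no policy rule covers this image; rejecting by default")
    return Decision(not violations, [r.name for r in matched], violations)


def admission_response(uid: str, decision: Decision, audit: bool = True) -> dict:
    """Response half of a Kubernetes admission.k8s.io/v1 AdmissionReview (onViolation: reject).
    auditAnnotations end up in the API server audit log; the key prefix is assumed."""
    response: dict = {"uid": uid, "allowed": decision.allowed}
    if not decision.allowed:
        response["status"] = {"code": 403, "message": "; ".join(decision.violations)}
    if audit:
        response["auditAnnotations"] = {
            "tigertrust.io/matched-rules": ",".join(decision.matched_rules) or "none"}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def sample(signed: bool = True, issuer: str | None = "CN=MyOrg CA",
           age_days: int = 5, root: str | None = "enterprise-root-ca") -> SignatureInfo:
    """Constructed verifier output for the cases exercised below."""
    return SignatureInfo(signed, issuer, NOW - timedelta(days=age_days), root)


if __name__ == "__main__":
    for ref, sig in [("ghcr.io/myorg/myapp:v1.0.0", sample()),
                     ("ghcr.io/myorg/myapp:v1.0.0", sample(age_days=45)),
                     ("docker.io/library/base-python:3.12", sample(root="unknown-ca")),
                     ("example.org/other:1", sample())]:
        print(ref, admission_response("uid-1", evaluate(PRODUCTION_RULES, ref, sig, NOW)))
```

Every rule whose pattern matches is applied, so an image such as `ghcr.io/myorg/base-tool:1` has to satisfy both the production and base-image requirements; the timestamp check also rejects a future-dated signature, which a plain "older than N days" test would let through.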
Multi-Architecture Support
Sign multi-architecture images:
```bash
# Sign manifest list
tigertrust docker sign \
  --manifest myapp:v1.0.0 \
  --certificate code-signing-cert \
  --platforms linux/amd64,linux/arm64

# Verify specific platform
tigertrust docker verify \
  --image myapp:v1.0.0 \
  --platform linux/arm64
```
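Added example, not TigerTrust's code and not taken from this page: a Python sketch of what "verify specific platform" has to check when the signature covers the manifest list. It builds a constructed two-platform OCI image index in an in-memory, digest-keyed blob store standing in for a registry, models signature verification as a set of digests known to carry a valid signature (a stand-in; no real signature is produced), and accepts a per-platform manifest only if it is reachable, with matching digest and size, from a signed index.

```python
import hashlib
import json


class VerificationError(Exception):
    pass


def digest_of(blob: bytes) -> str:
    """OCI content digest: sha256 over the exact stored bytes, never over re-serialised JSON."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def encode(doc: dict) -> bytes:
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def build_sample_image() -> tuple[dict[str, bytes], str]:
    """Construct a linux/amd64 + linux/arm64 image as a digest-keyed blob store (toy registry).
    Returns the store and the digest of its image index (manifest list)."""
    store: dict[str, bytes] = {}
    entries = []
    for arch in ("amd64", "arm64"):
        config = encode({"architecture": arch, "os": "linux"})
        store[digest_of(config)] = config
        manifest = encode({
            "schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                       "digest": digest_of(config), "size": len(config)},
            "layers": [],  # layer descriptors omitted in this constructed sample
        })
        store[digest_of(manifest)] = manifest
        entries.append({"mediaType": "application/vnd.oci.image.manifest.v1+json",
                        "digest": digest_of(manifest), "size": len(manifest),
                        "platform": {"os": "linux", "architecture": arch}})
    index = encode({"schemaVersion": 2,
                    "mediaType": "application/vnd.oci.image.index.v1+json",
                    "manifests": entries})
    store[digest_of(index)] = index
    return store, digest_of(index)


def fetch(store: dict[str, bytes], expected_digest: str) -> bytes:
    """Fetch by digest and re-hash what came back: the registry is untrusted storage."""
    blob = store.get(expected_digest)
    if blob is None:
        raise VerificationError(f"{expected_digest} not in registry")
    if digest_of(blob) != expected_digest:
        raise VerificationError(f"content served for {expected_digest} does not hash to it")
    return blob


def verify_platform(store: dict[str, bytes], signed_digests: set[str],
                    index_digest: str, os_name: str, arch: str) -> str:
    """Return the digest of the os/arch manifest, but only if it is reachable from a
    manifest list whose digest carries a signature; the per-platform manifests are
    attested transitively through the descriptors inside the signed index."""
    if index_digest not in signed_digests:
        raise VerificationError(f"manifest list {index_digest} is not signed")
    index = json.loads(fetch(store, index_digest))
    for entry in index.get("manifests", []):
        platform = entry.get("platform", {})
        if platform.get("os") == os_name and platform.get("architecture") == arch:
            manifest = fetch(store, entry["digest"])
            if len(manifest) != entry["size"]:
                raise VerificationError("manifest size does not match its descriptor")
            return entry["digest"]
    raise VerificationError(f"signed manifest list has no {os_name}/{arch} manifest")


def rejects(*args) -> bool:
    """True if verify_platform refuses the given arguments."""
    try:
        verify_platform(*args)
    except VerificationError:
        return True
    return False


if __name__ == "__main__":
    store, index_digest = build_sample_image()
    signed = {index_digest}  # stand-in for "this digest has a valid signature" (constructed)
    print("arm64 manifest:", verify_platform(store, signed, index_digest, "linux", "arm64"))
    print("unsigned index rejected:", rejects(store, set(), index_digest, "linux", "arm64"))
```

Because the index is signed by digest, a tag pointing at a different index, an index that is not signed, or a platform manifest whose bytes no longer hash to the descriptor in the index are all refused, while the untouched platform is still accepted.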
Supply Chain Security
Complete supply chain visibility:
- Track image provenance
- Verify build attestations
- Validate source code signatures
- Audit signing history
Secure your container supply chain with TigerTrust's Docker integration.