You configure a local Docker engine to enforce content trust by setting the environment variable DOCKER_CONTENT_TRUST=1.
If myorg/myimage:1.0 is unsigned, does Docker block this command?
Solution: docker image inspect myorg/myimage:1.0
Correct Answer: A
Explanation
Docker will block the command docker image inspect myorg/myimage:1.0 if the image tag is unsigned and the environment variable DOCKER_CONTENT_TRUST is set to 1. This is because Docker Content Trust (DCT) enables the verification of the integrity and publisher of Docker images using digital signatures [1]. When DCT is enabled, Docker will only pull, run, or inspect images that have a valid signature [2]. If the image tag is not signed, Docker will reject the command and display an error message, such as "No valid trust data for 1.0" [3].
To inspect an unsigned image, you need to either disable DCT by setting DOCKER_CONTENT_TRUST to 0, or use the --disable-content-trust flag with the command.
References:
* [1] Content trust in Docker | Docker Docs
* [2] Enable and disable content trust in Docker | Docker Docs
* [3] Docker Content Trust: What It Is and How It Secures Container Images
* [4] docker image inspect | Docker Docs