
inconsistent information about docker content trust configuration

Open urld opened this issue 1 year ago • 1 comments

Is this a docs issue?

  • [X] My issue is about the documentation content or website

Type of issue

Information is incorrect

Description

The Engine Security Overview page states the following about DCT:

Docker Engine can be configured to only run signed images. The Docker Content Trust signature verification feature is built directly into the dockerd binary. This is configured in the Dockerd configuration file.

To enable this feature, trustpinning can be configured in daemon.json, whereby only repositories signed with a user-specified root key can be pulled and run.

However, the DCT page does not mention anything about the configuration via daemon.json, but only mentions client side config via env vars.

So which one is true? Am I missing something? I was only able to find a rather old reference to Docker EE which seems to be related to a documentation issue: https://github.com/moby/moby/issues/38639

Location

https://docs.docker.com/engine/security/

Suggestion

No response

urld, Mar 01 '24 14:03

Technically both of these are true at once. The daemon-side DCT never made it to the open source upstream in moby/moby (and thus isn't in the Docker CE packages); but the docs at docs.docker.com originally covered both the closed-source and open-source versions of "Docker."

Today this isn't so simple as Mirantis owns Docker EE (and renamed it Mirantis Container Engine), but the docs at docs.docker.com continue to mostly apply to both versions.

I think we'll probably have to reach out to Mirantis's docs team to figure out what the right move to reduce confusion here is.

neersighted, Mar 04 '24 19:03