dhi: add skip-tlog info (#23274)

<!--Delete sections as needed -->

## Description

Added `--skip-tlog` flag info to validate topic.

https://deploy-preview-23274--docsdocker.netlify.app/dhi/how-to/verify/#handle-missing-transparency-log-entries

Vale: Added Rekor to vocab.

## Related issues or tickets

DHI-647

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review
- [ ] Editorial review
- [ ] Product review

---------

Signed-off-by: Craig <craig.osterhout@docker.com>
Craig Osterhout
2025-08-27 16:08:18 -07:00
committed by GitHub
parent 8bcdc25e3d
commit d9ef40f2f9
2 changed files with 38 additions and 0 deletions

@@ -159,6 +159,7 @@ Qualcomm
Quickview
rebalance
reimplement
Rekor
rollback
rootful
runc
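Review bot: `Rekor` is placed correctly in the case-insensitive alphabetical order this vocab list keeps (between `reimplement` and `rollback`), and the capitalised spelling matches how the docs hunk writes the product name, so no lowercase variant is needed.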

@@ -119,6 +119,43 @@ $ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
--predicate-type https://scout.docker.com/sbom/v0.1 --verify
```
#### Handle missing transparency log entries
When using `--verify`, you may sometimes see an error like:
```text
ERROR no matching signatures: signature not found in transparency log
```
This occurs because Docker Hardened Images don't always record attestations in
the public [Rekor](https://docs.sigstore.dev/logging/overview/) transparency
log. In cases where an attestation would contain private user information (for
example, your organization's namespace in the image reference), writing it to
Rekor would expose that information publicly.
Even if the Rekor entry is missing, the attestation is still signed with
Docker's public key and can be verified offline by skipping the Rekor
transparency log check.
To skip the transparency log check and validate against Docker's key, use the
`--skip-tlog` flag:
```console
$ docker scout attest get \
--predicate-type https://cyclonedx.org/bom/v1.6 \
<your-org-namespace>/dhi-<image>:<tag> --platform <platform> \
--verify --skip-tlog
```
> [!NOTE]
>
> The `--skip-tlog` flag is only available in Docker Scout CLI version 1.18.2 and
> later.
This is equivalent to using `cosign` with the `--insecure-ignore-tlog=true`
flag, which validates the signature against Docker's published public key, but
ignores the transparency log check.
### Show the equivalent cosign command
When using the `--verify` flag, it also prints the corresponding
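Review bot: The sentence "the attestation is still signed with Docker's public key" (paragraph after the error block) is inaccurate: signing uses the private key and verification uses the public key, and the later cosign paragraph already says "validates the signature against Docker's published public key". Suggest "the attestation is still signed by Docker and can be verified offline against Docker's published public key." Two smaller points: the paragraph equating `--skip-tlog` with `--insecure-ignore-tlog=true` should say what assurance is given up when the transparency log check is skipped, so readers can judge whether key-only offline verification is acceptable for them; and the new example switches from the `https://scout.docker.com/sbom/v0.1` predicate type used in the preceding command to `https://cyclonedx.org/bom/v1.6` without explaining why.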