
Add cmdline docs for signing and verification flows#14453

Closed
NathanMcCauley wants to merge 1 commit into moby:master from NathanMcCauley:master

Conversation

@NathanMcCauley
Contributor

In order to address issue #2700 we have been working on design and implementation of a system for trusted distribution of Docker images

We'd like to solicit feedback on our design. Please find our design document for more details on this proposal.

To briefly summarize the proposal, a new environment variable, DOCKER_NOTARY, will enable signing and verification on push, pull, create and run. This flag will cause signing to happen on push and verification to happen on pull, create, and run. The signing and verification functionality will be implemented in the Docker client through notary's implementation of The Update Framework.

Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
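The description above says what the proposed switch does but not how a client would combine the environment variable, the flag and the default into one decision. The following is an added Go example, not code from this PR, from notary or from the Docker client, that models that decision and the per-command actions (sign on push, verify on pull, create and run). It assumes, since the PR does not say, that DOCKER_NOTARY is parsed as a boolean, that an explicit --untrusted flag wins over the environment, and that the default is --untrusted=true (trust off), which is how the thread reads the current default.

```go
package main

import (
	"fmt"
	"strconv"
)

// Mode lists which trust actions a CLI command performs.
type Mode struct {
	Sign   bool // sign the pushed image's target
	Verify bool // verify signatures before the image is used
}

// ResolveTrust decides whether trust is on for one invocation.
// envValue is the raw DOCKER_NOTARY value ("" when unset) and untrustedFlag
// is the parsed --untrusted flag, nil when the user did not pass it.
// Assumptions made for this example, not stated in the PR: DOCKER_NOTARY is
// parsed as a boolean, an explicit flag wins over the environment, and the
// default is --untrusted=true, i.e. trust off.
func ResolveTrust(envValue string, untrustedFlag *bool) (bool, error) {
	if untrustedFlag != nil {
		return !*untrustedFlag, nil // --untrusted=false means trusted
	}
	if envValue == "" {
		return false, nil // default: --untrusted=true
	}
	enabled, err := strconv.ParseBool(envValue)
	if err != nil {
		// Return an error so the caller aborts instead of silently running
		// untrusted because of a typo in the environment.
		return false, fmt.Errorf("DOCKER_NOTARY=%q: expected a boolean value", envValue)
	}
	return enabled, nil
}

// ActionsFor maps a command to the trust actions it triggers when trust is on:
// signing on push, verification on pull, create and run, nothing otherwise.
func ActionsFor(command string, trusted bool) Mode {
	if !trusted {
		return Mode{}
	}
	switch command {
	case "push":
		return Mode{Sign: true}
	case "pull", "create", "run":
		return Mode{Verify: true}
	default:
		return Mode{}
	}
}

func main() {
	untrustedFalse := false
	// Constructed invocations covering the default, the env var, the flag
	// and an invalid env value.
	for _, c := range []struct {
		cmd  string
		env  string
		flag *bool
	}{
		{"push", "", nil},            // default: nothing signed
		{"push", "1", nil},           // env enables signing
		{"run", "", &untrustedFalse}, // flag enables verification
		{"pull", "maybe", nil},       // bad value: error
	} {
		trusted, err := ResolveTrust(c.env, c.flag)
		if err != nil {
			fmt.Println(c.cmd, "->", err)
			continue
		}
		fmt.Printf("%s -> %+v\n", c.cmd, ActionsFor(c.cmd, trusted))
	}
}
```

This models only the client-side switch; the signing and verification themselves, which the proposal delegates to notary's TUF implementation, are not part of the example. The point worth noting for a reviewer is the failure mode: an unparseable DOCKER_NOTARY value is reported rather than treated as "off", so a misspelt value cannot quietly disable verification.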

Contributor

as in --untrusted=false for all? or does this mean something else?

EDIT: I did not read the original blurb, my b, but maybe this should say that too regardless, for non readers like me

Contributor Author

added ;)

Contributor

Notary is an implementation detail of the trust feature of Docker. Do we want to make it appear all the way up to the UX? Isn't making the name appear here contradictory to the idea of having well spec'ed ingredients that we can substitute with other conforming implementations?

Contributor

--untrusted=false feels a little like a double negative. E.g. it is not un-trusted. Therefore it might be difficult for non-native English speakers to divine the expected behaviour. It's simpler to say it is trusted. I appreciate trusted is a loaded term, so maybe it's not the right word to use. Per icecrime's comment, I agree that we should use something more generic. Perhaps splitting the two workflows (signing and verification) would make sense, e.g. DOCKER_IMAGE_VERIFY and DOCKER_IMAGE_SIGN

Contributor

This is so eventually we can make trusted the default and not have it be counterintuitive.

Otherwise all options sound weird when they are turned on by default. There was a lot of back and forth on this already and I think I am still pro- the current approach.

Contributor

Agreed --untrusted is a bit weird.

Perhaps --verify-image=true as a default, then the user would pass --verify-image=false?

Contributor

Ah, I see @dave-tucker said a similar thing below. Just adding a +1 to his suggestions.

@jessfraz
Contributor

jessfraz commented Jul 9, 2015

Design LGTM

eventually we can remove the --untrusted flag altogether, like all deprecated flags that stay forever and ever and ever ;)

@dmcgowan
Member

dmcgowan commented Jul 9, 2015

Design LGTM

Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
Contributor

The doc should probably mention the default value (=true)

Contributor

Perhaps --verify=false

@icecrime
Contributor

A few remarks, otherwise design LGTM.

@jessfraz
Contributor

ok so I think we can get ready to move this into code review, and by this I mean #14546, @dmcgowan can you cherry pick this commit to your branch and we can close this and be on our way.

@dmcgowan
Member

cherry picked

@dmcgowan dmcgowan closed this Jul 13, 2015


7 participants