A security team wants to ensure that only signed Docker images are deployed in production. Which CI/CD pipeline step validates the image signature before deployment?
Standard mechanism for image signing and verification.
Why this answer
Docker Content Trust (DCT) integrates with Notary to provide a framework for signing and verifying Docker images. When DCT is enabled in the CI/CD pipeline, the Docker client verifies the image's signature against a trusted signing key before allowing the image to be pulled or deployed, and refuses an image that carries no valid signature, ensuring only images signed by authorized parties are used in production.
Exam trap
The trap here is that candidates confuse integrity verification (hash comparison) with authenticity verification (digital signatures), assuming a simple SHA check provides the same security as a full PKI-based signing scheme like Docker Content Trust.
How to eliminate wrong answers
Option B is wrong because comparing the image SHA with a known-good hash only verifies integrity (that the image has not been altered in transit or at rest), not authenticity (that the image was signed by a trusted publisher); a hash says nothing about who produced the image. Option C is wrong because a vulnerability scan checks for known security flaws in the image's packages, but does not validate any cryptographic signature or provenance. Option D is wrong because checking the image size on the registry is a trivial metadata check that provides no security assurance about the image's origin or integrity.