
Rename to flags and environment variables to content trust

Update help line to allow 90 characters instead of 80

The trust flag pushes out the help description column wider, requiring more room to display help messages.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Derek McGowan 10 年之前
当前提交
259cadb0b1

+ 6 - 6
api/client/trust.go

@@ -37,7 +37,7 @@ var untrusted bool
 
 func addTrustedFlags(fs *flag.FlagSet, verify bool) {
 	var trusted bool
-	if e := os.Getenv("DOCKER_TRUST"); e != "" {
+	if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
 		if t, err := strconv.ParseBool(e); t || err != nil {
 			// treat any other value as true
 			trusted = true
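Review bot: The old `DOCKER_TRUST` variable is dropped here with no fallback or warning, so an environment that still exports `DOCKER_TRUST=1` leaves `trusted` false and the flag default becomes `--disable-content-trust=true`: images are then pulled and run unverified without any message. If the old names were ever shipped to users, read `DOCKER_TRUST` as a deprecated fallback when `DOCKER_CONTENT_TRUST` is empty, or at least print a warning to stderr when it is set. The same applies to `DOCKER_TRUST_SERVER` in the `trustServer` hunk and to the three `DOCKER_TRUST_*_PASSPHRASE` variables in the `getPassphraseRetriever` hunk. The body of `addTrustedFlags` continues outside this hunk.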
@@ -47,7 +47,7 @@ func addTrustedFlags(fs *flag.FlagSet, verify bool) {
 	if verify {
 		message = "Skip image verification"
 	}
-	fs.BoolVar(&untrusted, []string{"-untrusted"}, !trusted, message)
+	fs.BoolVar(&untrusted, []string{"-disable-content-trust"}, !trusted, message)
 }
 
 func isTrusted() bool {
@@ -79,7 +79,7 @@ func (cli *DockerCli) certificateDirectory(server string) (string, error) {
 }
 
 func trustServer(index *registry.IndexInfo) string {
-	if s := os.Getenv("DOCKER_TRUST_SERVER"); s != "" {
+	if s := os.Getenv("DOCKER_CONTENT_TRUST_SERVER"); s != "" {
 		if !strings.HasPrefix(s, "https://") {
 			return "https://" + s
 		}
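Review bot: The `strings.HasPrefix(s, "https://")` check in `trustServer` prepends `https://` to anything else, so a value that already carries a scheme (for example `http://notary.example`, a constructed value) comes back as `https://http://notary.example`, and the operator only sees a confusing connection error later. Since the function returns a bare string, the least invasive fix is to document the accepted forms above the check, e.g. `// DOCKER_CONTENT_TRUST_SERVER must be host[:port] or an https:// URL; any other scheme is unsupported`, and to report a value containing `://` without the https prefix instead of rewriting it. The rest of `trustServer` is outside the hunk, so the fallback path could not be reviewed.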
@@ -178,9 +178,9 @@ func convertTarget(t client.Target) (target, error) {
 func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {
 	baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out)
 	env := map[string]string{
-		"root":     os.Getenv("DOCKER_TRUST_ROOT_PASSPHRASE"),
-		"targets":  os.Getenv("DOCKER_TRUST_TARGET_PASSPHRASE"),
-		"snapshot": os.Getenv("DOCKER_TRUST_SNAPSHOT_PASSPHRASE"),
+		"root":     os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
+		"targets":  os.Getenv("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE"),
+		"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE"),
 	}
 	return func(keyName string, alias string, createNew bool, numAttempts int) (string, bool, error) {
 		if v := env[alias]; v != "" {

+ 2 - 2
docs/reference/commandline/cli.md

@@ -49,8 +49,8 @@ by the `docker` command line:
   unsuitable for Docker.
 * `DOCKER_RAMDISK` If set this will disable 'pivot_root'.
 * `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote.
-* `DOCKER_TRUST` When set Docker uses notary to sign and verify images.
-  Equates to `--untrusted=false` for build, create, pull, push, run.
+* `DOCKER_CONTENT_TRUST` When set Docker uses notary to sign and verify images.
+  Equates to `--disable-content-trust=false` for build, create, pull, push, run.
 * `DOCKER_TMPDIR` Location for temporary Docker files.
 
 Because Docker is developed using 'Go', you can also use any environment

+ 51 - 51
docs/reference/commandline/create.md

@@ -17,57 +17,57 @@ Creates a new container.
 
     Create a new container
 
-      -a, --attach=[]            Attach to STDIN, STDOUT or STDERR
-      --add-host=[]              Add a custom host-to-IP mapping (host:ip)
-      --blkio-weight=0           Block IO weight (relative weight)
-      -c, --cpu-shares=0         CPU shares (relative weight)
-      --cap-add=[]               Add Linux capabilities
-      --cap-drop=[]              Drop Linux capabilities
-      --cgroup-parent=""         Optional parent cgroup for the container
-      --cidfile=""               Write the container ID to the file
-      --cpu-period=0             Limit CPU CFS (Completely Fair Scheduler) period
-      --cpu-quota=0              Limit CPU CFS (Completely Fair Scheduler) quota
-      --cpuset-cpus=""           CPUs in which to allow execution (0-3, 0,1)
-      --cpuset-mems=""           Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
-      --device=[]                Add a host device to the container
-      --dns=[]                   Set custom DNS servers
-      --dns-search=[]            Set custom DNS search domains
-      -e, --env=[]               Set environment variables
-      --entrypoint=""            Overwrite the default ENTRYPOINT of the image
-      --env-file=[]              Read in a file of environment variables
-      --expose=[]                Expose a port or a range of ports
-      -h, --hostname=""          Container host name
-      --help=false               Print usage
-      -i, --interactive=false    Keep STDIN open even if not attached
-      --ipc=""                   IPC namespace to use
-      -l, --label=[]             Set metadata on the container (e.g., --label=com.example.key=value)
-      --label-file=[]            Read in a line delimited file of labels
-      --link=[]                  Add link to another container
-      --log-driver=""            Logging driver for container
-      --log-opt=[]               Log driver specific options
-      --lxc-conf=[]              Add custom lxc options
-      -m, --memory=""            Memory limit
-      --mac-address=""           Container MAC address (e.g. 92:d0:c6:0a:29:33)
-      --memory-swap=""           Total memory (memory + swap), '-1' to disable swap
-      --memory-swappiness=""     Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
-      --name=""                  Assign a name to the container
-      --net="bridge"             Set the Network mode for the container
-      --oom-kill-disable=false   Whether to disable OOM Killer for the container or not
-      -P, --publish-all=false    Publish all exposed ports to random ports
-      -p, --publish=[]           Publish a container's port(s) to the host
-      --pid=""                   PID namespace to use
-      --privileged=false         Give extended privileges to this container
-      --read-only=false          Mount the container's root filesystem as read only
-      --restart="no"             Restart policy (no, on-failure[:max-retry], always)
-      --security-opt=[]          Security options
-      -t, --tty=false            Allocate a pseudo-TTY
-      --untrusted=true           Skip image verification
-      -u, --user=""              Username or UID
-      --ulimit=[]                Ulimit options
-      --uts=""                   UTS namespace to use
-      -v, --volume=[]            Bind mount a volume
-      --volumes-from=[]          Mount volumes from the specified container(s)
-      -w, --workdir=""           Working directory inside the container
+      -a, --attach=[]               Attach to STDIN, STDOUT or STDERR
+      --add-host=[]                 Add a custom host-to-IP mapping (host:ip)
+      --blkio-weight=0              Block IO weight (relative weight)
+      -c, --cpu-shares=0            CPU shares (relative weight)
+      --cap-add=[]                  Add Linux capabilities
+      --cap-drop=[]                 Drop Linux capabilities
+      --cgroup-parent=""            Optional parent cgroup for the container
+      --cidfile=""                  Write the container ID to the file
+      --cpu-period=0                Limit CPU CFS (Completely Fair Scheduler) period
+      --cpu-quota=0                 Limit CPU CFS (Completely Fair Scheduler) quota
+      --cpuset-cpus=""              CPUs in which to allow execution (0-3, 0,1)
+      --cpuset-mems=""              Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
+      --device=[]                   Add a host device to the container
+      --dns=[]                      Set custom DNS servers
+      --dns-search=[]               Set custom DNS search domains
+      -e, --env=[]                  Set environment variables
+      --entrypoint=""               Overwrite the default ENTRYPOINT of the image
+      --env-file=[]                 Read in a file of environment variables
+      --expose=[]                   Expose a port or a range of ports
+      -h, --hostname=""             Container host name
+      --help=false                  Print usage
+      -i, --interactive=false       Keep STDIN open even if not attached
+      --ipc=""                      IPC namespace to use
+      -l, --label=[]                Set metadata on the container (e.g., --label=com.example.key=value)
+      --label-file=[]               Read in a line delimited file of labels
+      --link=[]                     Add link to another container
+      --log-driver=""               Logging driver for container
+      --log-opt=[]                  Log driver specific options
+      --lxc-conf=[]                 Add custom lxc options
+      -m, --memory=""               Memory limit
+      --mac-address=""              Container MAC address (e.g. 92:d0:c6:0a:29:33)
+      --memory-swap=""              Total memory (memory + swap), '-1' to disable swap
+      --memory-swappiness=""        Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+      --name=""                     Assign a name to the container
+      --net="bridge"                Set the Network mode for the container
+      --oom-kill-disable=false      Whether to disable OOM Killer for the container or not
+      -P, --publish-all=false       Publish all exposed ports to random ports
+      -p, --publish=[]              Publish a container's port(s) to the host
+      --pid=""                      PID namespace to use
+      --privileged=false            Give extended privileges to this container
+      --read-only=false             Mount the container's root filesystem as read only
+      --restart="no"                Restart policy (no, on-failure[:max-retry], always)
+      --security-opt=[]             Security options
+      -t, --tty=false               Allocate a pseudo-TTY
+      --disable-content-trust=true  Skip image verification
+      -u, --user=""                 Username or UID
+      --ulimit=[]                   Ulimit options
+      --uts=""                      UTS namespace to use
+      -v, --volume=[]               Bind mount a volume
+      --volumes-from=[]             Mount volumes from the specified container(s)
+      -w, --workdir=""              Working directory inside the container
 
 The `docker create` command creates a writeable container layer over the
 specified image and prepares it for running the specified command.  The

+ 2 - 2
docs/reference/commandline/pull.md

@@ -15,8 +15,8 @@ weight=1
 
     Pull an image or a repository from the registry
 
-      -a, --all-tags=false    Download all tagged images in the repository
-      --untrusted=true        Skip image verification
+      -a, --all-tags=false          Download all tagged images in the repository
+      --disable-content-trust=true  Skip image verification
 
 Most of your images will be created on top of a base image from the
 [Docker Hub](https://hub.docker.com) registry.

+ 1 - 1
docs/reference/commandline/push.md

@@ -15,7 +15,7 @@ weight=1
 
     Push an image or a repository to the registry
 
-    --untrusted=true           Skip image signing
+    --disable-content-trust=true   Skip image signing
 
 Use `docker push` to share your images to the [Docker Hub](https://hub.docker.com)
 registry or to a self-hosted one.

+ 55 - 55
docs/reference/commandline/run.md

@@ -15,61 +15,61 @@ weight=1
 
     Run a command in a new container
 
-      -a, --attach=[]            Attach to STDIN, STDOUT or STDERR
-      --add-host=[]              Add a custom host-to-IP mapping (host:ip)
-      --blkio-weight=0           Block IO weight (relative weight)
-      -c, --cpu-shares=0         CPU shares (relative weight)
-      --cap-add=[]               Add Linux capabilities
-      --cap-drop=[]              Drop Linux capabilities
-      --cgroup-parent=""         Optional parent cgroup for the container
-      --cidfile=""               Write the container ID to the file
-      --cpu-period=0             Limit CPU CFS (Completely Fair Scheduler) period
-      --cpu-quota=0              Limit CPU CFS (Completely Fair Scheduler) quota
-      --cpuset-cpus=""           CPUs in which to allow execution (0-3, 0,1)
-      --cpuset-mems=""           Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
-      -d, --detach=false         Run container in background and print container ID
-      --device=[]                Add a host device to the container
-      --dns=[]                   Set custom DNS servers
-      --dns-search=[]            Set custom DNS search domains
-      -e, --env=[]               Set environment variables
-      --entrypoint=""            Overwrite the default ENTRYPOINT of the image
-      --env-file=[]              Read in a file of environment variables
-      --expose=[]                Expose a port or a range of ports
-      --group-add=[]             Add additional groups to run as
-      -h, --hostname=""          Container host name
-      --help=false               Print usage
-      -i, --interactive=false    Keep STDIN open even if not attached
-      --ipc=""                   IPC namespace to use
-      -l, --label=[]             Set metadata on the container (e.g., --label=com.example.key=value)
-      --label-file=[]            Read in a file of labels (EOL delimited)
-      --link=[]                  Add link to another container
-      --log-driver=""            Logging driver for container
-      --log-opt=[]               Log driver specific options
-      --lxc-conf=[]              Add custom lxc options
-      -m, --memory=""            Memory limit
-      --mac-address=""           Container MAC address (e.g. 92:d0:c6:0a:29:33)
-      --memory-swap=""           Total memory (memory + swap), '-1' to disable swap
-      --memory-swappiness=""     Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
-      --name=""                  Assign a name to the container
-      --net="bridge"             Set the Network mode for the container
-      --oom-kill-disable=false   Whether to disable OOM Killer for the container or not
-      -P, --publish-all=false    Publish all exposed ports to random ports
-      -p, --publish=[]           Publish a container's port(s) to the host
-      --pid=""                   PID namespace to use
-      --privileged=false         Give extended privileges to this container
-      --read-only=false          Mount the container's root filesystem as read only
-      --restart="no"             Restart policy (no, on-failure[:max-retry], always)
-      --rm=false                 Automatically remove the container when it exits
-      --security-opt=[]          Security Options
-      --sig-proxy=true           Proxy received signals to the process
-      -t, --tty=false            Allocate a pseudo-TTY
-      -u, --user=""              Username or UID (format: <name|uid>[:<group|gid>])
-      --ulimit=[]                Ulimit options
-      --untrusted=true           Skip image verification
-      --uts=""                   UTS namespace to use
-      -v, --volume=[]            Bind mount a volume
-      --volumes-from=[]          Mount volumes from the specified container(s)
-      -w, --workdir=""           Working directory inside the container
+      -a, --attach=[]               Attach to STDIN, STDOUT or STDERR
+      --add-host=[]                 Add a custom host-to-IP mapping (host:ip)
+      --blkio-weight=0              Block IO weight (relative weight)
+      -c, --cpu-shares=0            CPU shares (relative weight)
+      --cap-add=[]                  Add Linux capabilities
+      --cap-drop=[]                 Drop Linux capabilities
+      --cgroup-parent=""            Optional parent cgroup for the container
+      --cidfile=""                  Write the container ID to the file
+      --cpu-period=0                Limit CPU CFS (Completely Fair Scheduler) period
+      --cpu-quota=0                 Limit CPU CFS (Completely Fair Scheduler) quota
+      --cpuset-cpus=""              CPUs in which to allow execution (0-3, 0,1)
+      --cpuset-mems=""              Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
+      -d, --detach=false            Run container in background and print container ID
+      --device=[]                   Add a host device to the container
+      --dns=[]                      Set custom DNS servers
+      --dns-search=[]               Set custom DNS search domains
+      -e, --env=[]                  Set environment variables
+      --entrypoint=""               Overwrite the default ENTRYPOINT of the image
+      --env-file=[]                 Read in a file of environment variables
+      --expose=[]                   Expose a port or a range of ports
+      --group-add=[]                Add additional groups to run as
+      -h, --hostname=""             Container host name
+      --help=false                  Print usage
+      -i, --interactive=false       Keep STDIN open even if not attached
+      --ipc=""                      IPC namespace to use
+      -l, --label=[]                Set metadata on the container (e.g., --label=com.example.key=value)
+      --label-file=[]               Read in a file of labels (EOL delimited)
+      --link=[]                     Add link to another container
+      --log-driver=""               Logging driver for container
+      --log-opt=[]                  Log driver specific options
+      --lxc-conf=[]                 Add custom lxc options
+      -m, --memory=""               Memory limit
+      --mac-address=""              Container MAC address (e.g. 92:d0:c6:0a:29:33)
+      --memory-swap=""              Total memory (memory + swap), '-1' to disable swap
+      --memory-swappiness=""        Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+      --name=""                     Assign a name to the container
+      --net="bridge"                Set the Network mode for the container
+      --oom-kill-disable=false      Whether to disable OOM Killer for the container or not
+      -P, --publish-all=false       Publish all exposed ports to random ports
+      -p, --publish=[]              Publish a container's port(s) to the host
+      --pid=""                      PID namespace to use
+      --privileged=false            Give extended privileges to this container
+      --read-only=false             Mount the container's root filesystem as read only
+      --restart="no"                Restart policy (no, on-failure[:max-retry], always)
+      --rm=false                    Automatically remove the container when it exits
+      --security-opt=[]             Security Options
+      --sig-proxy=true              Proxy received signals to the process
+      -t, --tty=false               Allocate a pseudo-TTY
+      -u, --user=""                 Username or UID (format: <name|uid>[:<group|gid>])
+      --ulimit=[]                   Ulimit options
+      --disable-content-trust=true  Skip image verification
+      --uts=""                      UTS namespace to use
+      -v, --volume=[]               Bind mount a volume
+      --volumes-from=[]             Mount volumes from the specified container(s)
+      -w, --workdir=""              Working directory inside the container
 
 The `docker run` command first `creates` a writeable container layer over the
 specified image, and then `starts` it using the specified command. That is,

+ 3 - 3
integration-cli/docker_cli_create_test.go

@@ -294,7 +294,7 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
 	dockerCmd(c, "rmi", repoName)
 
 	// Try untrusted create to ensure we pushed the tag to the registry
-	createCmd = exec.Command(dockerBinary, "create", "--untrusted=true", repoName)
+	createCmd = exec.Command(dockerBinary, "create", "--disable-content-trust=true", repoName)
 	s.trustedCmd(createCmd)
 	out, _, err = runCommandWithOutput(createCmd)
 	if err != nil {
@@ -302,7 +302,7 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
 	}
 
 	if !strings.Contains(string(out), "Status: Downloaded") {
-		c.Fatalf("Missing expected output on trusted create with --untrusted:\n%s", out)
+		c.Fatalf("Missing expected output on trusted create with --disable-content-trust:\n%s", out)
 	}
 }
 
@@ -366,7 +366,7 @@ func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {
 
 	runAtDifferentDate(elevenYearsFromNow, func() {
 		// Try create
-		createCmd := exec.Command(dockerBinary, "create", "--untrusted", repoName)
+		createCmd := exec.Command(dockerBinary, "create", "--disable-content-trust", repoName)
 		s.trustedCmd(createCmd)
 		out, _, err := runCommandWithOutput(createCmd)
 		if err != nil {

+ 1 - 1
integration-cli/docker_cli_help_test.go

@@ -132,7 +132,7 @@ func (s *DockerSuite) TestHelpTextVerify(c *check.C) {
 			// Check each line for lots of stuff
 			lines := strings.Split(out, "\n")
 			for _, line := range lines {
-				if len(line) > 80 {
+				if len(line) > 90 {
 					c.Fatalf("Help for %q is too long(%d chars):\n%s", cmd,
 						len(line), line)
 				}
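Review bot: The new limit `90` is a bare literal in `TestHelpTextVerify` with no hint of why it is no longer 80; the reason exists only in the commit message. A named constant with a comment would keep that, e.g. `const maxHelpLineLen = 90 // widened from 80: --disable-content-trust pushes the description column out`. `len(line)` counts bytes rather than characters, which is fine for ASCII help text but makes the "chars" wording in the failure message inexact. The enclosing loop starts and ends outside the hunk.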

+ 3 - 3
integration-cli/docker_cli_pull_test.go

@@ -174,7 +174,7 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
 	dockerCmd(c, "rmi", repoName)
 
 	// Try untrusted pull to ensure we pushed the tag to the registry
-	pullCmd = exec.Command(dockerBinary, "pull", "--untrusted=true", repoName)
+	pullCmd = exec.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName)
 	s.trustedCmd(pullCmd)
 	out, _, err = runCommandWithOutput(pullCmd)
 	if err != nil {
@@ -182,7 +182,7 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
 	}
 
 	if !strings.Contains(string(out), "Status: Downloaded") {
-		c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out)
+		c.Fatalf("Missing expected output on trusted pull with --disable-content-trust:\n%s", out)
 	}
 }
 
@@ -246,7 +246,7 @@ func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {
 
 	runAtDifferentDate(elevenYearsFromNow, func() {
 		// Try pull
-		pullCmd := exec.Command(dockerBinary, "pull", "--untrusted", repoName)
+		pullCmd := exec.Command(dockerBinary, "pull", "--disable-content-trust", repoName)
 		s.trustedCmd(pullCmd)
 		out, _, err := runCommandWithOutput(pullCmd)
 		if err != nil {

+ 4 - 4
integration-cli/docker_cli_push_test.go

@@ -182,15 +182,15 @@ func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C)
 	// tag the image and upload it to the private registry
 	dockerCmd(c, "tag", "busybox", repoName)
 
-	pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName)
+	pushCmd := exec.Command(dockerBinary, "push", "--disable-content-trust", repoName)
 	s.trustedCmdWithServer(pushCmd, "example/")
 	out, _, err := runCommandWithOutput(pushCmd)
 	if err != nil {
-		c.Fatalf("trusted push with no server and --untrusted failed: %s\n%s", err, out)
+		c.Fatalf("trusted push with no server and --disable-content-trust failed: %s\n%s", err, out)
 	}
 
 	if strings.Contains(string(out), "Error establishing connection to notary repository") {
-		c.Fatalf("Missing expected output on trusted push with --untrusted:\n%s", out)
+		c.Fatalf("Missing expected output on trusted push with --disable-content-trust:\n%s", out)
 	}
 }
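Review bot: The second `c.Fatalf` in `TestTrustedPushWithoutServerAndUntrusted` fires when the output does contain "Error establishing connection to notary repository", yet its message still reads "Missing expected output", which points a reader of a failing run in the wrong direction. Since the line is being edited anyway, reword it to say what was found: `c.Fatalf("Unexpected notary connection attempt on push with --disable-content-trust:\n%s", out)`. This check is what shows that the flag really bypasses the trust server, so a clear failure message matters here.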
 
@@ -252,7 +252,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) {
 	}
 
 	if !strings.Contains(string(out), "Status: Downloaded") {
-		c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out)
+		c.Fatalf("Missing expected output on trusted pull with --disable-content-trust:\n%s", out)
 	}
 }
 

+ 3 - 3
integration-cli/docker_cli_run_test.go

@@ -2566,7 +2566,7 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
 	dockerCmd(c, "rmi", repoName)
 
 	// Try untrusted run to ensure we pushed the tag to the registry
-	runCmd = exec.Command(dockerBinary, "run", "--untrusted=true", repoName)
+	runCmd = exec.Command(dockerBinary, "run", "--disable-content-trust=true", repoName)
 	s.trustedCmd(runCmd)
 	out, _, err = runCommandWithOutput(runCmd)
 	if err != nil {
@@ -2574,7 +2574,7 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
 	}
 
 	if !strings.Contains(string(out), "Status: Downloaded") {
-		c.Fatalf("Missing expected output on trusted run with --untrusted:\n%s", out)
+		c.Fatalf("Missing expected output on trusted run with --disable-content-trust:\n%s", out)
 	}
 }
 
@@ -2620,7 +2620,7 @@ func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {
 
 	runAtDifferentDate(elevenYearsFromNow, func() {
 		// Try run
-		runCmd := exec.Command(dockerBinary, "run", "--untrusted", repoName)
+		runCmd := exec.Command(dockerBinary, "run", "--disable-content-trust", repoName)
 		s.trustedCmd(runCmd)
 		out, _, err := runCommandWithOutput(runCmd)
 		if err != nil {

+ 5 - 5
integration-cli/trust_server.go

@@ -130,11 +130,11 @@ func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, sna
 
 func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) {
 	env := []string{
-		"DOCKER_TRUST=1",
-		fmt.Sprintf("DOCKER_TRUST_SERVER=%s", server),
-		fmt.Sprintf("DOCKER_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
-		fmt.Sprintf("DOCKER_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
-		fmt.Sprintf("DOCKER_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
+		"DOCKER_CONTENT_TRUST=1",
+		fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server),
+		fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
+		fmt.Sprintf("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
+		fmt.Sprintf("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
 	}
 	cmd.Env = append(os.Environ(), env...)
 }