If you would like to use Binary Authorisation in your own release processes, and with your own attestors and attestations, we recommend that you follow these steps for each Docker image:

Pull the image from your Docker registry.

Verify that the image is attested with Thought Machine’s public GPG key (see Pulling Docker images overview).

Retag the image with your Docker registry.

Push the image to your Docker registry.

Reattest the destination image with your own attestor.

An example client release script is provided in Example client release script for attesting images in your Docker registry. It is also supplied as mirror_images.sh in the Additional setup files folder with the documentation in the Release pack.