by bigmac 3586 days ago
We've done a ton of work on image signing. Look into Docker Content Trust (https://docs.docker.com/engine/security/trust/content_trust/) and Notary (https://github.com/docker/notary). Our signing system is an implementation of The Update Framework (https://theupdateframework.github.io/), which many folks feel pushes the security of signing systems past any other currently deployed systems out there.

The coolest bit here is to be able to do threshold signing. Essentially k-of-n signing for containers and verification gates that only allow containers with enough signatures in order to deploy. For some more background check out the blog post here: https://blog.docker.com/2016/08/securing-enterprise-software...

Disclaimer: I manage security at Docker.
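
The k-of-n verification gate described in the comment above, as an added sketch that is not part of the original comment and is not Notary or Docker Content Trust code. The `Role`, `Signature`, `ValidSigners` and `Allow` names, the signer IDs and the payload string are hypothetical, and Ed25519 is an assumed signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Signature pairs a signer's key ID with its signature over the payload.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Role lists the trusted public keys and how many must sign (k of n).
type Role struct {
	Threshold int
	Keys      map[string]ed25519.PublicKey
}

// ValidSigners counts distinct trusted keys with a valid signature on payload.
func (r Role) ValidSigners(payload []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, trusted := r.Keys[s.KeyID]
		if !trusted || seen[s.KeyID] {
			continue // untrusted key, or a key that was already counted
		}
		if ed25519.Verify(pub, payload, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// Allow is the deployment gate: true only when the threshold is met.
func (r Role) Allow(payload []byte, sigs []Signature) bool {
	return r.Threshold > 0 && r.ValidSigners(payload, sigs) >= r.Threshold
}

func main() {
	payload := []byte("registry.example/app@sha256:<digest>") // constructed
	role := Role{Threshold: 2, Keys: map[string]ed25519.PublicKey{}}
	var sigs []Signature
	for _, id := range []string{"dev", "qa", "release"} { // constructed IDs
		pub, priv, _ := ed25519.GenerateKey(nil)
		role.Keys[id] = pub
		sigs = append(sigs, Signature{KeyID: id, Sig: ed25519.Sign(priv, payload)})
		fmt.Println(id, "signed; deploy allowed:", role.Allow(payload, sigs))
	}
}
```

Counting distinct key IDs rather than signatures is what keeps one signer from meeting the threshold alone by submitting the same signature twice.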