Sign Atlassian images on dockerhub


    • Type: Suggestion
    • Resolution: Unresolved
    • Affects Version/s: None
    • Component/s: Environment - Docker

      We'd like to establish a trusted chain. However, currently the bitbucket-server image is unsigned.

      % docker trust inspect atlassian/bitbucket-server
      []
      No signatures or cannot access atlassian/bitbucket-server
      

      The main security concern is to be sure the images pulled from dockerhub are signed by Atlassian with the private key which is stored securely on the vendor side.

      If Atlassian can sign the images before pushing them to dockerhub, we can pull them securely, and in case the image doesn't have a valid signature we drop it.

            Assignee:
            Unassigned
            Reporter:
            Rodrigo M (Inactive)
            Votes:
            2
            Watchers:
            2
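
One way to implement the "drop it if there is no valid signature" check described in the issue, as an added example (not part of the issue and not Atlassian's code): it parses the JSON printed by `docker trust inspect` and returns a digest only when the tag is signed and the repository's root key matches a pinned ID. The sample JSON, repository name and key IDs are constructed placeholders, and pinning the root key ID is an assumption of this example.

```python
import json
import subprocess

# Constructed sample of `docker trust inspect` JSON for a signed repository.
# The digest and key IDs are placeholders, not real Atlassian values.
SIGNED_SAMPLE = json.dumps([{
    "Name": "example/app",
    "SignedTags": [{"SignedTag": "1.0", "Digest": "ab" * 32,
                    "Signers": ["Repo Admin"]}],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "ROOT_KEY_ID_PLACEHOLDER"}]},
        {"Name": "Repository", "Keys": [{"ID": "REPO_KEY_ID_PLACEHOLDER"}]},
    ],
}])
UNSIGNED_SAMPLE = "[]"  # what the issue shows for atlassian/bitbucket-server


def signed_digest(inspect_json, tag, pinned_root_id):
    """Return the signed digest for `tag`, or None if the image must be dropped."""
    try:
        repos = json.loads(inspect_json)
    except ValueError:
        return None                      # not JSON at all
    if not isinstance(repos, list) or not repos \
            or not isinstance(repos[0], dict):
        return None                      # no trust data: unsigned
    repo = repos[0]
    root_ids = {k.get("ID") for role in repo.get("AdministrativeKeys", [])
                if role.get("Name") == "Root" for k in role.get("Keys", [])}
    if pinned_root_id not in root_ids:
        return None                      # signed, but not under the expected root key
    for entry in repo.get("SignedTags", []):
        if entry.get("SignedTag") == tag and entry.get("Digest"):
            return entry["Digest"]
    return None                          # this particular tag has no signature


def pull_if_signed(repo, tag, pinned_root_id):
    """Inspect trust data, then pull by the signed digest only."""
    out = subprocess.run(["docker", "trust", "inspect", f"{repo}:{tag}"],
                         capture_output=True, text=True).stdout
    digest = signed_digest(out, tag, pinned_root_id)
    if digest is None:
        return False                     # drop: unsigned or unexpected signer
    subprocess.run(["docker", "pull", f"{repo}@sha256:{digest}"], check=True)
    return True
```

Setting `DOCKER_CONTENT_TRUST=1` in the client environment makes `docker pull` itself refuse tags that have no trust data.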
