diff --git a/cli/command/trust/sign_test.go b/cli/command/trust/sign_test.go
index 0880e8d7..fdfaec73 100644
--- a/cli/command/trust/sign_test.go
+++ b/cli/command/trust/sign_test.go
@@ -1,13 +1,12 @@
 package trust
 
 import (
+	"bytes"
 	"encoding/json"
 	"io/ioutil"
 	"os"
 	"testing"
 
-	"bytes"
-
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/internal/test"
diff --git a/e2e/trust/main_test.go b/e2e/trust/main_test.go
new file mode 100644
index 00000000..5881adcd
--- /dev/null
+++ b/e2e/trust/main_test.go
@@ -0,0 +1,17 @@
+package trust
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+)
+
+func TestMain(m *testing.M) {
+	if err := environment.Setup(); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+	os.Exit(m.Run())
+}
diff --git a/e2e/trust/sign_test.go b/e2e/trust/sign_test.go
new file mode 100644
index 00000000..06910147
--- /dev/null
+++ b/e2e/trust/sign_test.go
@@ -0,0 +1,84 @@
+package trust
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/gotestyourself/gotestyourself/fs"
+	"github.com/gotestyourself/gotestyourself/icmd"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	notaryURL    = "https://notary-server:4443"
+	alpineImage  = "registry:5000/alpine:3.6"
+	alpineSha    = "641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d"
+	busyboxImage = "registry:5000/busybox:1.27.2"
+	busyboxSha   = "030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af"
+	localImage   = "registry:5000/signlocal:v1"
+	signImage    = "registry:5000/sign:v1"
+)
+
+func TestSignLocalImage(t *testing.T) {
+	dir := setupConfigFile(t)
+	defer dir.Remove()
+	icmd.RunCmd(icmd.Command("docker", "pull", alpineImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", alpineImage, signImage).Assert(t, icmd.Success)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "trust", "sign", signImage),
+		withTrustAndPassphrase("root_password", "repo_password", dir))
+	result.Assert(t, icmd.Success)
+	assert.Contains(t, result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", alpineSha))
+
+}
+
+func TestSignWithLocalFlag(t *testing.T) {
+	dir := setupConfigFile(t)
+	defer dir.Remove()
+	setupTrustedImageForOverwrite(t, dir)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "trust", "sign", "--local", localImage),
+		withTrustAndPassphrase("root_password", "repo_password", dir))
+	result.Assert(t, icmd.Success)
+	assert.Contains(t, result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", busyboxSha))
+}
+
+func withTrustAndPassphrase(rootPwd, repositoryPwd string, dir fs.Dir) func(cmd *icmd.Cmd) {
+	return func(cmd *icmd.Cmd) {
+		env := append(os.Environ(),
+			"DOCKER_CONTENT_TRUST_SERVER="+notaryURL,
+			"DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="+rootPwd,
+			"DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="+repositoryPwd,
+			"DOCKER_CONFIG="+dir.Path(),
+		)
+		cmd.Env = append(cmd.Env, env...)
+	}
+}
+
+func setupConfigFile(t *testing.T) fs.Dir {
+	dir := fs.NewDir(t, "trust_test", fs.WithMode(0700), fs.WithFile("config.json", `
+	{
+		"auths": {
+			"registry:5000": {
+				"auth": "ZWlhaXM6cGFzc3dvcmQK"
+			},
+			"https://notary-server:4443": {
+				"auth": "ZWlhaXM6cGFzc3dvcmQK"
+			}
+		}
+	}
+	`))
+	return *dir
+}
+
+func setupTrustedImageForOverwrite(t *testing.T, dir fs.Dir) {
+	icmd.RunCmd(icmd.Command("docker", "pull", alpineImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", alpineImage, localImage).Assert(t, icmd.Success)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "-D", "trust", "sign", localImage),
+		withTrustAndPassphrase("root_password", "repo_password", dir))
+	result.Assert(t, icmd.Success)
+	assert.Contains(t, result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", alpineSha))
+	icmd.RunCommand("docker", "tag", busyboxImage, localImage).Assert(t, icmd.Success)
+}