Reputation: 1289
I am using docker notary to establish trust in the images I download from my private docker registry. I am able to work everything out (push, pull) quite well while I am running on one single host. However, in a multi-node (server/client) situation I am wondering how to get the publisher's public key. This publisher key will then be run alongside docker engine pull from a client host. Here the server host has the registry as well as the docker-notary server/signer.
Regards, Ashish
Upvotes: 1
Views: 549
Reputation: 21
Docker Content Trust (powered by Notary) by default will perform TOFUS (the "S" indicating this is over HTTPS) when downloading trust data for an image.
If you're using standalone Notary, you can provide trust-pinning configuration to pin to a specific public key or CA against a publisher's TUF root key (though importing certs into Notary repos is WIP, and scheduled for the next point release).
I encourage you to check out the relevant Notary client config information and this PR for more information about how to set this up in Notary; Docker Content Trust integration is WIP.
Upvotes: 1
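As an added illustration of the trust-pinning configuration the answer above refers to (this is not code from either answer and not a file shipped by the Notary project), here is the shape of a standalone Notary client config file with a `trust_pinning` section, following the layout of Notary's client configuration reference. The server URL, GUN, CA file path and the hex key ID are constructed placeholders; substitute the publisher's real root key ID or CA certificate when pinning.

```json
{
  "trust_dir": "~/.notary",
  "remote_server": {
    "url": "https://notary.example.com:4443",
    "root_ca": "/etc/notary/server-ca.pem"
  },
  "trust_pinning": {
    "certs": {
      "registry.example.com/team/app": [
        "0000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    "ca": {
      "registry.example.com/team": "/etc/notary/publisher-root-ca.pem"
    },
    "disable_tofu": true
  }
}
```

The `certs` map pins a specific GUN to one or more root key IDs (the hex ID of the publisher's TUF root key, obtained out of band from the publisher), while `ca` pins every GUN under a prefix to a CA certificate that must have signed the publisher's root key certificate. With `disable_tofu` set to `true`, a client fetching trust data for an image that matches no pin is rejected rather than trusted on first use, which is the behaviour a multi-host deployment wants once the publisher key has been distributed; leave it `false` to keep TOFU as a fallback for unpinned repositories. The `remote_server.root_ca` entry is only the TLS CA for the Notary server itself and does not by itself say anything about who is allowed to sign images.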
Reputation: 1507
I am also new to Notary and coming up to speed. My understanding of Notary (which is built on TUF) is that it uses TOFU (trust on first use). So what you need is to be able to connect over SSL to the Notary server, which will then download the publisher certs automatically. You trust what you get the first time (hence, TOFU), and after that the publisher certs are used to validate all future verification / key updates / etc.
Upvotes: 0