Marco

Reputation: 5109

Signing docker images with delegation key only

I'm trying the following scenario.

On my laptop I have created a delegation key. On a server I have created the target and authorized my delegation key. Now when signing my Docker image via docker trust I'm getting the following error.

An error occurred during validation: rpc error: code = 5 desc = key 6505d5d177b8ad1868d721f0043d0f16f4fc7cdbf27a0940c6f1ef52a95b15b9 not found

This 6505…. key is the private key for the target on the other machine, which I don’t have on my current machine.

Is what I'm trying even possible? Do I somehow have to synchronize all the keys to be able to do this?

Wanted to keep the targets on a server for backup reasons as well as for limiting who has access to those keys.

I have also filed a related github ticket.

https://github.com/theupdateframework/notary/issues/1558

Upvotes: 4

Views: 528

Answers (2)

William Desportes

Reputation: 1711

notary -d ~/.docker/trust/ -s https://notary.docker.io key rotate docker.io/botsudo/action-docker-compose snapshot -r

This will remove the need for a snapshot key as said in the Docker docs.

If your repository was created using a version of Docker Engine prior to 1.11, then before adding any delegations, you should rotate the snapshot key to the server so that collaborators don't need your snapshot key to sign and publish tags:

Upvotes: 0

Marco

Reputation: 5109

I found the solution.

What is required to make this happen is to have the notary-server manage the snapshot.

By default this certificate is managed by the client.

See the fix here.

https://github.com/philips-labs/dct-notary-admin/commit/bc0269d93370e2d3d474abdeaca6b0146a440144

Now a client only needs the delegation key once their delegation key is authorized on the given target.

Upvotes: 1
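The flow both answers describe (rotate the snapshot key to the Notary server, authorise a delegation key, then sign from a machine that holds only that key), as an added example that is not from the thread, from notary or from docker; it assumes the docker and notary CLIs are installed, and the image, signer and key-file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from notary/docker. It walks the fix
# the answers describe: publish the repository with the snapshot role handed to the
# Notary server, authorise a delegation key, then sign from a machine that holds only
# that delegation key. Image, signer and key-file names are placeholders.
set -euo pipefail

NOTARY_SERVER="${NOTARY_SERVER:-https://notary.docker.io}"
TRUST_DIR="${TRUST_DIR:-${HOME:-.}/.docker/trust}"

# Map an image reference to the Globally Unique Name the notary CLI expects:
# drop tag/digest, add the implied docker.io/ registry and library/ namespace.
gun_from_image() {
  local ref="$1" repo last first
  repo="${ref%%@*}"                                  # drop a digest
  last="${repo##*/}"
  case "$last" in *:*) repo="${repo%:*}" ;; esac     # drop a tag, not a registry port
  first="${repo%%/*}"
  case "$first" in
    *.*|*:*|localhost) ;;                            # explicit registry host
    *) repo="docker.io/$repo" ;;                     # Docker Hub implied
  esac
  case "$repo" in
    docker.io/*/*) ;;
    docker.io/*) repo="docker.io/library/${repo#docker.io/}" ;;
  esac
  printf '%s\n' "$repo"
}

# Repository owner (server): `notary init` creates the snapshot key locally,
# so rotate it to the server (-r) before adding delegations.
server_setup() {
  local image="$1" signer="$2" signer_pub="$3" gun
  gun="$(gun_from_image "$image")"
  notary -d "$TRUST_DIR" -s "$NOTARY_SERVER" init "$gun" --publish
  notary -d "$TRUST_DIR" -s "$NOTARY_SERVER" key rotate "$gun" snapshot -r
  docker trust signer add --key "$signer_pub" "$signer" "$image"
}

# Collaborator (laptop): only the delegation private key is needed now.
laptop_sign() {
  local image="$1" signer_key="$2"
  docker trust key load "$signer_key" --name "${3:-collaborator}"
  docker trust sign "$image"
}

case "${1:-}" in
  server) server_setup "$2" "$3" "$4" ;;   # ./dct.sh server IMAGE SIGNER signer.pub
  laptop) laptop_sign "$2" "$3" ;;         # ./dct.sh laptop IMAGE signer.key
  *) : ;;                                  # no mode: just define the functions
esac
```

Run the `server` mode once from the machine that owns the repository keys; afterwards the laptop needs nothing but the delegation private key loaded via `docker trust key load`.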
