Unable to run az acr check-health command on MacOS

Question

I am unable to run a health check using the Azure CLI. I am on MacOS Monterey. Below is the error:

➜ az acr check-health -n <ACR_NAME>
Docker daemon status: available
Docker version: 'Docker version 20.10.12, build 459d0df, platform linux/amd64'
This will pull the image mcr.microsoft.com/mcr/hello-world:latest. Proceed? (y/n): y
Docker pull of 'mcr.microsoft.com/mcr/hello-world:latest' : OK
Azure CLI version: 2.33.1
DNS lookup to <ACR_NAME>.azurecr.io at IP 20.42.66.2 : OK
Challenge endpoint https://<ACR_NAME>.azurecr.io/v2/ : OK
Fetch refresh token for registry '<ACR_NAME>.azurecr.io' : OK
Fetch access token for registry '<ACR_NAME>.azurecr.io' : OK
Helm version: 3.8.0
An error occurred: NOTARY_COMMAND_ERROR
Please verify if notary is installed.

Please refer to https://aka.ms/acr/errors#notary_command_error for more information.

The support URL provided does not lead to anywhere useful.

Not sure if it helps, but I'm able to login to my ACR just fine:

➜ az acr login --name <ACR_NAME>
Login Succeeded

Has anyone else faced this error/issue? What am I missing here?

Answer 1

The message Please verify if notary is installed seems to indicate that notary is just not installed. It used to be bundled with Docker Desktop until a few years ago but now has to be installed separately.

Azure CLI seems to require Notary v0.6.0 and does not work with the latest version. I didn't find any install instruction in the repository, but this worked for me on Windows:

• Download notary-Windows-amd64.exe
• Rename notary-Windows-amd64.exe to notary.exe
• Place notary.exein a folder which you add to the PATH environment variable
• Open a new terminal and try the health-check again to verify that it works

Answer 2

I faced the same issue and fixed it by the following command (installing notary v0.6.1)

$ go install github.com/notaryproject/notary/cmd/notary@v0.6.1

See https://github.com/notaryproject/notary for what the notary is.

...

And well, the command was useless though (sigh

Answer 3

set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 and voila, you won't get NOTARY_COMMAND_ERROR with az acr login command.

Answer 4

According too azure/container-registry| Microsoft Docs.

Azure Container Registry does not officially support the Notary CLI but is compatible with the Notary Server API, which is included with Docker Desktop. Currently Notary version 0.6.0 is recommended

So please try the suggestion provided in comment by @madhuraj.

It looks like a known issue .See if below can be workaround.

Try to enable content trust at the registry level.

Or In Bash

export DOCKER_CONTENT_TRUST=1

Enable content trust for single command

docker build --disable-content-trust=false -t myacr.azurecr.io/myimage:v1 .

In azure CLI

$ docker push myregistry.azurecr.io/myimage:v1

Please check enable registry content trust | Microsoft Docs for further details.

$ docker pull myregistry.azurecr.io/myimage:signed

Or see azure container registry - Stack Overflow reference

set DOCKER_CONTENT_TRUST=1

docker push myregistry.azurecr.io/image:tag

If the issue remains please raise a support request from overview blade > Support + troubleshooting >New Support Request.

References:

1. https://docker-docs-notary
2. Registry authentication options - Azure Container Registry | Microsoft Docs
3. behind-the-scenes - Azure Container Registry | Microsoft Docs