Signing docker images with delegation key only

460 views Asked by At

I'm trying following scenario.

On my laptop I have created a delegation key. On a server I have created the target and authorized my delegation key Now when signing my Docker image via docker trust I'm getting following error.

An error occurred during validation: rpc error: code = 5 desc = key 6505d5d177b8ad1868d721f0043d0f16f4fc7cdbf27a0940c6f1ef52a95b15b9 not found

This 6505…. key is the private key for the target on the other machine, which I don’t have on my current machine.

Is what I'm trying even possible? Do I somehow have to synchronize all the keys to be able to do this?

Wanted to keep the targets on a server for backup reasons as well for limiting who has access to those keys.

I have also filed a related github ticket.

https://github.com/theupdateframework/notary/issues/1558

1

There are 1 answers

0
Marco On BEST ANSWER

I found the solution.

What is required to make this happen is to have the notary-server manage the snapshot.

By default this certificate is managed by the client.

See the fix here.

https://github.com/philips-labs/dct-notary-admin/commit/bc0269d93370e2d3d474abdeaca6b0146a440144

Now a client only needs the delegation key once thei delegation key is authorized on the given target.