Questions tagged [notary]

Notary is a tool for publishing and managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and origin of content. This ability is built on a straightforward key management and signing interface to create signed collections and configure trusted publishers.

41 questions
5 votes, 2 answers

Docker Trust: could not rotate trust to a new trusted root: failed to validate data with current trusted certificates

I've suddenly got this message after a month of docker trust working fine for me via GitLab CI. I have a GitLab Runner that mounts the ~/.docker/trust (so it's persisted) and pushes it to our QA registry. tag_image_test: stage: tag_image …
Tim
4 votes, 0 answers

How to use Docker Content Trust to sign multi-arch images built with docker buildx?

I am trying to build, sign, and push a multi-arch container image using a Harbor registry with Notary. Following the steps in https://www.cncf.io/blog/2021/07/28/enforcing-image-trust-on-docker-containers-using-notary/ I was able to get the simple…
Spencer Small
4 votes, 1 answer

Signing Docker images with a delegation key only

I'm trying the following scenario. On my laptop I have created a delegation key. On a server I have created the target and authorized my delegation key. Now when signing my Docker image via docker trust I'm getting the following error. An error occurred…
Marco
4 votes, 3 answers

Docker Trust Initialization

When the initial trust on Docker Content Trust with Notary on TUF is initialized: I understand how TUF, Notary and Content Trust work. But what is not clear to me is how the initial trust is set up. How do I know that the first pull is not a…
Flo
4 votes, 2 answers

notary returns Error: unknown shorthand flag: 'r' in -r

I want to use delegates with DOCKER CONTENT TRUST. I generated the delegate.crt/key on the collaborator's machine and now I am trying to rotate the snapshot key with: notary key rotate localhost:5000/ubuntu snapshot -r => Error: unknown shorthand…
BiltiuLena
3 votes, 3 answers

Are there two root keys in Docker Content Trust?

I am new to the mechanism of Docker Content Trust (DCT) and a bit confused about the root key. The first time I add a signer to a new repository I am asked to enter passphrases for the root and repository key. After that a key file with the root key…
Joe
3 votes, 2 answers

How to debug failing docker image signing with the Docker Hub registry/notary?

Since today I haven't been able to push new signed images to a Docker Hub private repository due to image signing failing. I have Docker Content Trust enabled. I don't know of any significant changes in my environment that could affect this, except…
3 votes, 2 answers

How do we set up docker notary-server, notary-signer, and notary-client for a private registry such as Nexus?

I have set up the below infrastructure for notary: notary server, notary signer, mariadb database for both "notary server" and "notary signer", using docker-compose. I would like to use my private docker registry (nexus) which is deployed in different…
chinmay
3 votes, 2 answers

Add environment variable to ECS host

I am trying to set an environment variable in the EC2 instance hosting ECS containers. The environment variable should be readable by the docker client on the EC2 instance at run time. I know it's possible to add userData like so: #!/bin/sh echo…
cyc115
2 votes, 1 answer

How to generate custom Docker Content Trust root key

I have little idea of security aspects in and outside the docker world. As the document states, I tried the below command: docker trust key generate jeff. Whenever I run this command the first time it will automatically generate a root key. Isn't it…
JibinNajeeb
2 votes, 1 answer

Corda BFT notary cluster halts after one replica goes down

TL;DR - BFT cluster with 4-5 notary nodes grinds to a halt when one replica is killed. I ran the notary demo and the Raft cluster (with 3 notary nodes) behaved as expected - when I kill the leader, there's an election and the notary cluster…
qlfu_qlfu
1 vote, 1 answer

Is there a generic container signature validation method?

Does anyone have a good solution for generic container signature verification? From what I've seen (please correct any mistakes): Docker Hub uses signatures based on "Notary", which needs docker; RedHat use their own signing mechanism, which needs…
Max Allan
1 vote, 0 answers

How does a Docker image consumer validate image origin?

With docker content trust enabled, an image without trust metadata will not be downloaded. However, in the case where the trust metadata is present, the image will be pulled, so how does an image consumer validate the origin of the pulled image?…
yzftnt
1 vote, 0 answers

Docker --build-arg ignored when using Content Trust in FROM instruction

I'd like to build an image using ARG with DOCKER_CONTENT_TRUST activated, with Docker v18.06.1-ce. Dockerfile: ARG tag FROM busybox:${tag} Run docker build --build-arg tag=1.33.1 . OK. Then, activate Content Trust: export DOCKER_CONTENT_TRUST=1 Re-run…
1 vote, 1 answer

Ordering of transactions in Corda

I have a doubt regarding the ordering of transactions by the notary in Corda. For instance, if there are two parties, partyA and partyB, consuming the same input state, who send a txn at the same time to Corda, how does this work? Whether these transactions…