Skip to content

Instantly share code, notes, and snippets.

@mbentley
Last active August 24, 2021 20:02
Show Gist options
  • Save mbentley/b5c432dcd9dfc61e122a3ee0d4a1c6f1 to your computer and use it in GitHub Desktop.
Save mbentley/b5c432dcd9dfc61e122a3ee0d4a1c6f1 to your computer and use it in GitHub Desktop.
Docker Content Trust Demo (January 2017)
### set environment variables
DTR_URL="ddcbeta.mac"
# Make sure you have downloaded DTR's CA (if the certs are not trusted by valid root CA on your client already) and are placed in the path specified by --tlscacert
# The DTR's CA cert can be downloaded from https://${DTR_URL}/ca
# If it is already trusted, you can leave of the --tlscacert argument
alias notary="notary -s https://${DTR_URL} -d ~/.docker/trust --tlscacert ~/.docker/tls/${DTR_URL}/ca.crt"
REPO="admin/signtest"
USERNAME="admin"
### admin
# get certificate from client bundle, send public key to the admin
# note: this path is where i have my extracted client bundle that i want to create the delegation for
cd ~/ucp-bundles/local
# initialize repo
notary init ${DTR_URL}/${REPO}
# rotate snapshot key
notary key rotate ${DTR_URL}/${REPO} -r snapshot
# setup releases role
notary delegation add ${DTR_URL}/${REPO} targets/releases cert.pem --all-paths
# setup user role
notary delegation add ${DTR_URL}/${REPO} targets/${USERNAME} cert.pem --all-paths
# publish changes
notary publish ${DTR_URL}/${REPO}
### regular user
# import private key
notary key import key.pem
### enable DCT
export DOCKER_CONTENT_TRUST=1
### tag and push image
docker tag hello-world ${DTR_URL}/${REPO}:latest
docker push ${DTR_URL}/${REPO}:latest
### verify image is signed
notary list ${DTR_URL}/${REPO} -r targets/releases
notary list ${DTR_URL}/${REPO} -r targets/admin
### now you can deploy your application in UCP. Enable content trust policy enforcement and enjoy
### you can do further things like unsign an image
### unsign image
notary remove -p ${DTR_URL}/${REPO} latest -r targets/releases
notary remove -p ${DTR_URL}/${REPO} latest -r targets/admin
### verify image is no longer signed
notary list ${DTR_URL}/${REPO} -r targets/releases
notary list ${DTR_URL}/${REPO} -r targets/admin
### reset environment
# remove local and remote trust data
notary delete ${DTR_URL}/${REPO}
notary delete ${DTR_URL}/${REPO} --remote
# remove local keys
for i in $(notary key list | grep ${REPO} | awk '{print $3}'); do echo -e "yes\n" | notary key remove ${i}; done
# optionally remove images from dtr
< manually remove images from dtr >
# remove trust data from UCP (this is required if you delete the trust data completely as UCP doesn't purge the data from etcd)
# remove for versions earlier than UCP 3.0.x
ssh root@ddcbeta docker exec -i ucp-kv etcdctl --endpoint https://127.0.0.1:2379 --ca-file /etc/docker/ssl/ca.pem --cert-file /etc/docker/ssl/cert.pem --key-file /etc/docker/ssl/key.pem rm --recursive /notary/v1/ddcbeta.mac/${REPO}
# remove for UCP 3.0.x and above
ssh root@ddcbeta docker exec -i -e ETCDCTL_API=3 ucp-kv etcdctl --endpoints https://127.0.0.1:2379 --cert /etc/docker/ssl/cert.pem --key /etc/docker/ssl/key.pem --cacert /etc/docker/ssl/ca.pem del notary/v1/dddcbeta.mac/${REPO} --prefix
# the above probably doesn't work on newer versions of UCP; i have not tested this in a while though
@wheestermans
Copy link

I followed your procedure above to setup the notary for signing images, I received the information from Patrick van der Bleek [email protected]

But when publishing

docker push dockerdtrtest.toyota-europe.com/toyota/npaqit:2.5.S
The push refers to a repository [dockerdtrtest.toyota-europe.com/toyota/npaqit]
993e1301adb2: Layer already exists
6c793a5a796b: Layer already exists
4c59820c0be8: Layer already exists
f184b64b35e1: Layer already exists
6cf0dec25122: Layer already exists
fcf1efe44016: Layer already exists
938bbb7ef863: Layer already exists
e1a69b1ffb24: Layer already exists
e2d76b35cac9: Layer already exists
2b1afc6a929d: Layer already exists
774d6a563464: Layer already exists
fb9754e6a625: Layer already exists
25d5f19b5012: Layer already exists
f499e61ab8d1: Layer already exists
3e84929b5aed: Layer already exists
aac74411648a: Layer already exists
c9885413e7c3: Layer already exists
f356e6dc4c62: Layer already exists
0cabc19de93a: Layer already exists
d406d5dbafa4: Layer already exists
e2bedbb83887: Layer already exists
29ecdc3dad40: Layer already exists
42c62c9219f5: Layer already exists
37e23a762111: Layer already exists
ca5a1d288af5: Layer already exists
f0c1f4e9919a: Layer already exists
d850ff930363: Layer already exists
d086e46473e6: Layer already exists
e330d7128ee7: Layer already exists
c798e7615b7e: Layer already exists
879cbd6fa56e: Layer already exists
267cc0f8ff47: Layer already exists
3183d7f10b8a: Layer already exists
7599e3440b41: Layer already exists
5a97dbfb904f: Layer already exists
2.5.S: digest: sha256:d216922feb0a625e282b50bc2a5582bb6f4336262c45eebb57142eae97d1794a size: 7627
Signing and pushing trust metadata
WARN[0019] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
WARN[0019] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0019] Could not publish Repository since we could not update: x509: certificate signed by unknown authority
Failed to sign "dockerdtrtest.toyota-europe.com/toyota/npaqit":2.5.S - x509: certificate signed by unknown authority
Error: error contacting notary server: x509: certificate signed by unknown authority

can you advise me in possible causes?

Regards
Walter

@wheestermans
Copy link

These are the commands executed

notary init dockerdtrtest.toyota-europe.com/toyota/npaqit
notary key rotate dockerdtrtest.toyota-europe.com/toyota/npaqit -r snapshot
notary delegation add dockerdtrtest.toyota-europe.com/toyota/npaqit targets/releases cert.pem --all-paths
notary delegation add dockerdtrtest.toyota-europe.com/toyota/npaqit targets/docker cert.pem --all-paths
notary publish dockerdtrtest.toyota-europe.com/toyota/npaqit
notary key import key.pem
export DOCKER_CONTENT_TRUST=1
docker tag dockerdtrtest.toyota-europe.com/toyota/npaqit:2.5 dockerdtrtest.toyota-europe.com/toyota/npaqit:2.5.S
docker push dockerdtrtest.toyota-europe.com/toyota/npaqit:2.5.S

Regards
Walter

@mbentley
Copy link
Author

@wheestermans - Sorry, I did not get a notification about your reply. The reason is probably because your client that is doing the pushing doesn't trust the DTR's self signed CA. Your engine pushing trusts it but your local client does not. That is why the CA cert is placed in ~/.docker/tls/<fqdn.to.dtr>/ca.crt so that it will allow the local client to use that for the trust chain. Sorry it wasn't clear in the instructions as to why the cert was placed there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment