Fetch the public key used to sign an image in Notary.
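#!/bin/bash
#
# Fetches the root public key used to sign an image in Notary, e.g. to configure Connaisseur.
#
# E.g.:
# ./fetch-root-key.sh https://notary.docker.io docker.io/securesystemsengineering/connaisseur
#
# Arguments: $1 - Notary server URL (default: https://notary.docker.io)
#            $2 - image name / TUF GUN (default: docker.io/library/alpine)
# Outputs:   PEM-encoded public key(s) of the root role on stdout; progress on stderr.
# Returns:   0 on success; 1 if a tool is missing, notary/jq/openssl fail, or the
#            metadata does not contain the expected key.
#
# NOTE: the key is obtained from the same Notary server that serves the signatures,
# so this is trust-on-first-use. Compare the output against a copy obtained out of
# band (e.g. from the image publisher) before pinning it in a verifier.
set -euo pipefail

die() { printf 'fetch-root-key: %s\n' "$*" >&2; exit 1; }

for tool in notary jq base64 openssl; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done

NOTARY=${1:-https://notary.docker.io}
IMAGE=${2:-docker.io/library/alpine}
TMP=$(mktemp -d) || die "mktemp failed"
# The trust directory only holds cached TUF metadata; remove it on any exit path.
trap 'rm -rf -- "${TMP:?}"' EXIT

echo "# NOTARY: ${NOTARY}" >&2
echo "# IMAGE: ${IMAGE}" >&2
echo "# TMP: ${TMP}" >&2

# Populate $TMP/tuf/<IMAGE>/metadata/ as a side effect of listing the image's targets.
# The listing itself is discarded; notary's own diagnostics stay on stderr.
notary -s "$NOTARY" -d "$TMP" list "$IMAGE" >/dev/null || die "notary list failed for ${IMAGE}"

ROOT_JSON="${TMP}/tuf/${IMAGE}/metadata/root.json"
[[ -f "$ROOT_JSON" ]] || die "root metadata not found at ${ROOT_JSON}"

# The root role may list more than one keyid; emit one public key per id.
# --arg passes the keyid as data instead of splicing it into the jq program,
# which also avoids a parse error for ids that start with a digit.
found=0
while IFS= read -r rootid; do
  [[ -n "$rootid" ]] || continue
  rootb64=$(jq -r --arg id "$rootid" '.signed.keys[$id].keyval.public // empty' "$ROOT_JSON")
  [[ -n "$rootb64" ]] || die "no public key for keyid ${rootid} in ${ROOT_JSON}"
  # keyval.public is the base64 encoding of a PEM certificate; decode it, then
  # let openssl extract the public key from the certificate.
  printf '%s' "$rootb64" | base64 --decode > "${TMP}/root.cer"
  openssl x509 -inform pem -in "${TMP}/root.cer" -pubkey -noout
  found=1
done < <(jq -r '.signed.roles.root.keyids[]' "$ROOT_JSON")

(( found )) || die "root role lists no keyids in ${ROOT_JSON}"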