docker / cli

The Docker CLI
Apache License 2.0

Docker trust key load does not load key into ~/.docker/trust/private #1095

Open kyrogue opened 6 years ago

kyrogue commented 6 years ago

Tried running docker key trust load and it does not load the key into ~/.docker/trust/private despite it saying the key was successfully imported; it merely creates the trust/private directory, but the key file is not present in the private directory.

Client:
 Version:      18.03.1-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   9ee9f40
 Built:        Thu Apr 26 07:20:16 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.03.1-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   9ee9f40
  Built:        Thu Apr 26 07:23:58 2018
  OS/Arch:      linux/amd64
  Experimental: false

krockpot commented 5 years ago

Bit weird, but it seems like the code expects your key to have the "path" header set. I figured this out by looking in Notary's documentation. I was able to import a key formatted like:

-----BEGIN ENCRYPTED PRIVATE KEY-----
role: signer
path: keyid
====REDACTED KEY DATA====
-----END ENCRYPTED PRIVATE KEY-----

Relevant doc: https://godoc.org/github.com/docker/notary/trustmanager#ImportKeys

Also, FYI, if you generate the key with notary, the notary key export command will generate a key in this format for you.

krufab commented 3 years ago

It still fails even with Docker Client 19.03.12. The docker trust key import operation ends successfully even if no key is really imported. On the other hand, notary key import fails with an ambiguous error: "key may be encrypted and does not contain path header" and "fatal: failed to import all keys: invalid key pem block". Apparently, both docker trust key generate and notary key generate create keys which cannot be imported afterwards. The solution, not documented anywhere except in the comment above (https://github.com/docker/cli/issues/1095#issuecomment-423707423), is to edit the key and add the path field with the key id. Example:

-----BEGIN ENCRYPTED PRIVATE KEY-----
role: devops
path: hex_key_id_without_dot_key
====REDACTED KEY DATA====
-----END ENCRYPTED PRIVATE KEY-----

and the key will be imported correctly into the private folder, named as the path specified plus .key (in this case it would be: hex_key_id_without_dot_key.key).

An alternative and better approach is to export the key with notary as explained here: https://github.com/docker/cli/issues/2031

notary -d $HOME/.docker/trust key list
notary -d $HOME/.docker/trust key export --key key-id -o key-name.pem
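The two comments above both come down to the same check: Notary's ImportKeys only stores a key whose PEM block carries "role" and "path" headers. The following Go snippet is an added example (not code from the Docker CLI or Notary) that reports which of those headers a key is missing and adds the "path" header from a key id the user supplies, as from notary key list; the key body and id used are constructed placeholders.

```go
package main
import (
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// missingTrustHeaders reports which of the headers Notary's ImportKeys
// expects ("role" and "path") are absent from an encrypted private key PEM.
func missingTrustHeaders(pemData []byte) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	var missing []string
	for _, h := range []string{"role", "path"} {
		if _, ok := block.Headers[h]; !ok {
			missing = append(missing, h)
		}
	}
	return missing, nil
}

// addPathHeader returns a copy of the key with "path: <keyID>" set, so the
// import stores it as trust/private/<keyID>.key. It rejects ids that are not
// bare hex (e.g. still ending in ".key") and will not overwrite a different path.
func addPathHeader(pemData []byte, keyID string) ([]byte, error) {
	if _, err := hex.DecodeString(keyID); err != nil || keyID == "" {
		return nil, errors.New("key id must be the bare hex id without .key")
	}
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if existing, ok := block.Headers["path"]; ok && existing != keyID {
		return nil, fmt.Errorf("key already has path %q", existing)
	}
	block.Headers["path"] = keyID
	return pem.EncodeToMemory(block), nil
}

func main() {
	// Constructed sample: "role" only, body is placeholder bytes, not a key.
	in := pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY",
		Headers: map[string]string{"role": "signer"}, Bytes: []byte("placeholder")})
	out, err := addPathHeader(in, "0123456789abcdef")
	fmt.Printf("%s%v\n", out, err)
}
```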