Open kyrogue opened 6 years ago
Bit weird, but seems like the code expects your key to have the "path" header set. Figured this out by looking in Notary's documentation. Was able to import a key formatted like:
-----BEGIN ENCRYPTED PRIVATE KEY-----
role: signer
path: keyid
====REDACTED KEY DATA====
-----END ENCRYPTED PRIVATE KEY-----
Relevant doc: https://godoc.org/github.com/docker/notary/trustmanager#ImportKeys
Also FYI, if you generate the key with notary, the notary key export command will generate a key in this format for you.
It still fails even with Docker Client 19.03.12.
The docker trust key import operation ends successfully even if no key is really imported.
On the other hand, notary key import fails with an ambiguous error: "key may be encrypted and does not contain path header" and "fatal: failed to import all keys: invalid key pem block".
Apparently, both docker trust key generate and notary key generate create keys which cannot be imported afterwards.
The solution, not documented anywhere, except in the comment above (https://github.com/docker/cli/issues/1095#issuecomment-423707423), is to edit the key and add the path field with the key id.
Example:
-----BEGIN ENCRYPTED PRIVATE KEY-----
role: devops
path: hex_key_id_without_dot_key
====REDACTED KEY DATA====
-----END ENCRYPTED PRIVATE KEY-----
and the key will be imported correctly into the private folder, with the name being the specified path plus .key (in this case it would be: hex_key_id_without_dot_key.key).
An alternative and better approach is to export the key with notary as explained here: https://github.com/docker/cli/issues/2031
notary -d $HOME/.docker/trust key list
notary -d $HOME/.docker/trust key export --key key-id -o key-name.pem
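The two comments above both come down to the same check: Notary's importer decodes the PEM block and refuses it unless the block carries a "path" header (the "role" header is the one the exported keys also carry). The following Go program is an added example, not code from docker/cli or Notary: it decodes a key PEM with its headers using the standard encoding/pem package, reports the missing-header condition, and rewrites the block with the role and path headers set, returning the filename the thread says the key ends up under in trust/private. The key material is a constructed placeholder, and the function names and the "signer"/"0123abcd" values are assumptions for the demo.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Header names the thread reports Notary looking for inside the PEM block.
const (
	roleHeader = "role"
	pathHeader = "path"
)

// ErrNoPathHeader stands for the condition behind the
// "key may be encrypted and does not contain path header" message.
var ErrNoPathHeader = errors.New("key PEM block has no path header")

// DecodeKeyBlock parses the first PEM block in data, keeping its
// "key: value" header lines (encoding/pem exposes them as block.Headers).
func DecodeKeyBlock(data []byte) (*pem.Block, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("invalid key pem block")
	}
	return block, nil
}

// CheckImportable reports whether the block carries a non-empty path header.
func CheckImportable(block *pem.Block) error {
	if strings.TrimSpace(block.Headers[pathHeader]) == "" {
		return ErrNoPathHeader
	}
	return nil
}

// AddNotaryHeaders returns a re-encoded copy of the PEM with the path header
// set to keyID (and the role header set if it was absent), plus the filename
// the thread says the key is stored under in trust/private: <path>.key.
// The key bytes themselves are left untouched.
func AddNotaryHeaders(data []byte, role, keyID string) ([]byte, string, error) {
	block, err := DecodeKeyBlock(data)
	if err != nil {
		return nil, "", err
	}
	// The thread's example uses the bare hex key id; the ".key" suffix is
	// added by the importer, so reject ids that already carry it.
	if keyID == "" || strings.HasSuffix(keyID, ".key") {
		return nil, "", errors.New("keyID must be the bare hex id, without .key")
	}
	if block.Headers == nil {
		block.Headers = map[string]string{}
	}
	if _, ok := block.Headers[roleHeader]; !ok && role != "" {
		block.Headers[roleHeader] = role
	}
	block.Headers[pathHeader] = keyID
	out := pem.EncodeToMemory(block)
	if out == nil {
		// EncodeToMemory returns nil when a header contains a colon.
		return nil, "", errors.New("could not re-encode PEM block")
	}
	return out, keyID + ".key", nil
}

func main() {
	// Constructed placeholder: not a real key, just bytes standing in for
	// encrypted key material so the example runs offline.
	raw := pem.EncodeToMemory(&pem.Block{
		Type:  "ENCRYPTED PRIVATE KEY",
		Bytes: []byte("constructed placeholder key bytes"),
	})

	block, err := DecodeKeyBlock(raw)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Println("before:", CheckImportable(block)) // reports the missing path header

	fixed, name, err := AddNotaryHeaders(raw, "signer", "0123abcd")
	if err != nil {
		fmt.Println("rewrite failed:", err)
		return
	}
	fmt.Printf("%s\nwould be stored as ~/.docker/trust/private/%s\n", fixed, name)
}
```

Run it with `go run main.go`; the printed block has the role and path lines between the BEGIN line and the base64 data, exactly the layout the thread shows, and decoding that output again passes CheckImportable.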
Tried running docker key trust load and it does not load the key into ~/.docker/trust/private despite it saying the key is successfully imported; it merely creates the trust/private directory, but the key file is not present in the /private directory.