[x] I searched existing issues before opening this one
Expected behavior
Successfully pull signed images with content trust that can be pulled using docker 17.12.01
Client:
Version: 17.12.0-ol
API version: 1.35
Go version: go1.9.2
Git commit: 8ba4efb
Built: Wed Jan 3 17:28:19 2018
OS/Arch: linux/amd64
Server:
Engine:
Version: 17.12.0-ol
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: 8ba4efb
Built: Wed Jan 3 17:30:43 2018
OS/Arch: linux/amd64
Experimental: false
DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER=https://notary.mydomain.com docker -D pull harbor.mydomain.com/devops/docker-image:1
DEBU[0000] reading certificate directory: /home/cloud-user/.docker/tls/notary.mydomain.com
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] Making dir path: /home/cloud-user/.docker/trust/tuf/harbor.mydomain.com/devops/docker-image/changelist
DEBU[0000] entered ValidateRoot with dns: harbor.mydomain.com/devops/docker-image
DEBU[0000] found the following root keys: [4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62]
DEBU[0000] found 1 valid leaf certificates for harbor.mydomain.com/devops/docker-image: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for harbor.mydomain.com/devops/docker-image
DEBU[0000] checking root against trust_pinning config for harbor.mydomain.com/devops/docker-image
DEBU[0000] checking trust-pinning for cert: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] role has key IDs: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] verifying signature for key ID: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] root validation succeeded for harbor.mydomain.com/devops/docker-image
DEBU[0000] entered ValidateRoot with dns: harbor.mydomain.com/devops/docker-image
DEBU[0000] found the following root keys: [4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62]
DEBU[0000] found 1 valid leaf certificates for harbor.mydomain.com/devops/docker-image: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for harbor.mydomain.com/devops/docker-image
DEBU[0000] checking root against trust_pinning config for harbor.mydomain.com/devops/docker-image
DEBU[0000] checking trust-pinning for cert: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] role has key IDs: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] verifying signature for key ID: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] root validation succeeded for harbor.mydomain.com/devops/docker-image
DEBU[0000] updating TUF client
DEBU[0000] Loading timestamp...
DEBU[0000] 200 when retrieving metadata for timestamp
DEBU[0000] timestamp role has key IDs: 4faefce8ddce916a062098283de03c61d9706e6ed077f7628f5aa11efa317da1
DEBU[0000] verifying signature for key ID: 4faefce8ddce916a062098283de03c61d9706e6ed077f7628f5aa11efa317da1
DEBU[0000] timestamp role has key IDs: 4faefce8ddce916a062098283de03c61d9706e6ed077f7628f5aa11efa317da1
DEBU[0000] verifying signature for key ID: 4faefce8ddce916a062098283de03c61d9706e6ed077f7628f5aa11efa317da1
DEBU[0000] successfully verified downloaded timestamp
DEBU[0000] Loading snapshot...
DEBU[0000] snapshot role has key IDs: 96c88e8dcb7c391ecb2c4b5480501ff622201ebd1b5cee229062980e7af60913
DEBU[0000] verifying signature for key ID: 96c88e8dcb7c391ecb2c4b5480501ff622201ebd1b5cee229062980e7af60913
DEBU[0000] successfully verified cached snapshot
DEBU[0000] Loading targets...
DEBU[0000] targets role has key IDs: 1d9827b66b4778143d4b08b0bd7b30be671f36a88a4c2a9915355e9c945fa6b3
DEBU[0000] verifying signature for key ID: 1d9827b66b4778143d4b08b0bd7b30be671f36a88a4c2a9915355e9c945fa6b3
DEBU[0000] successfully verified cached targets
DEBU[0000] retrieving target for targets role
Pull (1 of 1): harbor.mydomain.com/devops/docker-image:1@sha256:6cf607e372339090d81b5f05d043d21469c7d91dbbb4680ec0d7d213c829044c
sha256:6cf607e372339090d81b5f05d043d21469c7d91dbbb4680ec0d7d213c829044c: Pulling from devops/docker-image
...
Digest: sha256:6cf607e372339090d81b5f05d043d21469c7d91dbbb4680ec0d7d213c829044c
Status: Downloaded newer image for harbor.mydomain.com/devops/docker-image@sha256:6cf607e372339090d81b5f05d043d21469c7d91dbbb4680ec0d7d213c829044c
Tagging harbor.mydomain.com/devops/docker-image@sha256:6cf607e372339090d81b5f05d043d21469c7d91dbbb4680ec0d7d213c829044c as harbor.mydomain.com/devops/docker-image:1
Actual behavior
Docker 18.03.01 fails to pull with content trust.
Client:
Version: 18.03.1-ol
API version: 1.37
Go version: go1.9.4
Git commit: 0d51d18
Built: Wed Aug 22 21:59:42 2018
OS/Arch: linux/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.03.1-ol
API version: 1.37 (minimum version 1.12)
Go version: go1.9.4
Git commit: 0d51d18
Built: Wed Aug 22 22:03:05 2018
OS/Arch: linux/amd64
Experimental: false
control sample: ok if no content trust:
DOCKER_CONTENT_TRUST=0 docker -D pull harbor.mydomain.com/devops/docker-image:1
Trying to pull repository harbor.mydomain.com/devops/docker-image ...
1: Pulling from harbor.mydomain.com/devops/docker-image
...
Digest: sha256:6cf607e372339090d81b5f05d043d21469c7d91dbbb4680ec0d7d213c829044c
Status: Downloaded newer image for harbor.mydomain.com/devops/docker-image:1
fail with content trust:
DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER=https://notary.mydomain.com docker -D pull harbor.mydomain.com/devops/docker-image:1
DEBU[0000] reading certificate directory: /home/wu105/.docker/tls/notary.mydomain.com
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] Making dir path: /home/wu105/.docker/trust/tuf/harbor.mydomain.com/devops/docker-image/changelist
DEBU[0000] received HTTP status 401 when requesting root.
you are not authorized to perform this operation: server returned 401.
Steps to reproduce the behavior
See above for the pulling actions.
The above are verbatim except the registry/notary urls and the image name.
The image is signed and pushed into the registry/notary using docker 18.03.01:
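An added example, not part of the issue report: a small Python parser that folds the `docker -D pull` content-trust debug lines shown above into a verification summary, so a successful chain (root, timestamp, snapshot, targets all verified) can be told apart from the failing case where the client never gets past `root` (HTTP 401). The sample logs are constructed from lines quoted in the report; the line patterns are assumed from that output, not from Notary's source.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Patterns for the content-trust lines the docker CLI prints with -D
# (assumed from the output quoted in the report).
ROOT_OK = re.compile(r"^DEBU\[\d+\] root validation succeeded for (\S+)")
ROLE_OK = re.compile(r"^DEBU\[\d+\] successfully verified (?:downloaded|cached) (\w+)")
META_STATUS = re.compile(r"^DEBU\[\d+\] (\d{3}) when retrieving metadata for (\w+)")
REQ_FAIL = re.compile(r"^DEBU\[\d+\] received HTTP status (\d{3}) when requesting (\w+)")
KEY_ID = re.compile(r"^DEBU\[\d+\] verifying signature for key ID: ([0-9a-f]{64})")
REQUIRED_ROLES = {"root", "timestamp", "snapshot", "targets"}

# Constructed samples: lines from the working 17.12 pull and the failing 18.03 pull.
OK_LOG = """\
DEBU[0000] verifying signature for key ID: 4d47c025b3ff10d885c6d1b16bdfd8872fe4b62e61abc11e3aaf19c62bdb6a62
DEBU[0000] root validation succeeded for harbor.mydomain.com/devops/docker-image
DEBU[0000] 200 when retrieving metadata for timestamp
DEBU[0000] successfully verified downloaded timestamp
DEBU[0000] successfully verified cached snapshot
DEBU[0000] successfully verified cached targets
"""
FAIL_LOG = """\
DEBU[0000] Making dir path: /home/wu105/.docker/trust/tuf/harbor.mydomain.com/devops/docker-image/changelist
DEBU[0000] received HTTP status 401 when requesting root.
you are not authorized to perform this operation: server returned 401.
"""

@dataclass
class TrustPullReport:
    gun: Optional[str] = None                     # repository name the root was validated for
    verified: Set[str] = field(default_factory=set)   # TUF roles whose signatures verified
    key_ids: Set[str] = field(default_factory=set)    # key IDs used for signature checks
    http_errors: Dict[str, int] = field(default_factory=dict)  # role -> non-2xx status

    @property
    def trusted(self) -> bool:
        # Trusted only if every TUF role verified and no metadata fetch failed.
        return REQUIRED_ROLES <= self.verified and not self.http_errors

def analyze_trust_log(text: str) -> TrustPullReport:
    """Fold the debug output of one content-trust pull into a TrustPullReport."""
    rep = TrustPullReport()
    for line in text.splitlines():
        if m := ROOT_OK.match(line):
            rep.gun = m.group(1)
            rep.verified.add("root")
        elif m := ROLE_OK.match(line):
            rep.verified.add(m.group(1))
        elif m := REQ_FAIL.match(line):
            rep.http_errors[m.group(2)] = int(m.group(1))
        elif (m := META_STATUS.match(line)) and not m.group(1).startswith("2"):
            rep.http_errors[m.group(2)] = int(m.group(1))
        elif m := KEY_ID.match(line):
            rep.key_ids.add(m.group(1))
    return rep
```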