notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

couldn't add target to targets: could not find necessary signing keys #1363

Open ase-101 opened 6 years ago

ase-101 commented 6 years ago

$ alias dockernotary="notary -c $HOME/.docker/trust/config.json -d $HOME/.docker/trust/ -s https://notary.docker.io"
$ dockernotary version
notary
Version:    0.4.3
Git commit: 9211198

$ docker version
Client:
 Version:      17.07.0-ce-rc4
 API version:  1.31
 Go version:   go1.8.3
 Git commit:   fe143e3
 Built:        Tue Aug 22 22:25:58 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.07.0-ce-rc4
 API version:  1.31 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   fe143e3
 Built:        Tue Aug 22 22:27:19 2017
 OS/Arch:      linux/amd64
 Experimental: false

I was able to set up delegation for a repository, successfully signing the first push:

$ export DOCKER_CONTENT_TRUST=1
$ docker push knsrividya/test-repo-1:latest
The push refers to a repository [docker.io/knsrividya/test-repo-1]
432b65032b94: Mounted from library/busybox
latest: digest: sha256:74f634b1bc1bd74535d5209589734efbd44a25f4e2dc96d78784576a3eb5b335 size: 527
Signing and pushing trust metadata
Enter passphrase for user key with ID 3d339ca:
Successfully signed "docker.io/knsrividya/test-repo-1":latest

But just a few seconds later, when I tried pushing another version, it resulted in the error below.

$ docker push knsrividya/test-repo-1:v1
The push refers to a repository [docker.io/knsrividya/test-repo-1]
f999ae22f308: Mounted from knsrividya/test-repo
v1: digest: sha256:8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b size: 524
Signing and pushing trust metadata
ERRO[0007] couldn't add target to targets: could not find necessary signing keys, at least one of these keys must be available: a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096
Failed to sign "docker.io/knsrividya/test-repo-1":v1 - could not find necessary signing keys, at least one of these keys must be available: a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096
Error: could not find signing keys for remote repository docker.io/knsrividya/test-repo-1, or could not decrypt signing key: could not find necessary signing keys, at least one of these keys must be available: a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096

When I tried using notary addhash, it also resulted in the same kind of error.

$ dockernotary addhash -D -p docker.io/knsrividya/test-repo-1 v1 524 --sha256 8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b
DEBU[0000] Using the following trust directory: /home/gpguser/.docker/trust/
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] Making dir path: /home/gpguser/.docker/trust/tuf/docker.io/knsrividya/test-repo-1/changelist
DEBU[0000] Adding target "v1" with sha256 "8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b" and size 524 bytes.
Addition of target "v1" by sha256 hash to repository "docker.io/knsrividya/test-repo-1" staged for next publish.
DEBU[0000] No yubikey found, using alternative key storage: no library found
Auto-publishing changes to docker.io/knsrividya/test-repo-1
DEBU[0000] Making dir path: /home/gpguser/.docker/trust/tuf/docker.io/knsrividya/test-repo-1/changelist
DEBU[0000] entered ValidateRoot with dns: docker.io/knsrividya/test-repo-1
DEBU[0000] found the following root keys: [9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637]
DEBU[0000] found 1 valid leaf certificates for docker.io/knsrividya/test-repo-1: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for docker.io/knsrividya/test-repo-1
DEBU[0000] checking root against trust_pinning config%!(EXTRA string=docker.io/knsrividya/test-repo-1)
DEBU[0000] checking trust-pinning for cert: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] role has key IDs: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] verifying signature for key ID: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] root validation succeeded for docker.io/knsrividya/test-repo-1
DEBU[0000] entered ValidateRoot with dns: docker.io/knsrividya/test-repo-1
DEBU[0000] found the following root keys: [9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637]
DEBU[0000] found 1 valid leaf certificates for docker.io/knsrividya/test-repo-1: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for docker.io/knsrividya/test-repo-1
DEBU[0000] checking root against trust_pinning config%!(EXTRA string=docker.io/knsrividya/test-repo-1)
DEBU[0000] checking trust-pinning for cert: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] role has key IDs: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] verifying signature for key ID: 9ea5e7e303ed363e6514893c6bae70e870e024b3b21a57327363077be1229637
DEBU[0000] root validation succeeded for docker.io/knsrividya/test-repo-1
Enter username: collaborators username
Enter password: collaborators password
DEBU[0031] 200 when retrieving metadata for root
DEBU[0031] updating TUF client
DEBU[0031] Loading timestamp...
DEBU[0032] 200 when retrieving metadata for timestamp
DEBU[0032] timestamp role has key IDs: 68d8618f15a747063f7d2688b6f31070978ef98de4fc1f349d6f53c8e61a250a
DEBU[0032] verifying signature for key ID: 68d8618f15a747063f7d2688b6f31070978ef98de4fc1f349d6f53c8e61a250a
DEBU[0032] timestamp role has key IDs: 68d8618f15a747063f7d2688b6f31070978ef98de4fc1f349d6f53c8e61a250a
DEBU[0032] verifying signature for key ID: 68d8618f15a747063f7d2688b6f31070978ef98de4fc1f349d6f53c8e61a250a
DEBU[0032] successfully verified downloaded timestamp
DEBU[0032] Loading snapshot...
DEBU[0032] snapshot role has key IDs: 8e1f296112ed43551b49f9183b27847024255034f488a1474d422b3f65293986
DEBU[0032] verifying signature for key ID: 8e1f296112ed43551b49f9183b27847024255034f488a1474d422b3f65293986
DEBU[0032] successfully verified cached snapshot
DEBU[0032] Loading targets...
DEBU[0032] targets role has key IDs: a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096
DEBU[0032] verifying signature for key ID: a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096
DEBU[0032] successfully verified cached targets
DEBU[0032] Loading targets/releases...
DEBU[0032] targets/releases role has key IDs: b21e5a3de8a8f34475197507d76b9d747ecfb712990ab2483c18b26c48cf5b84
DEBU[0032] verifying signature for key ID: b21e5a3de8a8f34475197507d76b9d747ecfb712990ab2483c18b26c48cf5b84
DEBU[0032] successfully verified cached targets/releases
DEBU[0032] changelist add: v1
DEBU[0032] No yubikey found, using alternative key storage: no library found
DEBU[0032] No yubikey found, using alternative key storage: no library found
ERRO[0032] couldn't add target to targets: could not find necessary signing keys, at least one of these keys must be available: a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096
DEBU[0032] error attempting to apply change #0: create, on scope: targets path: v1 type: target
DEBU[0032] Error applying changelist

I also see the error below:

ERRO[0042] couldn't add target to targets: could not find necessary signing keys, at least one of these keys must be available: a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096

Here is the docker trust directory on the collaborator's machine:

$ tree .docker/
[image: output of tree .docker/]

Can someone please help me resolve this issue?
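The error names the key ID Notary needs to sign the top-level targets role (a2b9736..., the same ID the debug log shows under "targets role has key IDs"), so the first thing to check is whether that key exists in the trust directory of the machine doing the push. The script below is an added diagnostic, not code from this issue or from the Notary project. It assumes Notary's on-disk layout, where each private key is stored under <trust_dir>/private/ (directly or in a subdirectory) as <key_id>.key, a PEM block whose headers carry role: and, for non-root keys, gun:. The error string is the one quoted in this issue; the sample key file, its key ID assignment and its base64 body are constructed for the example.

```python
"""Compare the key ID that Notary's "could not find necessary signing keys"
error asks for against the private keys present in a trust directory.

Added diagnostic (not from the issue or the Notary project). Assumes Notary's
layout: <trust_dir>/private/**/<key_id>.key, a PEM block with "role:" and
(for non-root keys) "gun:" headers before the base64 body.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_ID_RE = re.compile(r"[0-9a-f]{64}")  # Notary key IDs are SHA-256 hex digests
NEEDED_RE = re.compile(r"at least one of these keys must be available: ([0-9a-f, ]+)")

# Error text quoted from the issue above (the second `docker push`).
ERROR_TEXT = (
    "ERRO[0007] couldn't add target to targets: could not find necessary "
    "signing keys, at least one of these keys must be available: "
    "a2b973627595c85298d3af92928a2f38d6eb5df852dd5d0c9f17fd8073640096"
)

# Constructed stand-in for a delegation key file on the collaborator's machine.
# The base64 body is not a real key; only the PEM headers matter here.
SAMPLE_KEY_ID = "b21e5a3de8a8f34475197507d76b9d747ecfb712990ab2483c18b26c48cf5b84"
SAMPLE_KEY_FILE = """-----BEGIN ENCRYPTED PRIVATE KEY-----
role: targets/releases
gun: docker.io/knsrividya/test-repo-1

Tm90IGEgcmVhbCBrZXk6IGNvbnN0cnVjdGVkIGZvciB0aGlzIGV4YW1wbGUu
-----END ENCRYPTED PRIVATE KEY-----
"""


@dataclass
class KeyInfo:
    key_id: str
    role: str
    gun: Optional[str]


def parse_key_file(text: str, key_id: str) -> KeyInfo:
    """Read the role/gun headers Notary writes at the top of a PEM key block."""
    headers: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            in_block = True
            continue
        if not in_block or not line:
            continue
        if ":" not in line:
            break  # first base64 line (or the END marker) ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return KeyInfo(key_id, headers.get("role", "unknown"), headers.get("gun"))


def index_trust_dir(trust_dir: str) -> Dict[str, KeyInfo]:
    """Map key ID -> KeyInfo for every *.key found under <trust_dir>/private."""
    index: Dict[str, KeyInfo] = {}
    for root, _dirs, files in os.walk(os.path.join(trust_dir, "private")):
        for name in files:
            if name.endswith(".key"):
                key_id = name[: -len(".key")]
                with open(os.path.join(root, name), encoding="utf-8") as fh:
                    index[key_id] = parse_key_file(fh.read(), key_id)
    return index


def required_key_ids(error_text: str) -> List[str]:
    """Pull the acceptable signing key IDs out of the Notary error message."""
    match = NEEDED_RE.search(error_text)
    return KEY_ID_RE.findall(match.group(1)) if match else []


def diagnose(error_text: str, index: Dict[str, KeyInfo]) -> Tuple[bool, List[str]]:
    """Return (can_sign, report); can_sign is True if any required key is local."""
    report: List[str] = []
    found = False
    for key_id in required_key_ids(error_text):
        info = index.get(key_id)
        if info is None:
            report.append(f"missing {key_id[:7]}: no private/{key_id}.key in trust dir")
        else:
            found = True
            report.append(f"have    {key_id[:7]}: role={info.role} gun={info.gun}")
    if not found:
        held = sorted(f"{i.role}:{k[:7]}" for k, i in index.items())
        report.append(f"no usable key locally; keys held: {held}")
    return found, report


def demo() -> Tuple[bool, List[str]]:
    """Diagnose against a constructed trust dir holding only the delegation key."""
    with tempfile.TemporaryDirectory() as trust_dir:
        os.makedirs(os.path.join(trust_dir, "private"))
        path = os.path.join(trust_dir, "private", SAMPLE_KEY_ID + ".key")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_KEY_FILE)
        return diagnose(ERROR_TEXT, index_trust_dir(trust_dir))


if __name__ == "__main__":
    import sys
    # Usage: python notary_keycheck.py <trust_dir> "<error text>"; no args runs demo().
    ok, lines = (diagnose(sys.argv[2], index_trust_dir(sys.argv[1]))
                 if len(sys.argv) >= 3 else demo())
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

With no arguments the constructed case runs: the trust directory holds only the targets/releases delegation key (b21e5a3...), so the targets key a2b9736... that the error demands is reported missing and the script exits non-zero. Pointed at a real ~/.docker/trust directory and the error text from a failed push, it tells you whether the push is being applied to a role whose key you actually hold; in the log above the change is applied to the top-level targets role, not to the targets/releases delegation.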

leeadh commented 6 years ago

Hi, did you manage to resolve this? I encountered this as well!

Amojow commented 4 years ago

Hi, I have the same problem. When I push the image the first time, it works, but if I push the same image another time with a different tag, it fails with the same error as yours.

ThetaSinner commented 4 years ago

Same issue here, @ase-101 any chance of an update? :)

shrutianekar commented 4 years ago

Any workarounds for this? Facing the same issue

ase-101 commented 3 years ago

I followed the steps below and I don't see the above issue now.

notary -s https://notary.docker.io -d ~/.docker/trust init -p docker.io//

notary -s https://notary.docker.io -d ~/.docker/trust key rotate docker.io// snapshot --server-managed

notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io// targets/<_role> --all-paths <signer's public key file>

In Signer machine

notary -s https://notary.docker.io -d ~/.docker_signer/trust key import <signer's private key file> --role <_role>

notary -s https://notary.docker.io -d ~/.docker_signer/trust -D addhash -p docker.io// --sha256 -r targets/<_role>

Note:

Initialized keys and the changes must be published to the notary server (-p flag).

williamdes commented 3 years ago

Looks like: https://github.com/docker/cli/issues/1095#issuecomment-423707423

If it is, use notary key export -d ~/.docker_signer/trust --key <signer's key id>

williamdes commented 3 years ago

Users: arguments need to be in the right place. See: https://github.com/sudo-bot/action-docker-sign/commit/b5e19b5d67e736d531534fcd40cb37502be0dcc4#diff-1243c5424efaaa19bd8e813c5e6f6da46316e63761421b3e5f5c8ced9a36e6b6R70

williamdes commented 8 months ago

notary -s https://notary.docker.io/ -d ~/.docker_signer/trust -D addhash -p docker.io// --sha256 -r targets/<_role>

I could not execute this successfully until I started to use targets/release. It looks like using this target does not require using the repository key. Any other delegation would ask me for the repository key, and to have it locally.