# tl;dr;

For detailed documentation on how to deploy a Notary server, see [Running a Notary service](https://docs.docker.com/notary/running_a_service/). Before trying to interact with the Notary server, make sure the Docker or Notary client trusts the Notary server's certificate.

```bash
# docker registry and notary server set up with goharbor v2.0.0
# private registry address: 192.168.2.100:8888
# notary service address:   192.168.2.100:4443
$ ls -l /etc/docker/certs.d/192.168.2.100\:8888/
-rw-r--r-- 1 root root 1306 Jun 26 15:14 ca.crt
curl -sfSLk -o /usr/local/bin/notary https://github.com/theupdateframework/notary/releases/download/v0.6.1/notary-Linux-amd64
chmod +x /usr/local/bin/notary
```

```bash
$ docker trust key generate marco --dir ~/.docker/trust
Generating key for marco...
Enter passphrase for new marco key with ID fc3cf49:
Repeat passphrase for new marco key with ID fc3cf49:
Successfully generated and loaded private key. Corresponding public key available: /home/jeff/.docker/trust/marco.pub

$ tree ~/.docker/
/home/jeff/.docker/
├── config.json
└── trust
    ├── marco.pub
    └── private
        └── fc3cf49404af4c093cd23d676286962a6d803d59c4b9a3da4631cf7bb90771d1.key

2 directories, 3 files

$ notary -d ~/.docker/trust/ key list
ROLE     GUN    KEY ID                                                              LOCATION
----     ---    ------                                                              --------
marco           fc3cf49404af4c093cd23d676286962a6d803d59c4b9a3da4631cf7bb90771d1    /home/jeff/.docker/trust/private

################################### my cmd try 1 #####################
docker trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
Error: error contacting notary server: x509: certificate signed by unknown authority
Failed to add signer to: 192.168.2.100:8888/library/alpine

################################### my cmd try 2 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:8888
DEBU[0000] Error pinging notary server "https://192.168.2.100:8888/v2/": Get https://192.168.2.100:8888/v2/: x509: certificate signed by unknown authority
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
Error: error contacting notary server: x509: certificate signed by unknown authority
Failed to add signer to: 192.168.2.100:8888/library/alpine

mkdir -p /home/jeff/.docker/tls/192.168.2.100:8888
## copy ca.crt into the /home/jeff/.docker/tls/192.168.2.100:8888 directory

################################### my cmd try 3 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:8888
DEBU[0000] crt: /home/jeff/.docker/tls/192.168.2.100:8888/ca.crt
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
DEBU[0000] received HTTP status 404 when requesting root.
Initializing signed repository for 192.168.2.100:8888/library/alpine...
DEBU[0000] generated ECDSA key with keyID: 8331cc43f1e1f9647eebb00e8d6227f8eb5f0e1d85c692fb0d994ece7c5b4bce
DEBU[0000] generated new ecdsa key for role: root and keyID: 8331cc43f1e1f9647eebb00e8d6227f8eb5f0e1d85c692fb0d994ece7c5b4bce
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 8331cc4:
Repeat passphrase for new root key with ID 8331cc4:
DEBU[0014] generated ECDSA key with keyID: 317d9f4deeaa26e877b4f570a01f969dbe733d74c7edd955f3747e21948fcd0b
DEBU[0014] generated new ecdsa key for role: targets and keyID: 317d9f4deeaa26e877b4f570a01f969dbe733d74c7edd955f3747e21948fcd0b
Enter passphrase for new repository key with ID 317d9f4:
Repeat passphrase for new repository key with ID 317d9f4:
Error: trust data missing for remote repository 192.168.2.100:8888/library/alpine or remote repository not found: timestamp key trust data unavailable. Has a notary repository been initialized?
Failed to add signer to: 192.168.2.100:8888/library/alpine

################################### my cmd try 4 #####################
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.2.100:4443
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine

################################### my cmd try 5 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:4443
DEBU[0000] crt: /home/jeff/.docker/tls/192.168.2.100:4443/ca.crt
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
DEBU[0000] received HTTP status 404 when requesting root.
Initializing signed repository for 192.168.2.100:8888/library/alpine...
Enter passphrase for root key with ID 8331cc4:
DEBU[0007] generated ECDSA key with keyID: c55b2635ebbdb0c732ebfb05cb0aa7e6fe4dcc1f3167f691b8dcd2070243ed72
DEBU[0007] generated new ecdsa key for role: targets and keyID: c55b2635ebbdb0c732ebfb05cb0aa7e6fe4dcc1f3167f691b8dcd2070243ed72
Enter passphrase for new repository key with ID c55b263:
Repeat passphrase for new repository key with ID c55b263:
unable to reach trust server at this time: 500.
Failed to add signer to: 192.168.2.100:8888/library/alpine

################################### my cmd try 6 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:4443
DEBU[0000] crt: /home/jeff/.docker/tls/192.168.2.100:4443/ca.crt
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
DEBU[0000] received HTTP status 404 when requesting root.
Initializing signed repository for 192.168.2.100:8888/library/alpine...
Enter passphrase for root key with ID 8331cc4:
DEBU[0003] generated ECDSA key with keyID: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
DEBU[0003] generated new ecdsa key for role: targets and keyID: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
Enter passphrase for new repository key with ID ac0a649:
Repeat passphrase for new repository key with ID ac0a649:
DEBU[0006] got remote timestamp ecdsa key with keyID: 222074c42c69af1d498315ab8e7d004071ed9b1f60c1ccbe41de463c4bab1713
DEBU[0007] got remote snapshot ecdsa key with keyID: 4fb033d12b4c93115595c49fe8bda3dcddccaa88e30bb8e783d76d828433fe04
DEBU[0007] generating new snapshot...
DEBU[0007] Saving changes to Trusted Collection.
DEBU[0007] signing root...
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] sign called with 0/0 required keys
DEBU[0007] sign targets called for role targets
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] sign called with 0/0 required keys
Successfully initialized "192.168.2.100:8888/library/alpine"
DEBU[0007] Adding delegation "targets/marco" with threshold 1, and 1 keys\n
DEBU[0007] Adding [] paths to delegation targets/marco\n
DEBU[0007] Adding delegation "targets/releases" with threshold 1, and 1 keys\n
DEBU[0007] Adding [] paths to delegation targets/releases\n
DEBU[0007] entered ValidateRoot with dns: 192.168.2.100:8888/library/alpine
DEBU[0007] found the following root keys: [60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0]
DEBU[0007] found 1 valid leaf certificates for 192.168.2.100:8888/library/alpine: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] found 1 leaf certs, of which 1 are valid leaf certs for 192.168.2.100:8888/library/alpine
DEBU[0007] checking root against trust_pinning config for 192.168.2.100:8888/library/alpine
DEBU[0007] checking trust-pinning for cert: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] role has key IDs: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] verifying signature for key ID: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] root validation succeeded for 192.168.2.100:8888/library/alpine
DEBU[0007] entered ValidateRoot with dns: 192.168.2.100:8888/library/alpine
DEBU[0007] found the following root keys: [60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0]
DEBU[0007] found 1 valid leaf certificates for 192.168.2.100:8888/library/alpine: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] found 1 leaf certs, of which 1 are valid leaf certs for 192.168.2.100:8888/library/alpine
DEBU[0007] checking root against trust_pinning config for 192.168.2.100:8888/library/alpine
DEBU[0007] checking trust-pinning for cert: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] role has key IDs: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] verifying signature for key ID: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] root validation succeeded for 192.168.2.100:8888/library/alpine
DEBU[0007] received HTTP status 404 when requesting root.
DEBU[0007] Loading trusted collection.
DEBU[0007] entered ValidateRoot with dns: 192.168.2.100:8888/library/alpine
DEBU[0007] found the following root keys: [60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0]
DEBU[0007] found 1 valid leaf certificates for 192.168.2.100:8888/library/alpine: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] found 1 leaf certs, of which 1 are valid leaf certs for 192.168.2.100:8888/library/alpine
DEBU[0007] checking root against trust_pinning config for 192.168.2.100:8888/library/alpine
DEBU[0007] checking trust-pinning for cert: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] role has key IDs: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] verifying signature for key ID: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] root validation succeeded for 192.168.2.100:8888/library/alpine
DEBU[0007] targets role has key IDs: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
DEBU[0007] verifying signature for key ID: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
DEBU[0007] role targets/marco with no Paths will never be able to publish content until one or more are added
DEBU[0007] role targets/releases with no Paths will never be able to publish content until one or more are added
DEBU[0007] applied 4 change(s)
DEBU[0007] sign targets called for role targets
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] sign called with 0/0 required keys
DEBU[0007] generating new snapshot...
DEBU[0007] signing snapshot...
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] Client does not have the key to sign snapshot. Assuming that server should sign the snapshot.
Successfully added signer: marco to 192.168.2.100:8888/library/alpine

################################### my cmd try 7 #####################
export DOCKER_CONTENT_TRUST=0
docker pull docker.io/library/alpine:3.12
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.2.100:4443
docker tag alpine:3.12 192.168.2.100:8888/library/alpine:3.12-signed
docker push 192.168.2.100:8888/library/alpine:3.12-signed

################################### my cmd try 8 #####################
notary -s https://192.168.2.100:4443 -d ~/.docker/trust --tlscacert ~/.docker/tls/192.168.2.100:4443/ca.crt list 192.168.2.100:8888/library/alpine
NAME           DIGEST                                                              SIZE (BYTES)    ROLE
----           ------                                                              ------------    ----
3.12-signed    a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65    528             targets/marco

######################################################################
alias dockernotary="notary -c ~/.docker/trust/config.json -d ~/.docker/trust/ -s https://notary-server:4443"

# https://docs.docker.com/notary/reference/client-config/
cat ~/.docker/trust/config.json
{
  "trust_dir" : "~/.docker/trust",
  "remote_server": {
    "url": "https://my-notary-server.my-private-registry.com",
    "root_ca": "./fixtures/root-ca.crt",
    "tls_client_cert": "./fixtures/secure.example.com.crt",
    "tls_client_key": "./fixtures/secure.example.com.key"
  },
  "trust_pinning": {
    "certs": {
      "docker.com/notary": ["49cf5c6404a35fa41d5a5aa2ce539dfee0d7a2176d0da488914a38603b1f4292"]
    }
  }
}
```

# ref

* [Delegations for content trust | Docker Documentation](https://docs.docker.com/engine/security/trust/trust_delegation/)
* [Content trust in Docker | Docker Documentation](https://docs.docker.com/engine/security/trust/content_trust/)
* [docker - Can't Signing and pushing trust metadata in Notary - Stack Overflow](https://stackoverflow.com/questions/47887874/cant-signing-and-pushing-trust-metadata-in-notary)
* [CNCF's last mile: Notary (in Chinese) - Medium](https://medium.com/%E8%BC%95%E9%AC%86%E5%B0%8F%E5%93%81-pks%E8%88%87k8s%E7%9A%84%E9%BB%9E%E6%BB%B4/cncf%E7%9A%84%E6%9C%80%E5%BE%8C%E4%B8%80%E5%93%A9%E8%B7%AF-notary-71bdd005273)
* [Notary client configuration file | Docker Documentation](https://docs.docker.com/notary/reference/client-config/)
* [Signing Docker images using Docker Content Trust](https://marcofranssen.nl/signing-docker-images-using-docker-content-trust/)
* [Docker Content Trust Implementation Process](https://i.loli.net/2020/06/29/4vjTKZMC75HSay3.jpg)
* [Why not use GPG for image signing?](https://i.loli.net/2020/06/29/q6siuDClLedgBMU.jpg)
* [Docker Harbor](https://www.dazhuanlan.com/2019/12/05/5de88bab8dfe4/)
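The tl;dr and tries 1 to 5 above come down to two client-side prerequisites: a CA file where the Docker client actually looks for it (`~/.docker/tls/<host:port>/ca.crt`, as the `-D` output shows), and `DOCKER_CONTENT_TRUST_SERVER` pointing at the Notary server rather than at the registry (try 3 silently asked the registry on port 8888 for trust data). The script below is an added example for these notes, not code from the original session or from Docker or Notary; it checks both prerequisites before any signing command is run. The names `trust_cert_dir_name`, `dct_preflight` and `probe_notary` are chosen here, and `~/.docker` as the default config directory is an assumption.

```shell
#!/bin/sh
# Pre-flight check for Docker Content Trust against a private Notary server.
# Added example, not part of the original notes. Assumes the Docker CLI's
# default config directory (~/.docker) and the layout seen in the debug
# output above: CA certificates under <config dir>/tls/<host:port>/ca.crt.

# Derive the <host:port> directory name the client reads CA certs from,
# given a server URL such as https://192.168.2.100:4443 (scheme and path dropped).
trust_cert_dir_name() {
    url="$1"
    url="${url#https://}"
    url="${url#http://}"
    printf '%s\n' "${url%%/*}"
}

# Offline check of the prerequisites that failed in tries 1 to 5.
#   $1 = registry host:port                    (e.g. 192.168.2.100:8888)
#   $2 = DOCKER_CONTENT_TRUST_SERVER value     (e.g. https://192.168.2.100:4443), may be empty
#   $3 = Docker config dir                     (defaults to ~/.docker)
# Prints each problem found; returns 1 if any was found, 0 otherwise.
dct_preflight() {
    registry="$1"; server="$2"; cfg="${3:-$HOME/.docker}"; rc=0

    # Try 3: with no trust server set, the client asks the registry host itself
    # for trust data and fails with "timestamp key trust data unavailable".
    if [ -z "$server" ]; then
        echo "DOCKER_CONTENT_TRUST_SERVER is unset; the client would look for trust data at https://$registry/"
        return 1
    fi
    case "$server" in
        https://*) ;;
        *) echo "DOCKER_CONTENT_TRUST_SERVER must be an https:// URL, got: $server"; rc=1 ;;
    esac

    # Tries 1 and 2: "x509: certificate signed by unknown authority" means the
    # CA for the trust server is missing from the client's tls directory.
    dir="$(trust_cert_dir_name "$server")"
    ca="$cfg/tls/$dir/ca.crt"
    if [ ! -s "$ca" ]; then
        echo "missing CA certificate: $ca (expect 'x509: certificate signed by unknown authority')"
        rc=1
    fi
    return "$rc"
}

# Live check (needs the network): the same GET the client makes when it
# "pings" the notary server, verified against the CA the client would use.
probe_notary() {
    server="$1"; cfg="${2:-$HOME/.docker}"
    dir="$(trust_cert_dir_name "$server")"
    curl -sSf --cacert "$cfg/tls/$dir/ca.crt" "$server/v2/" >/dev/null
}

# Usage: sh dct_preflight.sh <registry host:port> <notary url> [config dir]
#   e.g. sh dct_preflight.sh 192.168.2.100:8888 https://192.168.2.100:4443
if [ "$#" -ge 2 ]; then
    dct_preflight "$1" "$2" "${3:-}" && probe_notary "$2" "${3:-}" \
        && echo "ok: trust server reachable with the pinned CA"
fi
```

Run it once per workstation before `docker trust signer add`; a clean run means the remaining failure modes are server-side (the HTTP 500 in try 5 came from the Notary server itself, not from the client's configuration).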