I'm new to the Docker Content Trust (DCT) mechanism and a bit confused about the root key. When I first add a signer to a new repository, I am asked to enter passphrases for the root and repository keys. Afterwards, a key file with the root key ID is generated in the directory ~/.docker/trust/private. So far so good, but when I run docker trust inspect <repo name>, I get a different root key ID under the administrative keys section.
Can you explain this to me?
Posted on 2021-05-05 13:42:45
There are several keys:
You can open the files in ~/.docker/trust/private to see the role of each key. You can also run notary -d ~/.docker/trust key list
The --pretty option is also nice for this: docker trust inspect --pretty <repo_name> gives the following result
Signatures for repo_name
SIGNED TAG DIGEST SIGNERS
latest def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748 test
List of signers and their keys for repo_name
SIGNER KEYS
test c990796d79a9
Administrative keys for repo_name
Repository Key: 06362021113fed73dc5e08e6b5edbe04cf4316193b362b0d8335fab3285fc98b
Root Key: 317f83b55c99e2b8f9d341a3c9a3fc4b1d65d97f52a553020a65cdee85940cf3
Posted on 2021-10-31 16:03:36
TL;DR: one root key is for the signer, the other is for the repository.
When I try to load a key in order to add a signer, it asks me for a passphrase to encrypt the private (root) key.
$ docker trust key load --name arif key.pem
Loading key from "key.pem"...
Enter passphrase for new arif key with ID 2817c38:
Repeat passphrase for new arif key with ID 2817c38:
Successfully imported key from key.pem
You can find the encrypted key in root's .docker/trust/private directory, as shown below
$ cat ../.docker/trust/private/2817c387b869ede57bd209e40a3dfce967b70eca1eb3739bc58afba44665aaef.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
role: arif
MIHuMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAh/6HbWl/T/SAICCAAw
HQYJYIZIAWUDBAEqBBAZpJBc+C9ABYY6UbMT3YSRBIGgiNT5fX9QqCOrGJ3lb3qw
7JkC/4D0dtp75MYWaMbfYXvNm+muJXmVUpp5vh91onUW8Y8q+ymQTgDq3mN8+HLu
4iRp46wXxilEKUxmXsYln/mxQI+jU7UwTTiLiy6LpR1vpBKdO8hhd/WObW25P+ah
YjslB1P8fe9VeSsorAKM5zDnuaiVhHh7BjgVAiepDvmy/7zO3W7Rso4Kgg0UZkJn
SA==
-----END ENCRYPTED PRIVATE KEY-----
Then I try to add the signer to the repository, and it asks for two things:
$ docker trust signer add --key cert.pem arif ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy
Adding signer "arif" to ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy...
Initializing signed repository for ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy...
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 06665b8:
Repeat passphrase for new root key with ID 06665b8:
Enter passphrase for new repository key with ID b040c66:
Repeat passphrase for new repository key with ID b040c66:
Successfully initialized "ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy"
Successfully added signer: arif to ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy
In the output above, we can see the IDs of the two keys: 06665b8 and b040c66.
If I look in my trust directory, I see two keys whose names begin with these two IDs: one is the repository's root key, the other is the targets key.
$ grep role .docker/trust/private/06665b8*.key
role: root
$ grep role .docker/trust/private/b040c66*.key
role: targets
Now, if I inspect the repository, I see the following:
$ docker trust inspect ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy
[
{
"Name": "ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy",
"SignedTags": [],
"Signers": [
{
"Name": "arif",
"Keys": [
{
"ID": "2817c387b869ede57bd209e40a3dfce967b70eca1eb3739bc58afba44665aaef"
}
]
}
],
"AdministrativeKeys": [
{
"Name": "Root",
"Keys": [
{
"ID": "5ed03b461b330c6d722c319bdfaa87e3d8b289a1213569248bdaa616a1a399c6"
}
]
},
{
"Name": "Repository",
"Keys": [
{
"ID": "b040c663463612c99130eca98ec827ef32a3bab73d2976403888443ce87899c6"
}
]
}
]
}
]
Now we have 3 keys: one is the signer's root key, another is the repository's root key, and the last one is the targets key.
$ ls .docker/trust/private/ -1 | wc -l
3
You can find all the metadata about these keys in the tuf directory:
$ cd .docker/trust/tuf/ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy/metadata/
$ ls
root.json snapshot.json targets.json timestamp.json
I hope it makes sense now.
Posted on 2022-06-19 08:58:33
User-signed images
There are two options for trust pinning user-signed images:
# Retrieving Root ID
$ grep -r "root" ~/.docker/trust/private
/home/ubuntu/.docker/trust/private/0b6101527b2ac766702e4b40aa2391805b70e5031c04714c748f914e89014403.key:role: root
# Using a Canonical ID that has signed 2 repos (mydtr/user1/repo1 and mydtr/user1/repo2). Note you can use a Wildcard.
{
"content-trust": {
"trust-pinning": {
"root-keys": {
"mydtr/user1/*": [
"0b6101527b2ac766702e4b40aa2391805b70e5031c04714c748f914e89014403"
]
}
},
"mode": "enforced"
}
}
on top of which, it takes precedence.
# Retrieving Cert ID
$ docker trust inspect mydtr/user1/repo1 | jq -r '.[].AdministrativeKeys[] | select(.Name=="Root") | .Keys[].ID'
9430d6e31e3b3e240957a1b62bbc2d436aafa33726d0fcb50addbf7e2dfa2168
# Using Cert Ids, by specifying 2 repositories by their DCT root ID. Example for using this may be different DTRs or maybe because the repository was initiated on different hosts, therefore having different canonical IDs.
{
"content-trust": {
"trust-pinning": {
"cert-ids": {
"mydtr/user1/repo1": [
"9430d6e31e3b3e240957a1b62bbc2d436aafa33726d0fcb50addbf7e2dfa2168"
],
"mydtr/user2/repo1": [
"544cf09f294860f9d5bc953ad80b386063357fd206b37b541bb2c54166f38d08"
]
}
},
"mode": "enforced"
}
}
http://www.myclass5.cn/engine/security/trust/content_trust/
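A small check built on the on-disk layout these answers show, added here and not part of any answer: it reads the role header from every file in the private key directory (what the grep above does) and then verifies that each id listed under trust-pinning root-keys is a local key whose role is root, flagging an id copied from docker trust inspect, which belongs under cert-ids instead. The key ids, file contents and daemon.json below are constructed sample data, and the check assumes it runs on the host that holds the repository root key.

```python
import re
import tempfile
from pathlib import Path

# Constructed 64-hex key ids; the 7-char prefixes follow the ids shown in the answer.
ROOT_ID = "06665b8".ljust(64, "0")     # repository root key (canonical id = file name)
TARGETS_ID = "b040c66".ljust(64, "0")  # repository targets key
SIGNER_ID = "2817c38".ljust(64, "0")   # the signer "arif"'s own key
CERT_ID = "5ed03b46".ljust(64, "0")    # the Root id that `docker trust inspect` prints
SAMPLE_KEYS = {ROOT_ID: "root", TARGETS_ID: "targets", SIGNER_ID: "arif"}

# Constructed daemon.json: one correct canonical id, one inspect (cert) id in the wrong slot.
SAMPLE_DAEMON_JSON = {"content-trust": {"mode": "enforced", "trust-pinning": {
    "root-keys": {"mydtr/user1/*": [ROOT_ID], "mydtr/user2/*": [CERT_ID]}}}}

ROLE_RE = re.compile(r"^role:\s*(\S.*)$", re.M)  # the PEM header that `grep role` finds

def write_sample_trust_dir(private_dir):
    """Write constructed .key files in the shape the answers cat and grep."""
    for key_id, role in SAMPLE_KEYS.items():
        Path(private_dir, key_id + ".key").write_text(
            f"-----BEGIN ENCRYPTED PRIVATE KEY-----\nrole: {role}\n\n"
            "MIHuMEkGCSqGSIb3DQEFDTA8constructed==\n-----END ENCRYPTED PRIVATE KEY-----\n")

def key_roles(private_dir):
    """Map canonical key id (the file name) -> role read from the PEM 'role:' header."""
    roles = {}
    for path in sorted(Path(private_dir).glob("*.key")):
        m = ROLE_RE.search(path.read_text())
        if m:
            roles[path.stem] = m.group(1)
    return roles

def check_root_key_pinning(daemon_config, roles):
    """Report pinned root-keys ids that are not a local key file with role root (signing host)."""
    problems = []
    pinning = daemon_config.get("content-trust", {}).get("trust-pinning", {})
    for repo_glob, ids in pinning.get("root-keys", {}).items():
        for key_id in ids:
            if key_id not in roles:  # typically an inspect/cert id, which belongs under cert-ids
                problems.append(f"{repo_glob}: {key_id[:7]} is not a local key id (use cert-ids?)")
            elif roles[key_id] != "root":
                problems.append(f"{repo_glob}: {key_id[:7]} has role {roles[key_id]}, not root")
    return problems

def run_demo():
    """Build the constructed trust dir, classify its keys and audit the pinning config."""
    with tempfile.TemporaryDirectory() as private_dir:
        write_sample_trust_dir(private_dir)
        roles = key_roles(private_dir)
        return roles, check_root_key_pinning(SAMPLE_DAEMON_JSON, roles)
```

Pointing key_roles at your real ~/.docker/trust/private reproduces the three-key picture from the second answer, with the signer key showing the signer's name as its role.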
https://stackoverflow.com/questions/58876566