diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index c33870d652..fd82810f1f 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -121,7 +121,7 @@ First we will add the delegation private key to the local Docker trust repository. (By default this is stored in `~/.docker/trust/`). If you are generating delegation keys with `$ docker trust key generate`, the private key is automatically added to the local trust store. If you are importing a separate -key, such as one from the UCP you will need to use the +key, such as one from a UCP Client Bundle you will need to use the `$ docker trust key load` command. ``` @@ -156,7 +156,6 @@ Adding signer "jeff" to dtr.example.com/admin/demo... Enter passphrase for new repository key with ID 10b5e94: ``` - Finally, we will use the delegation private key to sign a particular tag and push it up to the registry. @@ -216,7 +215,6 @@ Enter passphrase for signer key with ID 8ae710e: Successfully deleted signature for dtr.example.com/admin/demo:1 ``` - ## Runtime Enforcement with Docker Content Trust > Note this only applies to Docker Enterprise Engine 18.09 or newer. This diff --git a/engine/security/trust/deploying_notary.md b/engine/security/trust/deploying_notary.md index df3aad7157..8303a8653a 100644 --- a/engine/security/trust/deploying_notary.md +++ b/engine/security/trust/deploying_notary.md 
@@ -8,14 +8,14 @@ The easiest way to deploy Notary Server is by using Docker Compose. To follow th 1. Clone the Notary repository. - git clone git@github.com:docker/notary.git + git clone https://github.com/theupdateframework/notary.git 2. Build and start Notary Server with the sample certificates. docker-compose up -d - For more detailed documentation about how to deploy Notary Server, see the [instructions to run a Notary service](/notary/running_a_service.md) as well as [the Notary repository](https://github.com/docker/notary) for more information. + For more detailed documentation about how to deploy Notary Server, see the [instructions to run a Notary service](/notary/running_a_service.md) as well as [the Notary repository](https://github.com/theupdateframework/notary) for more information. 3. Make sure that your Docker or Notary client trusts Notary Server's certificate before you try to interact with the Notary server. See the instructions for [Docker](../../reference/commandline/cli.md#notary) or @@ -25,4 +25,4 @@ for [Notary](https://github.com/docker/notary#using-notary) depending on which o Check back here for instructions after Notary Server has an official stable release. To get a head start on deploying Notary in production, see -[the Notary repository](https://github.com/docker/notary). +[the Notary repository](https://github.com/theupdateframework/notary). diff --git a/engine/security/trust/trust_delegation.md b/engine/security/trust/trust_delegation.md index 46a48639a4..597df51387 100644 --- a/engine/security/trust/trust_delegation.md +++ b/engine/security/trust/trust_delegation.md 
@@ -18,10 +18,37 @@ initialise a repository, manage the repository keys, and when a collaborator gets added with `docker trust signer add` we will add their key to the `targets/releases` delegation automatically. -## Configuring the Notary CLI +## Configuring the Docker Client -Some of the more advanced features of DCT require the Notary -CLI. To install and configure the Notary CLI: +By default the `$ docker trust` commands are expecting the Notary server URL +to be the same as the Docker Registry URL specified in the image tag. When +using the Docker Hub or Docker Trusted Registry this is the case as a internal +proxy redirects the request, however for self hosted environments or 3rd party +registries you will need to specify an alternative URL for the notary server. +This is done with: + +``` +export DOCKER_CONTENT_TRUST_SERVER=https://: +``` + +If you do not export this variable in self hosted environments you may see +errors such as: + +``` +$ docker trust signer add --key cert.pem jeff dtr.example.com/admin/demo +Adding signer "jeff" to dtr.example.com/admin/demo... +[...] +Error: trust data missing for remote repository dtr.example.com/admin/demo or remote repository not found: timestamp key trust data unavailable. Has a notary repository been initialized? + +$ docker trust inspect dtr.example.com/admin/demo --pretty +WARN[0000] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely +[...] +``` + +## Configuring the Notary Client + +Some of the more advanced features of DCT require the Notary CLI. To install and +configure the Notary CLI: 1) Download the [client](https://github.com/theupdateframework/notary/releases) and ensure that it is available on your path 
@@ -154,16 +181,17 @@ jeff 9deed251daa1aa6f9d5f9b752847647cf8d705da ## Managing Delegations in a Notary Server -DCT handles initiating a repository with trust data for you, -including rotating low level keys like the target and the snapshot key to the -remote Notary server. This is all done the first time you add a delegation -public key to the Notary server. +When the first Delegation is added to the Notary Server using `$ docker trust`, +we automatically initiate trust data for the repository. This includes creating +the notary target and snapshots keys, and rotating the snapshot key to be +managed by the notary server. More information on these keys can be found +[here](./trust_key_mng.md) When initiating a repository, you will need the key and the passphrase of a local Notary Canonical Root Key. If you have not initiated a repository before, and therefore don't have a Notary root key, `$ docker trust` will create one for you. -> Be sure to protect your [Notary Canonical Root Key](./trust_key_mng.md) +> Be sure to protect and backup your [Notary Canonical Root Key](./trust_key_mng.md) ### Initiating the Repository
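Review bot: the rewritten sentence in the first content_trust.md hunk (@@ -121,7) still lacks the comma that closes the aside: `key, such as one from a UCP Client Bundle you will need to use the` should read `key, such as one from a UCP Client Bundle, you will need to use the`, otherwise the sentence runs the example into the main clause.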
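Review bot: the move of the links to the theupdateframework organisation is incomplete in deploying_notary.md: the second hunk's own context line (@@ -25,4) still links to `https://github.com/docker/notary#using-notary`, so one of the three repository links on that page keeps pointing at the old location. Update it to `https://github.com/theupdateframework/notary#using-notary` in the same change so the page is consistent.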
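Review bot: the example in the first trust_delegation.md hunk (@@ -18,10), `export DOCKER_CONTENT_TRUST_SERVER=https://:`, has lost its placeholders and is unusable as written; the host and port need to be visible, for example `https://<notary-server>:<port>`, with the angle brackets escaped if the renderer strips them. In the same hunk: `a internal proxy` should be `an internal proxy`, `self hosted` should be `self-hosted`, `3rd party` should be `third-party`, and `are expecting` reads better as `expect`. Since this variable points the client at a TLS endpoint it will pull trust metadata from, it would also help to cross-reference the certificate-trust step (step 3 of deploying_notary.md in this same patch) so readers on the self-hosted path see that requirement next to the URL setting.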
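Review bot: the second trust_delegation.md hunk (@@ -154,16) quietly changes substance as well as wording: the removed lines said both the target and the snapshot key are rotated to the remote Notary server, while the new lines say only the snapshot key is rotated to be server-managed. The new text matches how `$ docker trust` behaves, so it is a correction, but it deserves a mention in the PR description so the change is understood as deliberate. Wording in the same hunk: `we automatically initiate trust data` should be `initialize` (the unchanged `When initiating a repository` below has the same problem but predates this change), `snapshots keys` should be `snapshot keys`, the sentence ending `[here](./trust_key_mng.md)` is missing its full stop, and in the changed note `backup` is a noun, so the verb form is `Be sure to protect and back up your`.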