Docker content trust push failing

bhperry · December 11, 2017, 11:18pm

I am unable to get content trust signing to work from my laptop with private notary and registry services. It works just fine for my coworker, so it’s not an issue with how the notary/registry is set up, but I keep getting the same error when I try to push an image. I have tried clearing my .docker/trust data, but that didn’t change anything. Also went back to a stable version of Docker for Mac, as I had been on edge, but still get the same error.

Client:
Version: 17.09.1-ce
API version: 1.32
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:22:25 2017
OS/Arch: darwin/amd64

Server:
Version: 17.09.1-ce
API version: 1.32 (minimum version 1.12)
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:28:28 2017
OS/Arch: linux/amd64
Experimental: true

Running the following command:

DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVICE=https://my.notary.com docker push my.registry.com/sbox0548769/healthcheck-app:test

Gives this output (with debug mode enabled):
The push refers to a repository [my.registry.com/sbox0548769/healthcheck-app] d0b1a14a0b70: Layer already exists a09947e71dc0: Layer already exists 9c42c2077cde: Layer already exists 625c7a2a783b: Layer already exists 25e0901a71b8: Layer already exists 8aa4fcad5eeb: Layer already exists test: digest: sha256:b3ae52452677295e94c557ea77680f71e985772f9441a3a46c2efe43af7e4561 size: 1568 Signing and pushing trust metadata DEBU[0002] reading certificate directory: /Users/benperry/.docker/tls/my.registry.com DEBU[0002] No yubikey found, using alternative key storage: no library found DEBU[0002] received HTTP status 404 when requesting root. DEBU[0002] No yubikey found, using alternative key storage: no library found DEBU[0002] No yubikey found, using alternative key storage: no library found Enter passphrase for root key with ID 244c031: DEBU[0007] generated ECDSA key with keyID: 7a241e90f7eaf5a1e2cdb11f39dc66cc025ddb471ea2a8dbe5b9949f4715a9aa DEBU[0007] generated new ecdsa key for role: targets and keyID: 7a241e90f7eaf5a1e2cdb11f39dc66cc025ddb471ea2a8dbe5b9949f4715a9aa Enter passphrase for new repository key with ID 7a241e9 (my.registry.com/sbox0548769/healthcheck-app): Repeat passphrase for new repository key with ID 7a241e9 (my.registry.com/sbox0548769/healthcheck-app): Error: trust data missing for remote reository my.registry.com/sbox0548769/healthcheck-app or remote repository not found: timestamp key trust data unavailable. Has a notary repository been initialized?

Everything I’ve found online about this error seemed to be related to being unable to contact the notary-server, not having it running, etc. The server is definitely running and the DNS entry is pointing at the right place (I can curl the server), but my docker push request never even gets to notary (debug level logging shows nothing on the server’s end).

I’m rather stumped at this point, so any insight you might have would be greatly appreciated.