How can clients control the certificates that are used to sign each repo / GUN?

By default, Docker / Notary generates new self-signed certificates whenever it pushes to a repo / GUN for the first time. Is there any way to change this behavior, in particular to make the certificates be issued by a user-specified CA?

Trust-pinning allows pulling clients to validate any certificates used to sign digests read from Notary against a specified CA. This would be incredibly useful in ensuring the integrity of pulls from Notary, but only if there is some way for the pushing clients to sign the certificates in the first place :slight_smile:

Thanks for any insight.

Just looping back so forum-viewers are up to date: we are working on importing certificates and private keys to be used on initializing a repo (tracking issue here https://github.com/docker/notary/issues/731).

Would this new feature also enable the TA to be installed on docker clients looking to pull signed metadata from Notary? I have never been a fan of the TOFU concept as it injects a significant weak link in an otherwise very robust security solution. I want to be able to sign with a CA-issued certificate, but be able to configure my docker clients pulling images to only use a pre-configured TA.

tx :slight_smile:

Hi @lewiada, I just wanted to confirm what you meant by “TA” - are you referring to a “trusted application?” It seems like what you’re interested in is trust-pinning, which we currently have in notary for pinning to certain certificates and CAs. I encourage you to check out https://docs.docker.com/notary/reference/client-config/#/trust-pinning-section-optional for more information.

As mentioned in this thread, we’re working on importing custom certs when initializing a repository (custom root keys have already been merged). Trust-pinning is still notary-only and has not made it into the docker client itself yet.
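For readers landing on this thread, here is an illustrative Notary client config showing the trust-pinning section the reply above links to, with the default TOFU behaviour beside a CA-pinned, TOFU-disabled setup. This is an added example, not taken from the thread or the Notary docs; the GUN, file paths and certificate ID are placeholders you would replace with your own.

```json
{
  "_comment": "Added illustrative example, not from the thread. Two variants shown for comparison.",
  "weak_default_tofu": {
    "trust_pinning": {
      "disable_tofu": false
    }
  },
  "pinned_to_ca": {
    "trust_pinning": {
      "ca": {
        "example.com/": "/etc/notary/ca/example-root-ca.pem"
      },
      "certs": {
        "example.com/critical-image": ["<placeholder-hex-certificate-id>"]
      },
      "disable_tofu": true
    }
  }
}
```

In the pinned variant, pulls for any GUN under the `example.com/` prefix must present a root certificate chaining to the listed CA file, one specific repository is additionally pinned to an explicit certificate ID, and `disable_tofu` rejects any first pull that is not covered by a pin instead of silently trusting it.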