By default, Docker / Notary generates new self-signed certificates whenever it pushes to a repo / GUN for the first time. Is there any way to change this behavior, in particular to make the certificates be issued by a user-specified CA?
Just looping back so forum-viewers are up to date: we're working on importing certificates and private keys to be used on initializing a repo (tracking issue here: https://github.com/docker/notary/issues/731).
Would this new feature also enable the TA to be installed on docker clients looking to pull signed metadata from Notary? I have never been a fan of the TOFU concept as it injects a significant weak link in an otherwise very robust security solution. I want to be able to sign with a CA-issued certificate, but be able to configure my docker clients pulling images to only use a pre-configured TA.
Hi @lewiada, I just wanted to confirm what you meant by “TA” - are you referring to a “trusted application?” It seems like what you’re interested in is trust-pinning, which we currently have in notary for pinning to certain certificates and CAs. I encourage you to check out https://docs.docker.com/notary/reference/client-config/#/trust-pinning-section-optional for more information.
As mentioned in this thread, we're working on importing custom certs when initializing a repository (custom root keys have already been merged). Trust-pinning is still notary-only and has not made it into the docker client itself yet.
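For readers who want to see what the trust-pinning section referenced above looks like in practice, here is an added example of a Notary client configuration (not taken from the thread or from the Notary project's own files). It contrasts the default TOFU behaviour with a pinned configuration. The GUN prefix, the CA file path and the root certificate ID are assumed placeholders; the `ca` map pins every GUN under the given prefix to roots issued by that CA, while the `certs` map pins one specific GUN to an explicit root certificate ID, and `disable_tofu` turns off trust-on-first-use for any GUN that matches neither.

```json
{
  "trust_pinning": {
    "disable_tofu": true,
    "certs": {
      "example.com/library/app": ["<root-cert-id-placeholder>"]
    },
    "ca": {
      "example.com/": "/etc/notary/pinned-ca.crt"
    }
  }
}
```

With `disable_tofu` left at its default of `false` and no `certs` or `ca` entries, the client accepts whatever root is presented on the first pull for a GUN, which is exactly the weak link raised in the question. With the configuration shown, a GUN that is not covered by a `certs` or `ca` entry is rejected rather than trusted on first use, so the pin set must be kept complete for every repository the client is expected to pull.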