Docker Community Forums


How to recover target keys in docker trust for private registry

Hi All,

Unknowingly, while cleaning up my Linux machine, I ran rm -rf * inside the "~/.docker/trust/" folder, so I lost my registry target keys and root keys.

Here I use an AWS ECR private registry. Because I have deleted the target keys, it starts throwing me the below error:

The push refers to repository [31***********.dkr.ecr.us-east-2.amazonaws.com/tvs-container]
9c27e219663c: Layer already exists
14.0: digest: sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 size: 525
Signing and pushing trust metadata
ERRO[0005] couldn’t add target to targets: could not find necessary signing keys, at least one of these keys must be available: 1aacc92d82f3d0b8da12471ae1e863574d37af145ba5a6f4a350cfdbdc94a64b
failed to sign 31***********.dkr.ecr.us-east-2.amazonaws.com/tvs-container:14.0: could not find necessary signing keys, at least one of these keys must be available: 1aacc92d82f3d0b8da12471ae1e863574d37af145ba5a6f4a350cfdbdc94a64b

I don’t have my signing keys in trust.

I have deleted the complete registry and tried creating a new one, but it still doesn't help me out.

If I run docker trust inspect it still shows me the old entry:
[root@cer-2 private]# docker trust inspect 31*************.dkr.ecr.us-east-2.amazonaws.com/tvs-container --pretty

Signatures for 31*************.dkr.ecr.us-east-2.amazonaws.com/tvs-container

SIGNED TAG   DIGEST                                                             SIGNERS
latest       e3c894f93413122556efcaec434443bfc091af68b307a320f060e73459381524   (Repo Admin)

Administrative keys for 313487485676.dkr.ecr.us-east-2.amazonaws.com/tvs-container

Repository Key: 1aacc92d82f3d0b8da12471ae1e863574d37af145ba5a6f4a350cfdbdc94a64b
Root Key: 6b6f040885a0c5a7cb1ad231938e146093e94cf1e3fe2638c7971f61e33dff94

I need to use the same Docker engine to push signed images to the same registry with the same name.

Is there any way I can recover this? I tried an rpm uninstall and install, still no help.

docker version:

[root@-cer-2 private]# docker version
Client: Docker Engine - Community
Version: 19.03.12
API version: 1.40
Go version: go1.13.10
Git commit: 48a66213fe
Built: Mon Jun 22 15:46:54 2020
OS/Arch: linux/amd64
Experimental: false

Server: Docker Engine - Community
Engine:
Version: 19.03.12
API version: 1.40 (minimum version 1.12)
Go version: go1.13.10
Git commit: 48a66213fe
Built: Mon Jun 22 15:45:28 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683

All the Docker trust keys are stored encrypted using the passphrase you provide on creation. Even so, you should still take care of the location where you back them up. Good practice is to create two encrypted USB keys.

It is very important that you back up your keys to a safe, secure location. Loss of the repository key is recoverable; loss of the root key is not.

The Docker client stores the keys in the ~/.docker/trust/private directory. Before backing them up, you should tar them into an archive:

$ umask 077; tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private; umask 022
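As an added example (not code from the original thread or from Docker's own tooling), the script below does two things a practitioner would want here: a check that reports which key IDs printed by `docker trust inspect` have no matching `<id>.key` file in a trust private-key directory (the condition behind the "could not find necessary signing keys" error in the question), and a backup routine that follows the umask 077 tar recipe above and then verifies the archive is owner-only and actually contains key files. The key IDs and the temporary trust directory in `demo_run` are constructed placeholders so the script runs offline; for real use, point the functions at ~/.docker/trust/private and the Repository Key / Root Key IDs from your own inspect output.

```shell
#!/bin/sh
# Added example, not part of the original forum post. Assumes only POSIX sh,
# tar, stat and mktemp. Key files under a Docker trust private directory are
# named <keyid>.key, which is what check_signing_keys looks for.

# Print each key ID that has no <id>.key file under $1; return 1 if any is missing.
check_signing_keys() {
    dir="$1"; shift
    missing=0
    for id in "$@"; do
        if [ ! -f "$dir/$id.key" ]; then
            echo "missing: $id"
            missing=1
        fi
    done
    return $missing
}

# Archive $1 into $2 with owner-only permissions (umask 077 while tar runs),
# verify the archive mode is 600, then print how many .key files it contains.
backup_trust_keys() {
    src="$1"; archive="$2"
    old_umask=$(umask)
    umask 077
    tar -zcf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$archive" 2>/dev/null || stat -f %Lp "$archive")
    [ "$mode" = "600" ] || return 2
    tar -tzf "$archive" | grep -c '\.key$'
}

# Build a constructed trust directory with one placeholder key file, then run
# both checks. The second key ID is deliberately absent, mirroring the missing
# repository key in the question. Prints "missing=1 archived=1".
demo_run() {
    tmp=$(mktemp -d) || return 1
    priv="$tmp/trust/private"
    mkdir -p "$priv"
    # Constructed placeholder IDs, not real key IDs.
    present="1111111111111111111111111111111111111111111111111111111111111111"
    absent="2222222222222222222222222222222222222222222222222222222222222222"
    printf 'PLACEHOLDER (constructed, not a real encrypted key)\n' > "$priv/$present.key"
    chmod 600 "$priv/$present.key"
    missing=$(( $(check_signing_keys "$priv" "$present" "$absent" | wc -l) ))
    archived=$(backup_trust_keys "$priv" "$tmp/private_keys_backup.tar.gz") || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    echo "missing=$missing archived=$archived"
}

demo_run
```

Running the check against your real directory looks like `check_signing_keys ~/.docker/trust/private <repository-key-id> <root-key-id>`; an empty result means the client can find both signing keys locally. The backup function restores the previous umask on every exit path so a failed tar does not leave the shell with a tightened umask.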