Pulling signed images


I am playing with signing images. When images are to be signed there is some setup involved with all the keys and notary etc. But pulling and verifying signed images should be effortless right? Just enable DCT by env and it should all work right? I do not need to have any keys configured etc. But I am getting this:

$ DOCKER_CONTENT_TRUST=1 docker -l debug pull docker.io/docker/trusttest:latest
DEBU[0000] reading certificate directory: /home/jad6/.docker/tls/notary.docker.io
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] Making dir path: /home/jad6/.docker/trust/tuf/docker.io/docker/trusttest/changelist
DEBU[0001] received HTTP status 401 when requesting root.
you are not authorized to perform this operation: server returned 401.

I have tried this on three different machines (to eliminate docker setup issue) and also with different images (ubuntu, node…) to eliminate chance that there is something wrong with given repository. I got the same error every time.

Googling this up I have not found anything useful. My docker config.json is empty execpt for dockerhub login if that matters.

Can anybody explain what authorization is involved and fails here? All public keys and signatures required to pull signed image are public right?

Thanks a lot!

It looks like it was resolved

@rimelek You are right. This works now. I can move on to other issues. Thanks for letting me know!