I am playing with signing images. When images are to be signed, there is some setup involved with all the keys, notary, etc. But pulling and verifying signed images should be effortless, right? Just enable DCT by env and it should all work, right? I do not need to have any keys configured, etc. But I am getting this:
$ DOCKER_CONTENT_TRUST=1 docker -l debug pull docker.io/docker/trusttest:latest
DEBU reading certificate directory: /home/jad6/.docker/tls/notary.docker.io
DEBU No yubikey found, using alternative key storage: no library found
DEBU Making dir path: /home/jad6/.docker/trust/tuf/docker.io/docker/trusttest/changelist
DEBU received HTTP status 401 when requesting root.
you are not authorized to perform this operation: server returned 401.
I have tried this on three different machines (to eliminate a Docker setup issue) and also with different images (ubuntu, node…) to eliminate the chance that there is something wrong with a given repository. I got the same error every time.
Googling this, I have not found anything useful. My docker config.json is empty except for the Docker Hub login, if that matters.
Can anybody explain what authorization is involved and fails here? All public keys and signatures required to pull a signed image are public, right?
Thanks a lot!