
Verifying DTR Images with Notary CLI


(Rogerbush) #1

I wanted to know whether a properly set up Notary client (one that accesses the DTR’s notary service) can be used to verify signed images in the DTR.

For example, with Notary CLI, one can do this:

$ cat some-file-already-signed-in-notary | notary verify my-repo latest

And you get the contents back, and a success code ($? => 0) if the file contents match the metadata that was previously computed when the file was added to the notary collection (e.g. metadata for a repo).

Let’s say I wanted to fetch an image from the DTR and verify it, I could do:

$ docker save -o myfile.tar ${DTR}/my-repo:latest
$ cat myfile.tar | notary verify my-repo latest

This doesn’t work though. It gives me this error:

* fatal: data not present in the trusted collection, sha256 checksum for latest did not match: expected 9c1484df1d2e56d7a2a3e01cfe54a87c60d56670bb868db8cf90c8a0e2326142

I suspect this means that the file saved by “docker save” is lacking some component that is used in the digest (i.e. perhaps there are some more files that “docker save” omits, which makes the checksum fail).

Does anyone know how to make this work?
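Editor's note with an added example (not code from the post above, and not Notary's or DTR's own code): under Docker Content Trust the Notary target for a tag records the sha256 and byte length of the image manifest exactly as the registry serves it, so `notary verify` compares stdin against the manifest digest, not against a `docker save` archive, which is a different object (a tar of layers and config) and can never hash to that value. The script below reproduces the check locally: it parses the table printed by `notary list <GUN>`, hashes candidate bytes, and reports a match only for the untouched manifest. The manifest bytes and the `notary list` output are constructed samples (the "latest" row is built from the sample manifest so the good case passes); the length comparison is this example's own extra check on top of the digest.

```python
"""Check image manifest bytes against a Notary (Docker Content Trust) target
the way `notary verify <GUN> <tag>` does: hash the exact bytes and compare
with the sha256 recorded for that tag. Added example; all inputs are
constructed samples, not data from a real DTR."""
import hashlib
import json

# Constructed sample: a schema-2 manifest as a registry would serve it
# (compact JSON; the blob digests inside it are made up).
SAMPLE_MANIFEST = (
    b'{"schemaVersion":2,'
    b'"mediaType":"application/vnd.docker.distribution.manifest.v2+json",'
    b'"config":{"mediaType":"application/vnd.docker.container.image.v1+json",'
    b'"size":1469,"digest":"sha256:' + b"a" * 64 + b'"},'
    b'"layers":[{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip",'
    b'"size":2797541,"digest":"sha256:' + b"b" * 64 + b'"}]}'
)


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of the raw bytes; this is the value Notary stores per target."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample of `notary list my-repo` output. The "latest" row is
# derived from SAMPLE_MANIFEST, standing in for what DTR signed at push time.
SAMPLE_NOTARY_LIST = f"""NAME      DIGEST{' ' * 60}SIZE (BYTES)    ROLE
----      ------{' ' * 60}------------    ----
latest    {sha256_hex(SAMPLE_MANIFEST)}    {len(SAMPLE_MANIFEST)}    targets
"""


def parse_notary_list(text: str) -> dict:
    """Parse the `notary list` table into {target name: (sha256 hex, size, role)}."""
    targets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] in ("NAME", "----"):
            continue  # header, separator or blank line
        name, digest, size, role = parts
        targets[name] = (digest.lower(), int(size), role)
    return targets


def verify_manifest(raw_manifest: bytes, targets: dict, tag: str) -> bool:
    """Local equivalent of `cat manifest | notary verify <GUN> <tag>`.
    Both the byte length and the sha256 must match the signed target."""
    if tag not in targets:
        return False  # no signed target for this tag
    expected_digest, expected_size, _role = targets[tag]
    return (len(raw_manifest) == expected_size
            and sha256_hex(raw_manifest) == expected_digest)


def demo() -> dict:
    """Run the three cases a practitioner hits and return their outcomes."""
    targets = parse_notary_list(SAMPLE_NOTARY_LIST)
    # 1. Raw manifest bytes from the registry: the object DCT actually signed.
    raw_ok = verify_manifest(SAMPLE_MANIFEST, targets, "latest")
    # 2. The same manifest re-serialised by a JSON tool: same content, different
    #    bytes, so the digest no longer matches. Never pretty-print before hashing.
    reserialised = json.dumps(json.loads(SAMPLE_MANIFEST), indent=2).encode()
    pretty_ok = verify_manifest(reserialised, targets, "latest")
    # 3. A stand-in for `docker save` output: a tarball is not the manifest at all.
    tarball = b"myfile.tar (constructed stand-in for docker save output)"
    tar_ok = verify_manifest(tarball, targets, "latest")
    return {"raw_manifest": raw_ok, "reserialised": pretty_ok, "docker_save_tar": tar_ok}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {'verified' if result else 'digest mismatch'}")
```

Only the first case verifies. In practice the bytes to feed `notary verify` are the manifest fetched from the registry's `/v2/<name>/manifests/<tag>` endpoint with the manifest media type in the `Accept` header, kept byte-for-byte as returned; the GUN must be the full repository name the signer used, and the target name is the tag.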