Are there two root keys in Docker Content Trust?

I am new to the Docker Content Trust (DCT) mechanism and a bit confused about root keys. The first time I add a signer to a new repository, I am asked for passphrases for the root key and the repository key. After that, a key file named with the root key ID is generated in the directory ~/.docker/trust/private. So far so good, but when I run docker trust inspect <repo name>, I get a different root key ID under the administrative keys section.

Can you explain this to me?

There are several keys:

  • Signer key
  • Repository key
  • Root key

You can open the files in ~/.docker/trust/private to see the role of each key. Or you can run notary -d ~/.docker/trust key list

The pretty option is also nice: docker trust inspect --pretty <repo_name> gives the following

Signatures for repo_name
SIGNED TAG   DIGEST                                                             SIGNERS
latest       def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748   test
List of signers and their keys for repo_name
SIGNER    KEYS
test       c990796d79a9
Administrative keys for repo_name
Repository Key:   06362021113fed73dc5e08e6b5edbe04cf4316193b362b0d8335fab3285fc98b
Root Key: 317f83b55c99e2b8f9d341a3c9a3fc4b1d65d97f52a553020a65cdee85940cf3

TLDR: one root key is for the signer, the other is for the repository.

When I try to load a key in order to add a signer, it asks me for a passphrase to encrypt the private key (root).

$ docker trust key load --name arif key.pem
Loading key from "key.pem"...
Enter passphrase for new arif key with ID 2817c38: 
Repeat passphrase for new arif key with ID 2817c38: 
Successfully imported key from key.pem

You can find the encrypted root key in .docker/trust/private, as shown below,

$ cat ../.docker/trust/private/2817c387b869ede57bd209e40a3dfce967b70eca1eb3739bc58afba44665aaef.key 
-----BEGIN ENCRYPTED PRIVATE KEY-----
role: arif
MIHuMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAh/6HbWl/T/SAICCAAw
HQYJYIZIAWUDBAEqBBAZpJBc+C9ABYY6UbMT3YSRBIGgiNT5fX9QqCOrGJ3lb3qw
7JkC/4D0dtp75MYWaMbfYXvNm+muJXmVUpp5vh91onUW8Y8q+ymQTgDq3mN8+HLu
4iRp46wXxilEKUxmXsYln/mxQI+jU7UwTTiLiy6LpR1vpBKdO8hhd/WObW25P+ah
YjslB1P8fe9VeSsorAKM5zDnuaiVhHh7BjgVAiepDvmy/7zO3W7Rso4Kgg0UZkJn
SA==
-----END ENCRYPTED PRIVATE KEY-----

Then I tried to add a signer to the repository, and it asks for two things,

  1. A new passphrase to encrypt the root key of the repository I want to sign
  2. A new passphrase to encrypt the **repository key** of that repository

$ docker trust signer add --key cert.pem arif ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy 
Adding signer "arif" to ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy...
Initializing signed repository for ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy...
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 06665b8: 
Repeat passphrase for new root key with ID 06665b8: 
Enter passphrase for new repository key with ID b040c66: 
Repeat passphrase for new repository key with ID b040c66: 
Successfully initialized "ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy"
Successfully added signer: arif to ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy

In the output above, we can see that the IDs of the two keys are 06665b8 and b040c66.

If I look at my trust directory, I see two keys starting with these two IDs. One is the repository's root key and the other is the targets key.

$ grep role .docker/trust/private/06665b8*.key
role: root
$ grep role .docker/trust/private/b040c66*.key
role: targets

Now, if I inspect the repository, I can see the following,

$ docker trust inspect ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy
[
    {
        "Name": "ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy",
        "SignedTags": [],
        "Signers": [
            {
                "Name": "arif",
                "Keys": [
                    {
                        "ID": "2817c387b869ede57bd209e40a3dfce967b70eca1eb3739bc58afba44665aaef"
                    }
                ]
            }
        ],
        "AdministrativeKeys": [
            {
                "Name": "Root",
                "Keys": [
                    {
                        "ID": "5ed03b461b330c6d722c319bdfaa87e3d8b289a1213569248bdaa616a1a399c6"
                    }
                ]
            },
            {
                "Name": "Repository",
                "Keys": [
                    {
                        "ID": "b040c663463612c99130eca98ec827ef32a3bab73d2976403888443ce87899c6"
                    }
                ]
            }
        ]
    }
]

Now we have three keys. One is the signer's root key, another is the repository's root key, and the last one is the targets key.

$ ls .docker/trust/private/ -1 | wc -l
3

You can find all the metadata about these keys in the tuf directory,

$ cd .docker/trust/tuf/ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy/metadata/
$ ls 
root.json  snapshot.json  targets.json  timestamp.json

I hope it makes sense now.

User-signed images

There are two options for trust pinning user-signed images:

  • Notary Canonical Root Key ID (DCT Root Key) is an ID that describes just the root key used to sign a repository (or rather its respective keys). This is the root key on the host that originally signed the repository (i.e. your workstation). It can be retrieved from the workstation that signed the repository with $ grep -r "root" ~/.docker/trust/private/ (assuming your trust data is at ~/.docker/trust/*). It is expected that this canonical ID has initiated multiple image repositories (mydtr/user1/image1 and mydtr/user1/image2)

    # Retrieving Root ID
    $ grep -r "root" ~/.docker/trust/private
    /home/ubuntu/.docker/trust/private/0b6101527b2ac766702e4b40aa2391805b70e5031c04714c748f914e89014403.key:role: root

    # Using a Canonical ID that has signed 2 repos (mydtr/user1/repo1 and mydtr/user1/repo2). Note you can use a Wildcard.
    {
      "content-trust": {
        "trust-pinning": {
          "root-keys": {
            "mydtr/user1/*": [
              "0b6101527b2ac766702e4b40aa2391805b70e5031c04714c748f914e89014403"
            ]
          }
        },
        "mode": "enforced"
      }
    }
  • Notary Root Key ID (DCT Certificate ID) is an ID that describes the same thing, but the ID is unique per repository. For example, mydtr/user1/image1 and mydtr/usr1/image2 will have unique certificate IDs. A certificate ID can be retrieved with the $ docker trust inspect command and is labelled as a root key (referring back to the Notary key name). This is designed for different users signing their own repositories, for example when there is no central signing server. Since a cert ID is more granular, it takes priority if a conflict with a root ID occurs

    # Retrieving Cert ID
    $ docker trust inspect mydtr/user1/repo1 | jq -r '.[].AdministrativeKeys[] | select(.Name=="Root") | .Keys[].ID'
    9430d6e31e3b3e240957a1b62bbc2d436aafa33726d0fcb50addbf7e2dfa2168

    # Using Cert Ids, by specifying 2 repositories by their DCT root ID. Example for using this may be different DTRs or maybe because the repository was initiated on different hosts, therefore having different canonical IDs.
    {
      "content-trust": {
        "trust-pinning": {
          "cert-ids": {
            "mydtr/user1/repo1": [
              "9430d6e31e3b3e240957a1b62bbc2d436aafa33726d0fcb50addbf7e2dfa2168"
            ],
            "mydtr/user2/repo1": [
              "544cf09f294860f9d5bc953ad80b386063357fd206b37b541bb2c54166f38d08"
            ]
          }
        },
        "mode": "enforced"
      }
    }

http://www.myclass5.cn/engine/security/trust/content_trust/
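Putting the second and third answers together, as an added example that is not from either answer or from Docker itself: it parses the role: headers of the key files in the trust directory to find the canonical root key ID, takes the per-repository certificate ID from docker trust inspect JSON, and assembles the daemon.json trust-pinning fragment from both. All key IDs, key file contents and inspect output below are constructed placeholders, and the temp directory stands in for ~/.docker/trust/private.

```python
import json
import tempfile
from pathlib import Path

# Placeholder key IDs (constructed, not taken from the answers above).
ROOT_ID, TARGETS_ID, SIGNER_ID, CERT_ID = "aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32
PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n{}MIHuMEkGCSqG\n-----END ENCRYPTED PRIVATE KEY-----\n"
# Constructed key files in the layout docker trust uses: <key-id>.key with `role:` (and `gun:`) headers.
SAMPLE_KEYS = {ROOT_ID: PEM.format("role: root\n"),
               TARGETS_ID: PEM.format("role: targets\ngun: mydtr/user1/repo1\n"),
               SIGNER_ID: PEM.format("role: arif\n")}
# Constructed `docker trust inspect` output shaped like the one in the answer above.
SAMPLE_INSPECT = json.dumps([{"Name": "mydtr/user1/repo1", "SignedTags": [],
    "Signers": [{"Name": "arif", "Keys": [{"ID": SIGNER_ID}]}], "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": CERT_ID}]}, {"Name": "Repository", "Keys": [{"ID": TARGETS_ID}]}]}])

def parse_pem_headers(text):
    """`key: value` lines between the BEGIN line and the base64 body (base64 never holds ': ')."""
    headers = {}
    for line in text.split("-----\n", 1)[1].splitlines():  # skip the BEGIN line
        if ": " not in line:
            break
        k, v = line.split(": ", 1)
        headers[k] = v
    return headers

def local_keys(private_dir):
    """Key ID (file name without .key) -> parsed headers for every key file in the directory."""
    return {p.stem: parse_pem_headers(p.read_text()) for p in Path(private_dir).glob("*.key")}

def canonical_root_ids(keys):
    """Canonical root key ID(s): the file(s) whose header reads `role: root`."""
    return sorted(k for k, h in keys.items() if h.get("role") == "root")

def cert_ids_from_inspect(inspect_json):
    """Per-repository certificate IDs: the entry `docker trust inspect` labels Root."""
    return {r["Name"]: [k["ID"] for k in a["Keys"]]
            for r in json.loads(inspect_json) for a in r["AdministrativeKeys"] if a["Name"] == "Root"}

def trust_pinning_config(root_keys, cert_ids):
    """daemon.json fragment pinning both ID kinds; a cert-id takes priority if both match."""
    return {"content-trust": {"trust-pinning": {"root-keys": root_keys, "cert-ids": cert_ids},
                              "mode": "enforced"}}

def demo(repo_glob="mydtr/user1/*"):
    with tempfile.TemporaryDirectory() as d:  # stand-in for ~/.docker/trust/private
        for kid, text in SAMPLE_KEYS.items():
            Path(d, kid + ".key").write_text(text)
        keys = local_keys(d)
    return trust_pinning_config({repo_glob: canonical_root_ids(keys)}, cert_ids_from_inspect(SAMPLE_INSPECT))
```

Run json.dumps(demo(), indent=2) to print the fragment; note that the signer key (role: arif) is neither pinned nor reported as a root, which is the distinction the question was asking about.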
