• Generating a delegation key

    Generating a delegation key

    Make sure you’re using OpenSSL 1.0.2+, otherwise the keys will be signed with SHA1, which Notary will refuse to import (invalid SHA1 signature algorithm):

    1.  brew install openssl

    Make sure the openssl in your $PATH points to the correct version:

    1.  openssl version
    2. OpenSSL 1.0.2j  26 Sep 2016

    Have the collaborator generate a new key pair on their machine (you can use the Docker-in-Docker container for this):

    1. Create an 256-bit ECC key pair:

      1.  openssl ecparam -name prime256v1 -genkey -out delegation.key -noout

    2. Create a certificate signing request:

      1.  openssl req -new -sha256 -key delegation.key -out delegation.csr

    3. Self-sign the certificate (or, alternatively, sign the csr using an internal CA):

      1.  openssl x509 -req -days 365 -in delegation.csr -signkey delegation.key -out delegation.crt

    4. Import the private key:

      1.  notary -v -s https://127.0.0.1:4443 -d ~/.docker/trust key import delegation.key --role user --gun <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app
      3. Enter passphrase for new user key with ID e93a684 (tuf_keys):
      4. Repeat passphrase for new user key with ID e93a684 (tuf_keys):

      Enter a passphrase generated and stored on a password manager.

    5. Send the public key (delegation.crt) to the repository owner.