Importing a delegation certificate
As a repository owner:
Add the delegation key to the repository under the `targets/releases` path, as this is the path Docker looks at when signing an image (first `targets`, then `targets/releases`). Note that `--all-paths` lets the delegation sign any tag in the repository; scope it with `--paths` if the delegate should only be able to sign a subset.

```
❯ notary delegation -D -v -s https://127.0.0.1:4443 -d ~/.docker/trust add <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app targets/releases delegation.crt --all-paths
Addition of delegation role targets/releases with keys [e93a68479026f002b9dedb35f563cf5abc50aecd18b2205ad296d3101c0d3c21], with paths ["" <all paths>], to repository "<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app" staged for next publish.
```
Check the unpublished (staged) changes:
```
❯ notary -D -v -s https://127.0.0.1:4443 -d ~/.docker/trust status <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app
Unpublished changes for <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app:

#    ACTION    SCOPE               TYPE          PATH
-    ------    -----               ----          ----
0    create    targets/releases    delegation
1    create    targets/releases    delegation
```

Two entries are expected: the delegation key and the delegation paths are staged as separate changes.
Publish the queued changes:
```
❯ notary -v -s https://127.0.0.1:4443 -d ~/.docker/trust publish <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app
Pushing changes to <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app
Enter passphrase for targets key with ID 79a6fca:
Successfully published changes for repository <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app
```
When prompted, enter the passphrase of the previously created `targets` repository key; only the holder of that key can publish a new delegation.

Confirm the delegation list looks correct, in particular that the `KEY IDS` column shows the key from `delegation.crt` and that the threshold is 1:
```
❯ notary -v -s https://127.0.0.1:4443 -d ~/.docker/trust delegation list <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app

ROLE                PATHS             KEY IDS     THRESHOLD
----                -----             -------     ---------
targets/releases    "" <all paths>    61a6430…    1
```
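The `delegation list` output truncates key IDs, so it helps to know what ID the certificate you imported should produce. The following script is an added example, not part of the original page or of the Notary project: it derives the Notary key ID of a delegation certificate the way Notary (TUF) does it, as SHA-256 over the canonical JSON of the public-key object with the private part set to `null` and the DER certificate as the public value, and then checks a captured `notary delegation list` output for that key under a role. The default key type `ecdsa-x509` assumes the certificate was produced by `docker trust key generate` (ECDSA); pass `rsa-x509` for an RSA certificate. The sample DER bytes in the usage below are constructed and are not a real certificate.

```python
"""Derive the Notary key ID of a delegation certificate and check it against
`notary delegation list` output.

Notary/TUF key ID = SHA-256 of the canonical JSON (sorted keys, no whitespace)
of the public key object:
    {"keytype":"ecdsa-x509","keyval":{"private":null,"public":"<base64 DER cert>"}}
For an x509 delegation key, "public" is the DER-encoded certificate.
"""
import base64
import hashlib
import re

# Assumption: `docker trust key generate` produces ECDSA certificates.
KEYTYPE_ECDSA_X509 = "ecdsa-x509"
KEYTYPE_RSA_X509 = "rsa-x509"


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def canonical_key_json(der: bytes, keytype: str = KEYTYPE_ECDSA_X509) -> str:
    """Canonical JSON of the TUF public-key object (keys sorted, no spaces)."""
    pub = base64.b64encode(der).decode("ascii")
    return '{"keytype":"%s","keyval":{"private":null,"public":"%s"}}' % (keytype, pub)


def notary_key_id(der: bytes, keytype: str = KEYTYPE_ECDSA_X509) -> str:
    """Hex key ID as printed by `notary delegation add` / `delegation list`."""
    return hashlib.sha256(canonical_key_json(der, keytype).encode("ascii")).hexdigest()


def delegation_has_key(list_output: str, role: str, key_id: str) -> bool:
    """True if `role` in `notary delegation list` output carries `key_id`.

    The CLI prints key IDs truncated (e.g. "61a6430…"), possibly several
    joined by commas, so the comparison is by hex prefix.
    """
    for line in list_output.splitlines():
        cols = line.split()
        if not cols or cols[0] != role:
            continue
        for col in cols[1:]:
            for tok in col.split(","):
                t = tok.rstrip("…").rstrip(".")
                if re.fullmatch(r"[0-9a-f]{7,64}", t) and key_id.startswith(t):
                    return True
    return False


if __name__ == "__main__":
    # Constructed sample input, not a real certificate: a tiny DER blob in PEM form.
    sample_pem = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    kid = notary_key_id(pem_to_der(sample_pem))
    print("expected key ID:", kid)
    # Constructed `delegation list` output that carries the truncated ID.
    listing = (
        "ROLE                PATHS             KEY IDS     THRESHOLD\n"
        "----                -----             -------     ---------\n"
        'targets/releases    "" <all paths>    %s…    1\n' % kid[:7]
    )
    print("targets/releases has our key:", delegation_has_key(listing, "targets/releases", kid))
```

In practice, run `notary_key_id(pem_to_der(open("delegation.crt").read()))` and compare the result with the ID printed by `notary delegation add` and with the `KEY IDS` column of `delegation list`; a mismatch means a different certificate was imported than the one you intended.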
