I'm not familiar with the Docker Content Trust (DCT) mechanism and I'm a bit confused about the root key. The first time I add a signer to a new repository, I'm asked for passphrases for the root key and the repository key. After that, a key file named with the root key ID is generated in ~/.docker/trust/private. So far so good, but when I run docker trust inspect <repo name>, I get a different root key ID under the Administrative Keys section.
Can you explain this to me?
TL;DR: one root key is for the signer and another is for the repository.
When I try to load a key to add a signer, it asks me for a passphrase to encrypt the private key (root).
$ docker trust key load --name arif key.pem
Loading key from "key.pem"...
Enter passphrase for new arif key with ID 2817c38:
Repeat passphrase for new arif key with ID 2817c38:
Successfully imported key from key.pem
You can find the encrypted root key under .docker/trust/private,
$ cat ../.docker/trust/private/2817c387b869ede57bd209e40a3dfce967b70eca1eb3739bc58afba44665aaef.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
role: arif
MIHuMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAh/6HbWl/T/SAICCAAw
HQYJYIZIAWUDBAEqBBAZpJBc+C9ABYY6UbMT3YSRBIGgiNT5fX9QqCOrGJ3lb3qw
7JkC/4D0dtp75MYWaMbfYXvNm+muJXmVUpp5vh91onUW8Y8q+ymQTgDq3mN8+HLu
4iRp46wXxilEKUxmXsYln/mxQI+jU7UwTTiLiy6LpR1vpBKdO8hhd/WObW25P+ah
YjslB1P8fe9VeSsorAKM5zDnuaiVhHh7BjgVAiepDvmy/7zO3W7Rso4Kgg0UZkJn
SA==
-----END ENCRYPTED PRIVATE KEY-----
Then I try to add the signer to the repository, and it asks for two things,
$ docker trust signer add --key cert.pem arif ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy
Adding signer "arif" to ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy...
Initializing signed repository for ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy...
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 06665b8:
Repeat passphrase for new root key with ID 06665b8:
Enter passphrase for new repository key with ID b040c66:
Repeat passphrase for new repository key with ID b040c66:
Successfully initialized "ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy"
Successfully added signer: arif to ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy
In the output above we can see that the IDs of the two keys are 06665b8 and b040c66.
If I look in my trust directory, I see two keys whose names start with those two IDs. One is the root key for the repository and the other is the targets key.
$ grep role .docker/trust/private/06665b8*.key
role: root
$ grep role .docker/trust/private/b040c66*.key
role: targets
Now, if I inspect the repository, I can see the following,
$ docker trust inspect ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy
[
    {
        "Name": "ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy",
        "SignedTags": [],
        "Signers": [
            {
                "Name": "arif",
                "Keys": [
                    {
                        "ID": "2817c387b869ede57bd209e40a3dfce967b70eca1eb3739bc58afba44665aaef"
                    }
                ]
            }
        ],
        "AdministrativeKeys": [
            {
                "Name": "Root",
                "Keys": [
                    {
                        "ID": "5ed03b461b330c6d722c319bdfaa87e3d8b289a1213569248bdaa616a1a399c6"
                    }
                ]
            },
            {
                "Name": "Repository",
                "Keys": [
                    {
                        "ID": "b040c663463612c99130eca98ec827ef32a3bab73d2976403888443ce87899c6"
                    }
                ]
            }
        ]
    }
]
So now we have 3 keys. One is the signer's root key, another is the repository's root key, and the last one is the targets key.
$ ls .docker/trust/private/ -1 | wc -l
3
You can find all the metadata about these keys in the tuf directory,
$ cd .docker/trust/tuf/ec2-3-67-179-58.eu-central-1.compute.amazonaws.com/docker/haproxy/metadata/
$ ls
root.json snapshot.json targets.json timestamp.json
I hope it makes sense now.
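As an added example (not code from the answer, nor from Docker or Notary), a small Python script that pairs the key IDs each role in root.json trusts with the role: header of the matching file in ~/.docker/trust/private, so you can tell which local file backs which role and which trusted ID has no local file at all. The root.json fragment and the key files are constructed: the targets and root IDs are the ones from the inspect output above, and the local root file name is a placeholder, not a real key ID.

```python
import json
import tempfile
from pathlib import Path

def private_key_headers(trust_private_dir):
    """Map each key file ID (file name without .key) to its PEM header fields."""
    keys = {}
    for path in Path(trust_private_dir).glob("*.key"):
        headers = {}
        for line in path.read_text().splitlines()[1:]:  # skip the BEGIN line
            if ":" not in line:
                break  # blank line or base64 body: the header block is over
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
        keys[path.stem] = headers
    return keys

def roles_from_root_json(root_json_text):
    """Map each top-level TUF role in root.json to the key IDs it trusts."""
    roles = json.loads(root_json_text)["signed"]["roles"]
    return {role: list(spec["keyids"]) for role, spec in roles.items()}

def match_roles_to_local_keys(root_json_text, trust_private_dir):
    """Pair each trusted key ID with the 'role' header of the matching local
    private key file, or None when no such file exists."""
    local = private_key_headers(trust_private_dir)
    return {
        role: [(kid, local[kid].get("role") if kid in local else None) for kid in kids]
        for role, kids in roles_from_root_json(root_json_text).items()
    }

# Constructed sample. TARGETS_ID and ROOT_ID_IN_METADATA come from the inspect
# output above; LOCAL_ROOT_ID is a placeholder file name, not a real key ID.
TARGETS_ID = "b040c663463612c99130eca98ec827ef32a3bab73d2976403888443ce87899c6"
ROOT_ID_IN_METADATA = "5ed03b461b330c6d722c319bdfaa87e3d8b289a1213569248bdaa616a1a399c6"
LOCAL_ROOT_ID = "06665b8" + "0" * 57
SAMPLE_ROOT_JSON = json.dumps({"signed": {"_type": "Root", "roles": {
    "root": {"keyids": [ROOT_ID_IN_METADATA], "threshold": 1},
    "targets": {"keyids": [TARGETS_ID], "threshold": 1}}}, "signatures": []})

def build_sample_trust_dir():
    """Write stand-ins for the encrypted key files in ~/.docker/trust/private."""
    d = Path(tempfile.mkdtemp())
    for kid, role in ((LOCAL_ROOT_ID, "root"), (TARGETS_ID, "targets")):
        (d / f"{kid}.key").write_text("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
            f"role: {role}\n\nMIHuMEkG\n-----END ENCRYPTED PRIVATE KEY-----\n")
    return d

def demo():
    return match_roles_to_local_keys(SAMPLE_ROOT_JSON, build_sample_trust_dir())
```

Running demo() on the sample shows the targets role backed by the local targets file, while the root role's trusted ID has no matching file, which is the kind of mismatch the question describes.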
There are several keys:
You can open the files in ~/.docker/trust/private to see what each key does. Or you can run notary -d ~/.docker/trust key list
The pretty option is also nice:
docker trust inspect --pretty <repo_name>
gives the following result
Signatures for repo_name
SIGNED TAG   DIGEST                                                             SIGNERS
latest       def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748   test
List of signers and their keys for repo_name
SIGNER   KEYS
test     c990796d79a9
Administrative keys for repo_name
Repository Key: 06362021113fed73dc5e08e6b5edbe04cf4316193b362b0d8335fab3285fc98b
Root Key: 317f83b55c99e2b8f9d341a3c9a3fc4b1d65d97f52a553020a65cdee85940cf3