
Docker pull with Docker Content Trust enabled and Token authentication fails with 401 error

Open marc-mueller opened this issue 3 years ago • 2 comments

Describe the bug

We are currently using token authentication to pull container images from ACR. The token used has "content/read" and "metadata/read" permissions set for the corresponding repositories. Pulling the images without Docker Content Trust works fine. If we enable Docker Content Trust and pull the image, the docker pull command fails with "you are not authorized to perform this operation: server returned 401."

To Reproduce

Steps to reproduce the behavior:

  1. Create a scope map and provide "content/read" and "metadata/read" rights to the repositories.
  2. Create a token and assign it to the scope map.
  3. Create a password for the token.
  4. docker login .azurecr.io --username --password
  5. $Env:DOCKER_CONTENT_TRUST=1
  6. docker pull .azurecr.io/:
  7. Error: "you are not authorized to perform this operation: server returned 401."

Expected behavior

The pull permission for a token should also grant the rights to read the signing metadata to verify the image tag.

Screenshots None

Any relevant environment information

  • OS: Windows
  • Docker version: 20.10.14

Additional context None

marc-mueller avatar Jun 15 '22 12:06 marc-mueller
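
The reproduction steps from the post above, written out as a PowerShell script. This is an added example, not part of the original issue: the registry, repository, tag, scope map and token names are placeholders, and it assumes the Azure CLI and Docker are installed and that the tag was pushed with content trust enabled.

```powershell
# Added example: every name below is a placeholder, not a value from the issue.
$Registry   = 'myregistry'            # placeholder ACR name
$Repository = 'samples/hello-world'   # placeholder repository holding a signed tag
$Tag        = 'v1'                    # placeholder tag, assumed signed
$ScopeMap   = 'pull-only-scope'       # placeholder scope map name
$Token      = 'pull-only-token'       # placeholder token name

# Steps 1-3: scope map limited to content/read and metadata/read,
# a token bound to it, and a short-lived password for that token.
az acr scope-map create --name $ScopeMap --registry $Registry `
    --repository $Repository content/read metadata/read
az acr token create --name $Token --registry $Registry --scope-map $ScopeMap
$Password = az acr token credential generate --name $Token --registry $Registry `
    --password1 --expiration-in-days 1 --query 'passwords[0].value' --output tsv

# Step 4: log in as the token; the password goes over stdin so it stays
# out of the process list and shell history.
$Password | docker login "$Registry.azurecr.io" --username $Token --password-stdin

$Image = "$Registry.azurecr.io/${Repository}:$Tag"

# Pull the same image with content trust off or on and report success.
function Test-Pull {
    param([string]$Image, [bool]$ContentTrust)
    $Env:DOCKER_CONTENT_TRUST = if ($ContentTrust) { '1' } else { '0' }
    docker pull $Image | Out-Host
    return ($LASTEXITCODE -eq 0)
}

# Steps 5-7: the only variable between the two pulls is DOCKER_CONTENT_TRUST.
$plain   = Test-Pull -Image $Image -ContentTrust $false
$trusted = Test-Pull -Image $Image -ContentTrust $true

[pscustomobject]@{
    Image              = $Image
    PullWithoutTrust   = $plain
    PullWithTrust      = $trusted
    # True means the read-only token can pull but cannot read signing metadata.
    TrustMetadataBlock = ($plain -and -not $trusted)
}

# Clean up the test credential so it does not linger in the registry.
docker logout "$Registry.azurecr.io"
az acr token delete --name $Token --registry $Registry --yes
az acr scope-map delete --name $ScopeMap --registry $Registry --yes
```

If `TrustMetadataBlock` is true, the read-only token is the cause of the 401 rather than the image or the Docker client.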

Same issue

Petrichia avatar Jul 12 '22 08:07 Petrichia

It's also a really important feature for us, which is not working as expected.

Is there any news about an upcoming fix, maybe @Wwwsylvia or @northtyphoon?

knoxi avatar Aug 12 '22 06:08 knoxi

Hi @marc-mueller, @Petrichia, @knoxi: Have you opened a support ticket with our team yet?

terencet-dev avatar Nov 17 '22 20:11 terencet-dev

Critical feature for us. Wondering why this is still open.

To-Ue avatar Dec 19 '22 12:12 To-Ue

It has been fixed; the above repro steps are now working correctly.

marc-mueller avatar Jan 16 '23 21:01 marc-mueller