
Notary server returned 401

Open ananth07reddy opened this issue 4 years ago • 6 comments

I am able to push in the command line as shown in the screenshot

[screenshot: registry-image]

But when I try this in the concourse, I am having an error as shown in the below screenshot

I have used the example pipeline from here

[screenshot: concourse_error]

Please kindly provide me a solution to fix this issue.

ananth07reddy avatar Dec 16 '20 15:12 ananth07reddy

What does your resource definition look like? The example pipeline will not work as is, since it doesn't set the content_trust field, which is required to sign the image.

chenbh avatar Jan 04 '21 15:01 chenbh

Hi @chenbh,

Thanks for your reply. As far as I understood, repository_key and repository_key_id can be fetched after the notary sign is done. But how can I get this key and key_id beforehand to pass to the build? The remaining parameters can be set without a problem. Please kindly explain to me how I can get those values beforehand to pass to the pipeline.

    content_trust:
      repository_key_id: ((registry_key_id)) --> How can I get this id before passing it to the build?
      repository_key: ((registry_key)) --> How can I get this key?
      repository_passphrase: ((registry_passphrase))
      server: ((notary_server_address))
      tls_key: ((notary_tls_key))
      tls_cert: ((notary_tls_cert))

ananth07reddy avatar Jan 05 '21 09:01 ananth07reddy

You should be able to generate new private keys by running docker trust key generate according to https://docs.docker.com/engine/security/trust/#signing-images-with-docker-content-trust

chenbh avatar Jan 05 '21 15:01 chenbh

@ananth07reddy @chenbh I have the same problem.

One thing I am noticing: there is no way to pass the signer's passphrase, and in my case, the signer I have generated has a passphrase.

You can add a REPO passphrase, but the signer itself, I don't see an option for it.

Also, just to be clear, key_id and key are obtained after generating the new signer from ~/.docker/trust/private for the key and listing the keys from notary using notary key list

DandyDeveloper avatar Jan 18 '21 03:01 DandyDeveloper
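The lookup described in the comment above can be scripted; the following is an added example, not part of the thread or of the resource's own code. It assumes the key files under `~/.docker/trust/private` are named `<key_id>.key` and carry `role:` and `gun:` PEM header lines, and that the key wanted for `repository_key_id` is the one with role `targets` for the repository; the key IDs, the `registry.example.com/team/app` name and all function names are constructed.

```shell
#!/bin/sh
# Map key files in a Docker trust directory to the role and repository (GUN)
# recorded in their PEM headers, then pick the repository (targets) key ID.
# Assumption: files are named <key_id>.key and contain "role:" / "gun:" lines.

# Print the value of PEM header $2 from key file $1, or "-" when it is absent.
pem_header() {
    v=$(sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1)
    printf '%s' "${v:--}"
}

# Print "<key_id> <role> <gun>" for every *.key file in directory $1.
list_trust_keys() {
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue   # empty directory: the glob did not match
        printf '%s %s %s\n' "$(basename "$f" .key)" \
            "$(pem_header "$f" role)" "$(pem_header "$f" gun)"
    done
}

# Print the ID of the "targets" key for repository $2 found in directory $1.
# Exits non-zero when the directory holds no such key.
repo_key_id() {
    list_trust_keys "$1" | awk -v gun="$2" \
        '$2 == "targets" && $3 == gun { print $1; found = 1 } END { exit !found }'
}

# Write one constructed key file: $1 = path, remaining args = header lines.
write_key() {
    out=$1; shift
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$@" '' \
        'AAAA' '-----END ENCRYPTED PRIVATE KEY-----' > "$out"
}

# Build a constructed trust directory (placeholder IDs, no real key material).
make_sample_dir() {
    d=$(mktemp -d)
    write_key "$d/1111aaaa.key" 'role: root'
    write_key "$d/2222bbbb.key" 'gun: registry.example.com/team/app' 'role: targets'
    write_key "$d/3333cccc.key" 'role: alice'   # signer key: no gun header
    printf '%s' "$d"
}

sample=$(make_sample_dir)
list_trust_keys "$sample"
repo_key_id "$sample" registry.example.com/team/app
rm -rf "$sample"
```

Against a real store, call `list_trust_keys "$HOME/.docker/trust/private"` and compare the IDs with the output of `notary key list`.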

@chenbh Never mind, it is not the signer passphrase missing. I'm still getting a 401 even after I adjust the image to hardcode the password.

I'm still experimenting.

DandyDeveloper avatar Jan 18 '21 06:01 DandyDeveloper

@chenbh I came back to this. I still CANNOT figure this out. It just seems broken to me.... The commands you should be using in the library are working locally.

DandyDeveloper avatar Jan 21 '22 07:01 DandyDeveloper