
Couldn't add target to targets: could not find necessary signing keys

Open shrutianekar opened this issue 5 years ago • 1 comment

I am using Jenkins slave machines to sign and push Docker images. I have the root CA crt on the slave machines.

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://personal-server.com:4443

When I sign images, the metadata, root key, target and everything is stored on the slave machine, which gets deleted after some time. So when I run my Jenkins job again, it configures a new machine, and when signing it gives this error.

Signing and pushing trust metadata
time="2020-07-23T03:46:29Z" level=error msg="couldn't add target to targets: could not find necessary signing keys, at least one of these keys must be available: c9ad68929dedfb297b7b3e3c0de3fc2d59c71af69ad67186a89bc41e277701ae"
failed to sign artifactory.example.com/docker-registry/image:tag could not find necessary signing keys, at least one of these keys must be available: c9ad68929dedfb297b7b3e3c0de3fc2d59c71af69ad67186a89bc41e277701ae

Why is the data being stored on the client? Shouldn't it be stored on the notary server if I am giving DOCKER_CONTENT_TRUST_SERVER=https://personal-server.com:4443? Please help me out here, I am stuck on this.

shrutianekar avatar Jul 23 '20 10:07 shrutianekar

> Why is the data being stored on the client?

Why would it be stored on the server? If every key is stored on the server, we would have a single point of failure (the Server), which can perform basically any action without intervention, which is very bad.

> Shouldn't it be stored on the notary server if I am giving DOCKER_CONTENT_TRUST_SERVER=https://personal-server.com:4443

No. What the environment variable does is tell the Docker CLI where the trusted content is stored, not the keys.

You need to save the private keys and passphrases somewhere, like HashiCorp Vault, and retrieve them every time your Jenkins job spins up.

IAL32 avatar Nov 17 '21 13:11 IAL32
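The restore step the reply above describes, written out as an added example; this is not code from the issue, from the reply, or from the notary/docker projects. It relies on two facts about Docker Content Trust: private keys live under `$DOCKER_CONFIG/trust/private` (default `~/.docker/trust/private`) as `<key id>.key` PEM files carrying `role:` and `gun:` headers, and `docker push` reads the repository key passphrase non-interactively from `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`. What the script assumes (hypothetical, not in the thread) is that the pipeline has already fetched the backed-up `.key` files from the secret store into a local directory and exported the passphrase; the `EXAMPLE_ERROR` string is the error line quoted in the issue, reused as sample input.

```shell
#!/bin/sh
# Added example for this thread (not code from the issue or from notary/docker).
# Puts Docker Content Trust (DCT) signing keys back onto a fresh Jenkins agent
# so the key ID named in "could not find necessary signing keys" is present.
#
# Assumption (hypothetical): the key files were exported once from a machine
# that had them and are fetched from the secret store (e.g. Vault) into the
# directory passed to restore_trust_keys; the passphrase is exported as
# DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE by the same fetch step.
set -eu

# DCT stores private keys under $DOCKER_CONFIG/trust/private
# (default ~/.docker/trust/private), one file per key, named <key id>.key.
trust_private_dir() {
  printf '%s/trust/private\n' "${DOCKER_CONFIG:-$HOME/.docker}"
}

# Install backed-up .key files with the permissions docker expects
# (0700 directory, 0600 files). Fails if the backup directory holds no keys.
restore_trust_keys() {
  backup_dir="$1"
  dest="$(trust_private_dir)"
  mkdir -p "$dest"
  chmod 700 "$dest"
  found=0
  for f in "$backup_dir"/*.key; do
    [ -e "$f" ] || continue
    install -m 600 "$f" "$dest/$(basename "$f")"
    found=1
  done
  [ "$found" -eq 1 ] || { echo "no .key files in $backup_dir" >&2; return 1; }
}

# Extract the 64-hex key ID a DCT error line says must be available.
# Reads the error text on stdin and prints the first ID found.
required_key_id() {
  sed -n 's/.*at least one of these keys must be available: \([0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# True if a private key with this ID is installed and has the "role:" header
# DCT key files carry (e.g. "role: targets" for the repository key).
have_signing_key() {
  key_file="$(trust_private_dir)/$1.key"
  [ -f "$key_file" ] && grep -q '^role: ' "$key_file"
}

# Push with DCT enabled after checking that the key and passphrase are in
# place. Needs docker and network access, so the self-test does not run it.
sign_and_push() {
  image="$1"; key_id="$2"
  have_signing_key "$key_id" || { echo "signing key $key_id not installed" >&2; return 1; }
  : "${DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE:?export it from the secret store}"
  DOCKER_CONTENT_TRUST=1 docker push "$image"
}

# The error line quoted in the issue above, used here as sample input.
EXAMPLE_ERROR="couldn't add target to targets: could not find necessary signing keys, at least one of these keys must be available: c9ad68929dedfb297b7b3e3c0de3fc2d59c71af69ad67186a89bc41e277701ae"
```

Usage on each Jenkins run: fetch the `.key` files and the passphrase from the secret store, call `restore_trust_keys "$fetched_dir"`, then `sign_and_push artifactory.example.com/docker-registry/image:tag "$(printf '%s\n' "$EXAMPLE_ERROR" | required_key_id)"` (with the key ID your own error or `docker trust inspect` reports). Keep the passphrase in an environment variable injected by the credentials plugin rather than in a shell line, so it never reaches the build log.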