Getting the public root key doesn't work for private registry

Open xopham opened this issue 3 years ago • 4 comments

Currently the get-public-root-key utility does not allow providing authentication credentials. This is discussed in the GitHub Discussion mentioned below:

Discussed in https://github.com/sse-secure-systems/connaisseur/discussions/252

Originally posted by apopaa August 10, 2021

The method of getting the public root key described in "Getting the public root key" does not work for images in Azure Container Registry:

```
docker run --rm docker.io/securesystemsengineering/get-public-root-key -i apopa/testimage3 -s myregistry.azurecr.io
Traceback (most recent call last):
  File "/app/get_root_key.py", line 54, in <module>
    root_key_id, root_key = asyncio.run(
  File "/usr/local/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/local/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/app/get_root_key.py", line 16, in get_pub_root_key
    root_td = await notary.get_trust_data(image, TUFRole("root"))
  File "/app/connaisseur/validators/notaryv1/notary.py", line 100, in get_trust_data
    raise UnreachableError(
connaisseur.exceptions.UnreachableError: {'message': 'Unable to reach notary host no.', 'context': {'notary_name': 'no', 'tuf_role': 'root', 'detection_mode': False}}
```

xopham avatar Aug 11 '21 07:08 xopham

Got the same issue. Maybe there is a workaround to use connaisseur with a self-hosted notary server?

aegorushkov avatar Dec 30 '21 06:12 aegorushkov

@aegorushkov The fix for this issue is still pending. However, does the workaround described in the discussion above work for you? Otherwise, there used to be manual instructions for extracting the public key from the machine it was created on: https://github.com/sse-secure-systems/connaisseur/blob/v1.5.0/setup/README.md#set-your-public-key-as-trust-anchor

Let us know if that helps :pray:

xopham avatar Dec 30 '21 12:12 xopham

I'm getting two of the root keys, though :) I will try both, but also, the curl method didn't work:

```
curl -u "user:password" "https://docker-registry/devops/alpine:4443/v2/docker-registry/devops/alpine/_trust/tuf/root.json"
```

with my own parameters returned

```
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"docker-registry/devops/alpine","Action":"pull"}]}]}
```

Maybe there is a self-managed DB of authorized users on Notary (not Harbor)? I've tried all the combinations of users/passwords :(

aegorushkov avatar Dec 30 '21 13:12 aegorushkov

```
* Server auth using Basic with user 'user'
> GET /v2/docker-registry/devops/alpine/_trust/tuf/root.json HTTP/1.1
> Host: docker-registry01.corp.isbc.ru:4443
> Authorization: Basic [redacted]
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Thu, 30 Dec 2021 13:21:06 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 187
< Connection: keep-alive
```

aegorushkov avatar Dec 30 '21 13:12 aegorushkov