5th chunk of `content/manuals/engine/security/trust/trust_delegation.md`
Adding signer "jeff" to registry.example.com/admin/demo...
Enter passphrase for repository key with ID b0014f8: 
Successfully added signer: jeff to registry.example.com/admin/demo
```

Inspect the repository to confirm that the delegation (signer) now contains multiple key IDs.

```console
$ docker trust inspect --pretty registry.example.com/admin/demo

No signatures for registry.example.com/admin/demo


List of signers and their keys for registry.example.com/admin/demo

SIGNER              KEYS
jeff                1091060d7bfd, 5570b88df073

Administrative keys for registry.example.com/admin/demo

  Repository Key:	b0014f8e4863df2d028095b74efcb05d872c3591de0af06652944e310d96598d
  Root Key:	64d147e59e44870311dd2d80b9f7840039115ef3dfa5008127d769a5f657a5d7
```

### Removing a delegation

If you need to remove a delegation, including the contributor keys that are 
attached to the `targets/releases` role, you can use the 
`$ docker trust signer remove` command.

> [!NOTE]
>
> Tags that were signed by the removed delegation will need to be resigned 
> by an active delegation.

```console
$ docker trust signer remove ben registry.example.com/admin/demo
Removing signer "ben" from registry.example.com/admin/demo...
Enter passphrase for repository key with ID b0014f8: 
Successfully removed ben from registry.example.com/admin/demo
```

#### Troubleshooting

1) If you see an error that there are no usable keys in `targets/releases`, you 
   will need to add additional delegations using `docker trust signer add` before 
   resigning images.

   ```text
   WARN[0000] role targets/releases has fewer keys than its threshold of 1; it will not be usable until keys are added to it
   ```

2) If you have added additional delegations already and are seeing an error 
   message that there are no valid signatures in `targets/releases`, you will need
   to resign the `targets/releases` delegation file with the Notary CLI.

   ```text
   WARN[0000] Error getting targets/releases: valid signatures did not meet threshold for targets/releases 
   ```

   Resigning the delegation file is done with the `$ notary witness` command.

   ```console
   $ notary witness registry.example.com/admin/demo targets/releases --publish
   ```

   More information on the `$ notary witness` command can be found 
   [here](https://github.com/theupdateframework/notary/blob/master/docs/advanced_usage.md#recovering-a-delegation).

### Removing a contributor's key from a delegation

As part of rotating keys for a delegation, you may want to remove an individual 
key but retain the delegation. This can be done with the Notary CLI.

Remember you will have to remove the key from both the `targets/releases` role 
and the role specific to that signer `targets/<name>`.
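Because the same key ID is listed under both `targets/releases` and the signer's own role, it is easy to remove it from one and forget the other. The following shell script is an added example (not part of the Docker or Notary documentation) that reads a saved `notary delegation list` table, resolves a short key ID prefix to exactly one full key ID, and prints the `notary delegation remove` command for every role that still holds that key. The table embedded in `DELEGATION_LIST` is constructed sample input copied from the format shown in the steps below; the function names `delegation_keys`, `resolve_key`, `roles_for_key` and `removal_commands` are this example's own. The script only prints commands; it never contacts a Notary server.

```shell
#!/bin/sh
# Added example: derive the per-role `notary delegation remove` commands for a
# contributor key from a saved `notary delegation list` table.
# DELEGATION_LIST is constructed sample input in the CLI's table layout; in
# practice capture it with: notary delegation list <repo> > delegations.txt

DELEGATION_LIST='ROLE                PATHS             KEY IDS                                                             THRESHOLD
----                -----             -------                                                             ---------
targets/jeff        "" <all paths>    8fb597cbaf196f0781628b2f52bff6b3912e4e8075720378fda60d17232bbcf9    1
                                      1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1
targets/releases    "" <all paths>    8fb597cbaf196f0781628b2f52bff6b3912e4e8075720378fda60d17232bbcf9    1
                                      1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1'

# Print "ROLE KEYID" pairs. Roles with several keys continue on extra lines
# whose ROLE column is blank, so the last seen role is carried forward.
delegation_keys() {
    printf '%s\n' "$DELEGATION_LIST" | awk '
        NR <= 2 { next }                       # skip header and dashes
        $1 ~ /^targets\// { role = $1 }        # a row that starts a new role
        {
            for (i = 1; i <= NF; i++)
                if (length($i) == 64 && $i ~ /^[0-9a-f]+$/)
                    print role, $i
        }'
}

# Resolve a key ID prefix to exactly one full key ID. Fails when the prefix
# matches no key or more than one, so a typo cannot silently pick the wrong key.
resolve_key() {
    matches=$(delegation_keys | awk -v p="$1" 'index($2, p) == 1 { print $2 }' | sort -u)
    case $(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }') in
        1) printf '%s\n' "$matches" ;;
        0) echo "no key matches prefix $1" >&2; return 1 ;;
        *) echo "prefix $1 is ambiguous; give more characters" >&2; return 1 ;;
    esac
}

# List every role that currently holds the key (normally the signer's own
# targets/<name> role plus targets/releases).
roles_for_key() {
    key=$(resolve_key "$1") || return 1
    delegation_keys | awk -v k="$key" '$2 == k { print $1 }'
}

# Print one removal command per role so the key is dropped everywhere.
removal_commands() {
    repo=$1
    key=$(resolve_key "$2") || return 1
    roles_for_key "$key" | while read -r role; do
        printf 'notary delegation remove %s %s %s --publish\n' "$repo" "$role" "$key"
    done
}

# Usage with the sample table and the key prefix from the inspect output above.
removal_commands registry.example.com/admin/demo 1091060d7bfd
```

Running the script prints one `notary delegation remove ... --publish` line for `targets/jeff` and one for `targets/releases`; each still prompts for the repository (targets) key passphrase when executed, as the step below shows. A prefix that matches nothing, or that is shared by two key IDs, makes `resolve_key` fail instead of guessing.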

1) We will need to grab the Key ID from the Notary Server

   ```console
   $ notary delegation list registry.example.com/admin/demo

   ROLE                PATHS             KEY IDS                                                             THRESHOLD
   ----                -----             -------                                                             ---------
   targets/jeff        "" <all paths>    8fb597cbaf196f0781628b2f52bff6b3912e4e8075720378fda60d17232bbcf9    1
                                         1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1    
   targets/releases    "" <all paths>    8fb597cbaf196f0781628b2f52bff6b3912e4e8075720378fda60d17232bbcf9    1
                                         1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1    
   ```

2) Remove from the `targets/releases` delegation

   ```console
   $ notary delegation remove registry.example.com/admin/demo targets/releases 1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1 --publish
   
   Auto-publishing changes to registry.example.com/admin/demo
   Enter username: admin
   Enter password: 
   Enter passphrase for targets key with ID b0014f8: 
