3rd chunk of `content/manuals/engine/security/trust/trust_delegation.md`
Finally, you need to add the private key to your local Docker trust store.

```console
$ docker trust key load delegation.key --name jeff

Loading key from "delegation.key"...
Enter passphrase for new jeff key with ID 8ae710e: 
Repeat passphrase for new jeff key with ID 8ae710e: 
Successfully imported key from delegation.key
```

### Viewing local delegation keys

To list the keys that have been imported into the local Docker trust store, use
the Notary CLI.

```console
$ notary key list

ROLE       GUN                          KEY ID                                                              LOCATION
----       ---                          ------                                                              --------
root                                    f6c6a4b00fefd8751f86194c7d87a3bede444540eb3378c4a11ce10852ab1f96    /home/ubuntu/.docker/trust/private
jeff                                    9deed251daa1aa6f9d5f9b752847647cf8d705da0763aa5467650d0987ed5306    /home/ubuntu/.docker/trust/private
```

## Managing delegations in a Notary Server

When the first delegation is added to the Notary Server using `$ docker trust`,
trust data for the repository is initiated automatically. This includes creating
the Notary targets and snapshot keys, and rotating the snapshot key so that it is
managed by the Notary server. More information on these keys can be found
[here](trust_key_mng.md).

When initiating a repository, you will need the key and the passphrase of a local
Notary Canonical Root Key. If you have not initiated a repository before, and 
therefore don't have a Notary root key, `$ docker trust` will create one for you.

> [!IMPORTANT]
>
> Be sure to protect and back up your [Notary Canonical Root Key](trust_key_mng.md).

### Initiating the repository

To upload the first key to a delegation, initiating a repository at the same
time, use the `$ docker trust signer add` command. This adds the contributor's
public key to the `targets/releases` delegation and creates a second
`targets/<name>` delegation.

For DCT, the name of the second delegation (`jeff` in the example below) is
there to help you keep track of the owner of the keys. In more advanced Notary
use cases, additional delegations are used for hierarchy.

```console
$ docker trust signer add --key cert.pem jeff registry.example.com/admin/demo

Adding signer "jeff" to registry.example.com/admin/demo...
Initializing signed repository for registry.example.com/admin/demo...
Enter passphrase for root key with ID f6c6a4b: 
Enter passphrase for new repository key with ID b0014f8: 
Repeat passphrase for new repository key with ID b0014f8: 
Successfully initialized "registry.example.com/admin/demo"
Successfully added signer: jeff to registry.example.com/admin/demo
```

You can see which keys have been pushed to the Notary server for each repository
with the `$ docker trust inspect` command.

```console
$ docker trust inspect --pretty registry.example.com/admin/demo

No signatures for registry.example.com/admin/demo


List of signers and their keys for registry.example.com/admin/demo

SIGNER              KEYS
jeff                1091060d7bfd

Administrative keys for registry.example.com/admin/demo

  Repository Key:	b0014f8e4863df2d028095b74efcb05d872c3591de0af06652944e310d96598d
  Root Key:	64d147e59e44870311dd2d80b9f7840039115ef3dfa5008127d769a5f657a5d7
```
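Once signers have been pushed, a defender's natural follow-up is to detect drift: a signer or key appearing on the repository that nobody intended to add. The script below is an added example, not code from Docker or the Notary project. It assumes that `docker trust inspect` without `--pretty` emits a JSON array whose entries carry `Name`, `SignedTags`, `Signers` (each with `Name` and `Keys` of `{"ID": ...}`) and `AdministrativeKeys`; the sample document is constructed to mirror the `--pretty` listing above for `registry.example.com/admin/demo`, and `EXPECTED_SIGNERS`, `check_signers` and `administrative_keys` are hypothetical names chosen for this example.

```python
import json
import sys

# Constructed sample of what `docker trust inspect registry.example.com/admin/demo`
# (without --pretty) is assumed to emit right after `docker trust signer add`:
# the same signer and key IDs as the --pretty listing above, no tags signed yet.
SAMPLE_INSPECT_JSON = json.dumps([{
    "Name": "registry.example.com/admin/demo",
    "SignedTags": [],
    "Signers": [
        {"Name": "jeff",
         "Keys": [{"ID": "1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1"}]},
    ],
    "AdministrativeKeys": [
        {"Name": "Repository",
         "Keys": [{"ID": "b0014f8e4863df2d028095b74efcb05d872c3591de0af06652944e310d96598d"}]},
        {"Name": "Root",
         "Keys": [{"ID": "64d147e59e44870311dd2d80b9f7840039115ef3dfa5008127d769a5f657a5d7"}]},
    ],
}])

# Hypothetical allow-list: the signers an operator expects on this repository.
# IDs may be the 12-hex prefixes that --pretty prints, or full 64-hex IDs.
EXPECTED_SIGNERS = {"jeff": {"1091060d7bfd"}}


def _id_matches(expected_id: str, full_id: str) -> bool:
    """Accept a full key ID or a prefix of at least 12 hex chars (the --pretty width)."""
    expected_id = expected_id.lower()
    return len(expected_id) >= 12 and full_id.lower().startswith(expected_id)


def _repo_entry(inspect_json: str, repo: str) -> dict:
    """Find the inspect entry for one repository name."""
    for entry in json.loads(inspect_json):
        if entry.get("Name") == repo:
            return entry
    raise KeyError(f"repository {repo!r} not present in inspect output")


def signer_keys(inspect_json: str, repo: str) -> dict:
    """Map each signer name to the set of full key IDs in its delegation."""
    entry = _repo_entry(inspect_json, repo)
    return {s["Name"]: {k["ID"] for k in s.get("Keys", [])}
            for s in entry.get("Signers", [])}


def administrative_keys(inspect_json: str, repo: str) -> dict:
    """Map 'Root' / 'Repository' to their key IDs, so an audit can pin them."""
    entry = _repo_entry(inspect_json, repo)
    return {a["Name"]: {k["ID"] for k in a.get("Keys", [])}
            for a in entry.get("AdministrativeKeys", [])}


def check_signers(inspect_json: str, repo: str, expected: dict) -> list:
    """Diff the live signer set against an allow-list; [] means no drift.

    Findings are sorted so the result is stable across runs.
    """
    actual = signer_keys(inspect_json, repo)
    findings = []
    for name in sorted(actual.keys() - expected.keys()):
        findings.append(f"unexpected signer {name!r}")
    for name in sorted(expected.keys() - actual.keys()):
        findings.append(f"missing signer {name!r}")
    for name in sorted(actual.keys() & expected.keys()):
        for key_id in sorted(actual[name]):
            if not any(_id_matches(e, key_id) for e in expected[name]):
                findings.append(f"signer {name!r} has unexpected key {key_id[:12]}")
        for e in sorted(expected[name]):
            if not any(_id_matches(e, key_id) for key_id in actual[name]):
                findings.append(f"signer {name!r} is missing key {e[:12]}")
    return findings


if __name__ == "__main__":
    # Usage: docker trust inspect <repo> | python check_signers.py <repo>
    # Reads the JSON from stdin (falls back to the constructed sample) and
    # exits non-zero if the signer set has drifted from EXPECTED_SIGNERS.
    repo = sys.argv[1] if len(sys.argv) > 1 else "registry.example.com/admin/demo"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT_JSON
    problems = check_signers(data, repo, EXPECTED_SIGNERS)
    for p in problems:
        print("DRIFT:", p)
    sys.exit(1 if problems else 0)
```

Pinning `administrative_keys(...)["Root"]` alongside the signer allow-list is worth doing in the same job: a changed root key ID on a repository you did not rotate is a stronger signal than an extra signer.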

You could also use the Notary CLI to list delegations and keys. Here you can
clearly see the keys were attached to `targets/releases` and `targets/jeff`.

```console
$ notary delegation list registry.example.com/admin/demo

ROLE                PATHS             KEY IDS                                                             THRESHOLD
----                -----             -------                                                             ---------
targets/jeff        "" <all paths>    1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1    1
```