Skip to content

Instantly share code, notes, and snippets.

@eumel8

eumel8/notary.md

Last active May 31, 2020 17:40
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save eumel8/44a66326aa91ea5aea7748f6c3459383 to your computer and use it in GitHub Desktop.
Save eumel8/44a66326aa91ea5aea7748f6c3459383 to your computer and use it in GitHub Desktop.
Download ZIP
How to make trust with Yubikey
Raw
notary.md

How to make trust with Yubikey

  1. Yubikey 5 series with PIV (https://www.yubico.com/product/yubikey-5-nfc)

  2. Ubuntu 18.04

  3. Install Software

 apt install docker.io 
 add-apt-repository ppa:yubico/stable && sudo apt-get update
 apt install yubikey-manager 
 wget http://archive.ubuntu.com/ubuntu/pool/universe/y/yubico-piv-tool/yubico-piv-tool_2.0.0-2_amd64.deb
 dpkg -i yubico-piv-tool_2.0.0-2_amd64.deb
 wget -O /usr/local/bin/notary https://github.com/docker/notary/releases/download/v0.6.1/notary-Linux-amd64 && chmod a+x /usr/local/bin/notary

Older version of yubico-piv-tool won't work correctly. Older version of notary haven't Yubikey Support

  1. Insert Yubikey

  2. Test Yubikey

$ ykman info
Device type: YubiKey 5 NFC
Serial number: 13316569
Firmware version: 5.2.6
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID
NFC interface is enabled.

Applications    USB     NFC
OTP             Enabled Enabled
FIDO U2F        Enabled Enabled
OpenPGP         Enabled Enabled
PIV             Enabled Enabled
OATH            Enabled Enabled
FIDO2           Enabled Enabled

Default Management Key: 102030405060708010203040506070801020304050607080 Default PIN: 123456

  1. Generate key/cert
yubico-piv-tool -s 9c -a generate -k --pin-policy=always --touch-policy=always --algorithm=ECCP256 -o public.pem
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9c -S '/CN=root/' --valid-days=365 -i public.pem -o cert.pem
yubico-piv-tool -k -a import-certificate -s 9c -i cert.pem
  1. Check notary key list
/usr/local/bin/notary -d ~/.docker/trust key list

ROLE    GUN    KEY ID                                                              LOCATION
----    ---    ------                                                              --------
root           8a030f980da58cb3df91bbd1af8ad71ff0573fa1901661f2d752b0d380b20654    yubikey
  1. A simple Dockerfile
FROM alpine
RUN true
  1. Build
DOCKER_CONTENT_TRUST_SERVER=https://notary.docker.io DOCKER_CONTENT_TRUST=1 docker build -t mtr.external.otc.telekomcloud.com/eumel8/alpine:0.0.1 .

DOCKER_CONTENT_TRUST_SERVER=https://notary.external.otc.telekomcloud.com DOCKER_CONTENT_TRUST=1 docker build -t mtr.external.otc.telekomcloud.com/eumel8/test:0.0.3 .
  1. Sign
# DOCKER_CONTENT_TRUST_SERVER=https://notary.external.otc.telekomcloud.com DOCKER_CONTENT_TRUST=1 docker trust sign mtr.external.otc.telekomcloud.com/eumel8/test:0.0.3
INFO[0000] Unsupported x509 PublicKeyAlgorithm: 1
Please touch the attached Yubikey to perform signing.
Enter passphrase for new repository key with ID d8ca7e1:
Repeat passphrase for new repository key with ID d8ca7e1:
Please touch the attached Yubikey to perform signing.
Enter passphrase for new eumel8 key with ID 88ca03e:
Repeat passphrase for new eumel8 key with ID 88ca03e:
Created signer: eumel8
Finished initializing signed repository for mtr.external.otc.telekomcloud.com/eumel8/test:0.0.3
Signing and pushing trust data for local image mtr.external.otc.telekomcloud.com/eumel8/test:0.0.3, may overwrite remote trust data
The push refers to repository [mtr.external.otc.telekomcloud.com/eumel8/test]
50644c29ef5a: Mounted from eumel8/alpine                                                                                                                                    0.0.3: digest: sha256:e51e47319b0aa0d026e773e31ec1ad63d8f48dad6402f34110f2a2deb5f63285 size: 528
Signing and pushing trust metadata
INFO[0059] Unsupported x509 PublicKeyAlgorithm: 1
Enter passphrase for eumel8 key with ID 88ca03e:
Successfully signed mtr.external.otc.telekomcloud.com/eumel8/test:0.0.3
  1. Inspect
# docker trust inspect mtr.external.otc.telekomcloud.com/eumel8/test:0.0.3
INFO[0000] Unsupported x509 PublicKeyAlgorithm: 1
[
    {
        "Name": "mtr.external.otc.telekomcloud.com/eumel8/test:0.0.3",
        "SignedTags": [
            {
                "SignedTag": "0.0.3",
                "Digest": "e51e47319b0aa0d026e773e31ec1ad63d8f48dad6402f34110f2a2deb5f63285",
                "Signers": [
                    "eumel8"
                ]
            }
        ],
        "Signers": [
            {
                "Name": "eumel8",
                "Keys": [
                    {
                        "ID": "88ca03e36ea032948bcf59cbb3624debf22ce7796ccd69f3e0e1dc4b5c3bdf98"
                    }
                ]
            }
        ],
        "AdministrativeKeys": [
            {
                "Name": "Root",
                "Keys": [
                    {
                        "ID": "6d5216e9ce27dda440183f7945b3d26c8990322921fa2ba2bd8a012e1b716b0d"
                    }
                ]
            },
            {
                "Name": "Repository",
                "Keys": [
                    {
                        "ID": "d8ca7e1860f8198f7c300717c73149423d79b05e0e40913f23237a3e1959933c"
                    }
                ]
            }
        ]
    }
]

Reference:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment