Docker Content Trust Delegation Script
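#!/bin/bash
# Bootstrap Docker Content Trust (notary) delegations for one or more DTR
# repositories: wipe any existing trust data, initialise each repository,
# rotate the snapshot key to server-managed, and add cert.pem to the
# targets/releases and targets/<username> delegation roles.
#
# Requires: notary, expect, a cert.pem in the current directory and the DTR
# CA at ${HOME}/.docker/tls/<DTR FQDN>/ca.crt. Credentials and passphrases
# are read interactively and handed to notary/expect only via the environment
# (never on a command line), so they do not show up in `ps` output.
set -eu

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Run one notary step through expect so the DTR login prompt is answered
# non-interactively.
# Arguments: $1 - label printed before the step; remaining args are appended
#            to NOTARY_OPTS and form the notary command line
# Globals:   NOTARY_OPTS, expect_script (read)
# Returns:   notary's exit status (the expect script propagates it)
run_notary() {
  local step=$1
  shift
  printf '\n%s\n' "${step}"
  NOTARY_PARAMS="${NOTARY_OPTS} $*" expect "${expect_script}"
}

# check to see if a cert.pem exists in the current directory
[[ -f "cert.pem" ]] || die "ERROR - cert.pem not found (are you in the right directory?)"

# get DTR info. The FQDN is read first because the CA check needs it; the
# original ordering tested the CA path before DTR_URL had a value.
read -r -p "DTR FQDN: " DTR_URL
[[ -n "${DTR_URL}" ]] || die "ERROR - DTR FQDN must not be empty"
# check to see if CA cert exists for your DTR
ca_cert="${HOME}/.docker/tls/${DTR_URL}/ca.crt"
[[ -f "${ca_cert}" ]] || die "ERROR - ${ca_cert} not found for your DTR (retrieve it from https://${DTR_URL}/ca)"
read -r -p "DTR username: " USERNAME
[[ -n "${USERNAME}" ]] || die "ERROR - DTR username must not be empty"
read -r -s -p "DTR password: " PASSWORD; echo
read -r -p "DTR namespace: " NAMESPACE
[[ -n "${NAMESPACE}" ]] || die "ERROR - DTR namespace must not be empty"
read -r -p "DTR repo list (space separated): " REPO_LIST
# split the list once into an array instead of relying on unquoted expansion
read -r -a repos <<<"${REPO_LIST}"
(( ${#repos[@]} > 0 )) || die "ERROR - no repositories given"
# automatically assume role will be username
export ROLE="${USERNAME}"
# get passphrases for notary operation
read -r -s -p "Root passphrase: " NOTARY_ROOT_PASSPHRASE; echo
read -r -s -p "Targets passphrase: " NOTARY_TARGETS_PASSPHRASE; echo
read -r -s -p "Snapshot passphrase: " NOTARY_SNAPSHOT_PASSPHRASE; echo
read -r -s -p "Delegation passphrase: " NOTARY_DELEGATION_PASSPHRASE; echo
# export env vars: notary reads the NOTARY_*_PASSPHRASE values, the expect
# script reads USERNAME and PASSWORD
export DTR_URL USERNAME PASSWORD NAMESPACE REPO_LIST NOTARY_ROOT_PASSPHRASE NOTARY_TARGETS_PASSPHRASE NOTARY_SNAPSHOT_PASSPHRASE NOTARY_DELEGATION_PASSPHRASE
# set notary options to make code cleaner (kept as a string because the
# expect script receives it through the environment)
export NOTARY_OPTS="-s https://${DTR_URL} -d ${HOME}/.docker/trust --tlscacert ${ca_cert}"
# write expect script to a private temp file (mktemp gives an unpredictable
# name with 0600 permissions) and remove it on every exit path, including
# the die() calls below
expect_script=$(mktemp) || die "ERROR - could not create temporary expect script"
trap 'rm -f -- "${expect_script}"' EXIT
cat > "${expect_script}" <<'EOL'
#!/usr/bin/env expect -f
# Expand NOTARY_PARAMS as a Tcl list instead of eval'ing it, so that
# metacharacters in repository names are never interpreted as Tcl code.
spawn notary {*}$env(NOTARY_PARAMS)
expect "Enter username: "
send "$env(USERNAME)\r"
expect "Enter password: "
send "$env(PASSWORD)\r"
expect eof
# propagate notary's exit status to the shell instead of always returning 0
catch wait result
exit [lindex $result 3]
EOL
# initialize repos
for repo in "${repos[@]}"; do
  gun="${DTR_URL}/${NAMESPACE}/${repo}"
  printf '\n%s\n' "delete local data"
  # best effort: there may be no local trust data for this repo yet
  # shellcheck disable=SC2086
  notary ${NOTARY_OPTS} delete "${gun}" || true
  # best effort: a brand-new repo has no remote trust data to delete
  run_notary "delete remote data" delete "${gun}" --remote || true
  # from here on a failure must stop the run; continuing would leave a
  # half-initialised repository and misleading "success" output
  run_notary "initialize repo" init "${gun}" || die "ERROR - notary init failed for ${gun}"
  run_notary "publish staged changes" publish "${gun}" || die "ERROR - notary publish failed for ${gun}"
  run_notary "rotate snapshot key" key rotate "${gun}" snapshot --server-managed || die "ERROR - snapshot key rotation failed for ${gun}"
  run_notary "add cert to releases role" delegation add -p "${gun}" targets/releases --all-paths cert.pem || die "ERROR - adding targets/releases delegation failed for ${gun}"
  run_notary "add cert to ${ROLE} role" delegation add -p "${gun}" "targets/${ROLE}" --all-paths cert.pem || die "ERROR - adding targets/${ROLE} delegation failed for ${gun}"
  printf '\n%s\n' "listing delegations"
  # shellcheck disable=SC2086
  notary ${NOTARY_OPTS} delegation list "${gun}"
done
# cleanup of the expect script is handled by the EXIT trap
# instruct user to import their private key
echo "Make sure to import the private key on the client performing the signing:"
echo "notary -d ~/.docker/trust key import key.pem"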
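# set environment variables to make the commands below portable
export DTR_URL="dtr.demo.dckr.org"
export NAMESPACE="demo"
export REPO="dcttest"
export ROLE="dev"
# path of the DTR CA; computed once so the download and --tlscacert agree
CA_PATH="${HOME}/.docker/tls/${DTR_URL}/ca.crt"
export NOTARY_OPTS="-d ${HOME}/.docker/trust -s https://${DTR_URL} --tlscacert ${CA_PATH}"
# globally unique name of the repository, shared by every notary call below
GUN="${DTR_URL}/${NAMESPACE}/${REPO}"
# create directory and download CA from DTR for self-signed.
# -k skips TLS verification because the CA being fetched is the very thing
# that would verify the connection (trust-on-first-use); --fail keeps an
# HTTP error page from being written to ca.crt and the -s check rejects an
# empty download.
mkdir -p -- "${CA_PATH%/*}"
curl -sSLk --fail -o "${CA_PATH}" "https://${DTR_URL}/ca" || { echo "ERROR - could not download CA from https://${DTR_URL}/ca" >&2; exit 1; }
[[ -s "${CA_PATH}" ]] || { echo "ERROR - downloaded CA ${CA_PATH} is empty" >&2; exit 1; }
# Before trusting it, compare the fingerprint with the value published by the
# DTR administrator:  openssl x509 -in "${CA_PATH}" -noout -fingerprint -sha256
# remove data; local and remote
# shellcheck disable=SC2086
notary ${NOTARY_OPTS} delete "${GUN}" --remote
# initialize repository in notary
# shellcheck disable=SC2086
notary ${NOTARY_OPTS} init "${GUN}"
# publish locally staged changes
# shellcheck disable=SC2086
notary ${NOTARY_OPTS} publish "${GUN}"
# rotate snapshot key and change it to server managed
# shellcheck disable=SC2086
notary ${NOTARY_OPTS} key rotate "${GUN}" snapshot --server-managed
# create delegation for 'targets/releases' role
# shellcheck disable=SC2086
notary ${NOTARY_OPTS} delegation add -p "${GUN}" targets/releases --all-paths cert.pem
# create delegation for 'targets/${ROLE}' role
# shellcheck disable=SC2086
notary ${NOTARY_OPTS} delegation add -p "${GUN}" "targets/${ROLE}" --all-paths cert.pem
# show delegations
# shellcheck disable=SC2086
notary ${NOTARY_OPTS} delegation list "${GUN}"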
# set environment variables to make the commands below portable
$env:DTR_URL = "dtr.demo.dckr.org"
$env:NAMESPACE = "demo"
$env:REPO = "dcttest"
$env:ROLE = "dev"
# options shared by every notary call: local trust directory and DTR server.
# PowerShell passes each array element to the native command as a separate
# argument, so this is the same command line as spelling the options out.
# NOTE(review): unlike the bash variant, no --tlscacert is passed here; confirm
# the DTR CA is already trusted by this client before using a self-signed DTR.
$notaryOpts = @('-d', "${HOME}\.docker\trust", '-s', "https://${env:DTR_URL}")
# globally unique name of the repository in notary
$gun = "${env:DTR_URL}/${env:NAMESPACE}/${env:REPO}"
# remove data; local and remote
notary $notaryOpts delete $gun --remote
# initialize repository in notary
notary $notaryOpts init $gun
# publish locally staged changes
notary $notaryOpts publish $gun
# rotate snapshot key and change it to server managed
notary $notaryOpts key rotate $gun snapshot --server-managed
# create delegation for 'targets/releases' role
notary $notaryOpts delegation add -p $gun targets/releases --all-paths cert.pem
# create delegation for 'targets/${ROLE}' role
notary $notaryOpts delegation add -p $gun "targets/${env:ROLE}" --all-paths cert.pem
# show delegations
notary $notaryOpts delegation list $gun
# import key (only the -d option applies; no server contact is needed)
notary -d "${HOME}\.docker\trust" key import key.pem
# turn on content trust for the docker CLI in this session
$env:DOCKER_CONTENT_TRUST = "1"