Given that the Docker Content Trust is enabled, I can see the Root Key information when I inspect a repo as below.

[root@lab admin]# docker trust inspect registry.XXXXXX.com/project/nginx --pretty

Signatures for registry.XXXXXX.com/project/nginx

SIGNED TAG   DIGEST                                                             SIGNERS
test         61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa   john
test1        61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa   john
test2        61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa   john

List of signers and their keys for registry.XXXXXX.com/project/nginx

SIGNER    KEYS
john   f20b2f70c3fa

Administrative keys for registry.XXXXXX.com/project/nginx

  Repository Key:       XXXXXXX
  Root Key:     XXXXXXX  <-------------------------------------- this is a hashed value

However, that Root Key value is actually a hashed value, so I cannot really confirm whether the root key used for this repo is the root key file in my ~/.docker/trust/private.

I am wondering whether there is a way to reveal the relation between this hashed root key ID and the actual root key file.

Thanks for your help.

yzftnt

1 Answer

You can use notary -d ~/.docker/trust key list, but if you have more than one root key it can be confusing, so every time I generate a root key I rename it to myRepo.key and move it to a safe location, preferably offline. You will need it only if you want to create or revoke other delegated keys.

JB68
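To tell several key files apart without notary, the following added example (not code from the question or the answer) reads the role and repository recorded in each key file. It assumes the layout in which every file in the private directory is named `<key ID>.key` and begins with a PEM block carrying `role:` and, for repository keys, `gun:` headers; the function name `list_trust_keys` is hypothetical.

```shell
#!/bin/sh
# Added example: print "<key id> <role> <gun>" (tab separated) for every key
# file in a Docker Content Trust private-key directory.
# Assumptions: files are named <key id>.key and their PEM headers contain
# "role: <name>" and, for repository keys, "gun: <repository>".
# Usage: list_trust_keys [directory] [role-filter]

list_trust_keys() {
    ltk_dir=${1:-"$HOME/.docker/trust/private"}
    ltk_role=${2:-}                      # optional filter, e.g. "root"
    for ltk_file in "$ltk_dir"/*.key; do
        [ -f "$ltk_file" ] || continue   # glob matched nothing, or not a file
        ltk_id=$(basename "$ltk_file" .key)
        # Only the PEM header lines are read: parsing stops at the first
        # blank line, so the key material itself is never interpreted.
        awk -v id="$ltk_id" -v want="$ltk_role" '
            { sub(/\r$/, "") }                       # tolerate CRLF files
            /^-----BEGIN /        { inhdr = 1; next }
            inhdr && /^[ \t]*$/   { exit }           # end of PEM headers
            inhdr && /^role:/     { sub(/^role:[ \t]*/, ""); role = $0 }
            inhdr && /^gun:/      { sub(/^gun:[ \t]*/, "");  gun = $0 }
            END {
                if (role == "") role = "unknown"     # no role header found
                if (gun == "")  gun = "-"            # root and signer keys
                if (want == "" || want == role)
                    printf "%s\t%s\t%s\n", id, role, gun
            }' "$ltk_file"
    done
}
```

After sourcing the file, `list_trust_keys ~/.docker/trust/private root` prints one line per root key file, which can then be compared against the output of notary key list.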