notary: Debugging "no valid signing keys for delegation roles" error

I’m pretty sure the problem is between the chair and the computer here, but I wanted to get a better understanding of how notary works so that I can easily pinpoint solutions when something like this happens.

I got the delegation working for the targets/releases role (using docker:dind to test the pushes) but somehow I lost the ability of signing releases on the host machine with root (YubiKey).

The error is:

Failed to sign "foo.com/bar":1.0.0 - no valid signing keys for delegation roles
no valid signing keys for delegation roles

If I list delegations on that GUN, it’s true that I don’t see my delegation role there (just the other machine’s one, which continues to be able to push).

However, notary <…> key list gives me this:

targets    ...oo.com/bar    05209e8a98a5f584e1e13ec088670d4c49ab7db11c9156b77542f1588c099a09    /Users/foobar/.docker/trust/private

That same key id appears when I use -D -v and do delegation list foo.com/bar:

DEBU[0000] Loading targets...
DEBU[0000] targets role has key IDs: 05209e8a98a5f584e1e13ec088670d4c49ab7db11c9156b77542f1588c099a09
DEBU[0000] verifying signature for key ID: 05209e8a98a5f584e1e13ec088670d4c49ab7db11c9156b77542f1588c099a09
DEBU[0000] successfully verified cached targets

Where did the link get broken? Could it have been an experimentation with snapshot key rotation?

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 21 (8 by maintainers)

Most upvoted comments

I’ll get to your comment in a few seconds, but I just found this in the repository’s advanced usage .md:

If delegation roles exist but the user does not have signing keys, the push will fail. If no delegation roles exist, the push will attempt to sign with the base targets role.

Since I’ve added a delegation role, I think Docker 1.11+ will stop using the targets role.

hi @ruimarinho, we’d be happy to help!

Docker Content Trust has an opinionated view of delegations because once you’ve added delegations for a role, it will attempt to only sign tags into a delegation. So the error you’re seeing for foo.com/bar is saying that Docker Content Trust knows that there are delegations set up for this repository and it can’t find any delegation keys to sign with on the local machine.

Do you have a delegation key on that box? It appears from the notary key list output you’ve provided that you only have the targets key. In this case, you could generate and add a new key to your delegation and you can do this because you have the targets key locally and the snapshot key is rotated to the server. You could then use this newly added delegation key to sign foo.com/bar with Docker Content Trust on your machine.

Does this help? Please let us know if there’s anything that is unclear. Here are the docs for more information about Docker Content Trust with delegations.
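The push-time rule the maintainer describes, and the fix of adding a delegation key the host owns, as an added example that is not part of this thread: a simplified re-implementation of the decision Docker Content Trust makes (not docker/cli's or notary's own code), run over constructed targets metadata for foo.com/bar. The targets key ID is the one quoted in the issue; every other key ID is a placeholder.

```python
import json

# Constructed targets.json for foo.com/bar (not metadata from the issue): one
# delegation, targets/releases, whose only key belongs to the other machine
# that can still push. Key IDs other than TARGETS_KEY are placeholders.
TARGETS_KEY = "05209e8a98a5f584e1e13ec088670d4c49ab7db11c9156b77542f1588c099a09"
OTHER_MACHINE_KEY = "aa" * 32   # placeholder delegation key ID
NEW_HOST_KEY = "bb" * 32        # placeholder for a key generated on the host
DELEGATED_REPO = json.dumps({"signed": {"_type": "targets", "targets": {}, "delegations": {
    "roles": [{"name": "targets/releases", "keyids": [OTHER_MACHINE_KEY],
               "paths": [""], "threshold": 1}]}}})
PLAIN_REPO = json.dumps({"signed": {"_type": "targets", "targets": {}}})  # no delegations

def signable_roles(targets_json, local_key_ids, tag):
    """Simplified re-implementation of the rule Docker Content Trust applies at
    push time: with no delegations, sign into the base targets role; with
    delegations, sign only into delegation roles that cover the tag AND have a
    key in the local key store. Returns (roles, error)."""
    roles = json.loads(targets_json)["signed"].get("delegations", {}).get("roles", [])
    if not roles:
        return ["targets"], None
    local = set(local_key_ids)
    found = []
    for role in roles:
        parts = role["name"].split("/")
        if parts[:-1] != ["targets"]:  # only direct children of targets are signable
            continue
        # paths are prefixes; "" (what `notary delegation add --all-paths` writes) covers any tag
        if not any(tag.startswith(p) for p in role.get("paths", [])):
            continue
        if local & set(role["keyids"]):
            found.append(role["name"])
    if not found:
        return [], "no valid signing keys for delegation roles"
    return found, None

def add_delegation_key(targets_json, role_name, key_id):
    """Model the published effect of `notary delegation add` + `notary publish`
    run by a targets-key holder: the new key ID joins the role's keyids."""
    meta = json.loads(targets_json)
    for role in meta["signed"]["delegations"]["roles"]:
        if role["name"] == role_name and key_id not in role["keyids"]:
            role["keyids"].append(key_id)
    return json.dumps(meta)

if __name__ == "__main__":
    # Host holds only the targets key: reproduces the error from the issue
    print(signable_roles(DELEGATED_REPO, [TARGETS_KEY], "1.0.0"))
    # After adding a delegation key the host owns, the push can be signed
    fixed = add_delegation_key(DELEGATED_REPO, "targets/releases", NEW_HOST_KEY)
    print(signable_roles(fixed, [TARGETS_KEY, NEW_HOST_KEY], "1.0.0"))
```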