#StackBounty: #docker #notary Docker Trust: could not rotate trust to a new trusted root: failed to validate data with current trusted …

Bounty: 300

I’ve suddenly got this message after a month of docker trust working fine for me via GitLab CI.

I have a Gitlab Runner that mounts the ~/.docker/trust (so its persisted) and pushes it to our QA registry.

tag_image_test:
  stage: tag_image
  script:
    - docker login -u "gitlab-ci-token" -p "$CI_BUILD_TOKEN" $CI_REGISTRY
    - docker pull "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}"
    - export DOCKER_CONTENT_TRUST=1
    - export DOCKER_CONTENT_TRUST_SERVER=$QA_REGISTRY_SIGNER
    - export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=$QA_REGISTRY_SIGNER_ROOT_PASSPHRASE
    - export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$QA_REGISTRY_SIGNER_REPO_PASSPHRASE
    - docker login -u "$QA_REGISTRY_USERNAME" -p "$QA_REGISTRY_PASSWORD" $QA_REGISTRY_URL
    - export PROJ_PATH=$(echo -en $CI_PROJECT_PATH | tr '[:upper:]' '[:lower:]')
    - docker tag "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}" "${QA_REGISTRY_IMAGE}/${PROJ_PATH}:${CI_COMMIT_REF_SLUG}"
    - docker push "${QA_REGISTRY_IMAGE}/${PROJ_PATH}:${CI_COMMIT_REF_SLUG}"

However the push commands ends with:

time="2019-03-18T11:51:14Z" level=debug msg="failed to verify TUF data for: qa.registry.local/mygroup/myimage, valid signatures did not meet threshold for "
time="2019-03-18T11:51:14Z" level=debug msg="downloaded 1.root is invalid: could not rotate trust to a new trusted root: failed to validate data with current trusted certificates"
time="2019-03-18T11:51:14Z" level=debug msg="Client Update (Root): could not rotate trust to a new trusted root: failed to validate data with current trusted certificates"
could not rotate trust to a new trusted root: failed to validate data with current trusted certificates

When I look at the root.json file, the expiry is not for a long time:

"expires":"2029-02-08T15:07:05.172338131Z"

Same for targets.json:

"expires":"2022-02-10T15:07:05.173954376Z"

So I’m at a loss for what is going on and probably don’t understand what it is trying to do. Does anyone have any insight?


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.