heya,
In case anyone else gets stuck here: my issue was that Docker was looking
for keys in {workspace}/.docker as opposed to /home/jenkins/.docker.
Mr. Jenkins was creating a new root and repo key with each build and did
not find the delegation key I was trying to use (which was in
/home/jenkins/.docker).
On Wednesday, 12 June 2019 03:54:57 UTC+8, Albert Domenech wrote:
>
> I have an unsolved, annoying issue regarding Jenkins pipelines and Docker
> Content Trust; I hope someone can give me a hand with it.
>
> I'm using Harbor as private registry and I activated Content Trust on my
> laptop's Docker daemon. Whenever I push a new Image to the registry
> manually from the shell, the daemon signs the Image as expected using my
> local signing keys.
>
> Then I followed the delegation process to allow the Jenkins user to do the
> same. I created specific signing keys for it and added them to the registry
> from my laptop, so now the Jenkins user is an allowed signer for specific
> projects.
>
> If I create and push new images from the Jenkins OS user shell, everything
> goes as expected also, meaning that the images are signed and pushed to the
> registry with all the meta info needed.
>
> The problem comes when I try to do the same from a Pipeline: for some
> strange reason, Docker is not able to find the signing keys, so the image
> is pushed but not signed. I tried in different ways, but always with the
> same result: "no valid signing keys for delegation roles".
>
> A curious thing that I observed is that "docker trust inspect ..." works
> both ways (from shell and pipeline) and shows the Jenkins user as an allowed
> signer, but "notary key list" only works from the pipeline if I add the
> "--configFile ~/.notary/config.json" parameter, which in fact points to the
> default configuration path.
>
> Here is a partial extract from the stage I'm using:
>
> script {
>   withEnv(['DOCKER_CONTENT_TRUST=1',
>            'DOCKER_CONTENT_TRUST_SERVER=https://harbor.example.com:4443']) {
>     withCredentials([usernamePassword(credentialsId: 'harbor_jenkins_credentials',
>                                       usernameVariable: 'HARBOR_USERNAME',
>                                       passwordVariable: 'HARBOR_PASSWORD')]) {
>       // Single-quoted Groovy string: the shell expands the credential variables,
>       // so the secrets are not interpolated into the script text and the build log.
>       sh 'docker login --username="$HARBOR_USERNAME" --password="$HARBOR_PASSWORD" harbor.example.com'
>     }
>     withCredentials([string(credentialsId: 'docker-content-trust-repository-passphrase',
>                             variable: 'DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE'),
>                      string(credentialsId: 'docker-content-trust-root-passphrase',
>                             variable: 'DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE')]) {
>       // nextTag and commitHash are pipeline (Groovy) variables, hence the interpolated string.
>       // printenv also dumps the passphrase variables into the build log; drop it once debugging is done.
>       sh """#!/bin/bash
>         printenv
>         notary --configFile ~/.notary/config.json key list
>         docker trust inspect --pretty harbor.example.com/services/test
>         docker push harbor.example.com/services/test:${nextTag}
>         docker push harbor.example.com/services/test:${commitHash}
>         docker push harbor.example.com/services/test:latest
>       """
>     }
>   }
> }
>
>
>
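The mismatch described in the reply (Docker reading {workspace}/.docker instead of /home/jenkins/.docker) can be checked from the pipeline's shell step before any push is attempted. The script below is an added example, not code from either poster; it assumes Docker's documented lookup order (DOCKER_CONFIG if set, otherwise $HOME/.docker, with Content Trust private keys stored under <config dir>/trust/private) and uses constructed temporary directories to reproduce the wrong-location case and the corrected one.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread): resolve where the Docker CLI will look
# for Content Trust signing keys and report whether a delegation key is present.
# Assumption (Docker's documented behaviour): the CLI uses $DOCKER_CONFIG when set,
# otherwise $HOME/.docker, and keeps trust private keys in <config>/trust/private.

# Print the config directory the docker CLI would use with the current environment.
docker_config_dir() {
  if [ -n "${DOCKER_CONFIG:-}" ]; then
    printf '%s\n' "$DOCKER_CONFIG"
  else
    printf '%s\n' "${HOME}/.docker"
  fi
}

# Count private key files in the trust store of a config directory (0 if absent).
count_trust_keys() {
  dir="$1/trust/private"
  [ -d "$dir" ] || { echo 0; return; }
  find "$dir" -type f -name '*.key' | wc -l | tr -d ' '
}

# Compare the effective config dir with the dir where the keys were imported
# (e.g. the Jenkins user's home). Returns 0 only when keys are actually visible.
check_trust_setup() {
  expected="$1"
  actual="$(docker_config_dir)"
  n="$(count_trust_keys "$actual")"
  if [ "$actual" != "$expected" ]; then
    echo "WARN: docker will read $actual, but keys were imported to $expected"
  fi
  if [ "$n" -eq 0 ]; then
    echo "ERROR: no delegation keys under $actual/trust/private (a fresh root/repo key would be generated)"
    return 1
  fi
  echo "OK: $n key(s) under $actual/trust/private"
}

# Constructed demo: simulate the situation from the thread with temporary dirs.
demo() {
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/home/jenkins/.docker/trust/private" "$tmp/workspace"
  : > "$tmp/home/jenkins/.docker/trust/private/placeholder.key"   # constructed placeholder, not a real key
  # Build step with HOME pointed at the workspace: docker looks in the wrong place.
  ( HOME="$tmp/workspace"; unset DOCKER_CONFIG; check_trust_setup "$tmp/home/jenkins/.docker" ) || true
  # Pointing DOCKER_CONFIG at the directory holding the keys makes them visible again.
  ( HOME="$tmp/workspace"; export DOCKER_CONFIG="$tmp/home/jenkins/.docker"; check_trust_setup "$tmp/home/jenkins/.docker" )
  rm -rf "$tmp"
}

demo
```

Running the script prints the WARN/ERROR pair for the workspace case and the OK line once DOCKER_CONFIG points at the directory that holds the delegation key; the same check_trust_setup call can be dropped into the pipeline's sh step ahead of docker push so a missing key fails the build instead of silently producing a new root key.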
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/dd6831c0-7abe-47e3-a055-57812e8d4891%40googlegroups.com.