Generating a delegation key

Make sure you're using OpenSSL 1.0.2 or newer; older releases default to SHA-1 for certificate signatures, and Notary refuses to import a certificate signed that way (invalid SHA1 signature algorithm):

  1. brew install openssl

Make sure the openssl in your $PATH points to the correct version:

  1. openssl version
  2. The output should report 1.0.2 or later, for example: OpenSSL 1.0.2j 26 Sep 2016

Have the collaborator generate a new key pair on their machine (you can use the Docker-in-Docker container for this):

  1. Create a 256-bit EC key pair on the prime256v1 (NIST P-256) curve:

    1. openssl ecparam -name prime256v1 -genkey -out delegation.key -noout
  2. Create a certificate signing request:

    1. openssl req -new -sha256 -key delegation.key -out delegation.csr
  3. Self-sign the certificate, passing -sha256 explicitly so the signature digest does not depend on the OpenSSL default (or, alternatively, have an internal CA sign the CSR):

    1. openssl x509 -req -sha256 -days 365 -in delegation.csr -signkey delegation.key -out delegation.crt
  4. Import the private key:

    1. notary -v -s https://127.0.0.1:4443 -d ~/.docker/trust key import delegation.key --role user --gun <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app
    2. Notary prompts twice for a passphrase for the new key (the key ID shown will differ):

       Enter passphrase for new user key with ID e93a684 (tuf_keys):
       Repeat passphrase for new user key with ID e93a684 (tuf_keys):

    Enter a passphrase generated and stored in a password manager.

  5. Send the public key (delegation.crt) to the repository owner.
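The whole key-generation procedure above, as an added example script that is not part of the original page or of the Notary project. It generates the P-256 key, the CSR and a one-year self-signed certificate with SHA-256, then performs the check a collaborator should run before sending the certificate: that the signature algorithm is not SHA-1 (the exact condition Notary rejects) and that the certificate's public key matches the private key. The working directory, file names, the certificate subject and the NOTARY_SERVER / GUN variables are assumptions; the Notary import step is only invoked when a notary binary is present because it needs a reachable server.

```shell
#!/bin/sh
# Added example: generate a Notary delegation key pair and self-signed
# certificate with SHA-256, then verify it before handing it over.
# WORKDIR, file names and the subject CN are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/delegation.key"
CSR="$WORKDIR/delegation.csr"
CRT="$WORKDIR/delegation.crt"

# Step 1: 256-bit EC private key on prime256v1 (NIST P-256).
# -noout drops the EC PARAMETERS block so the file holds only the key.
gen_delegation_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$KEY"
}

# Steps 2 and 3: CSR and self-signed certificate. -subj avoids interactive
# prompts; -sha256 on the x509 step forces the digest Notary accepts even on
# an OpenSSL whose default is still SHA-1.
gen_delegation_cert() {
    openssl req -new -sha256 -key "$KEY" -subj "/CN=delegation-example" -out "$CSR"
    openssl x509 -req -sha256 -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT"
}

# Print the certificate's signature algorithm, e.g. "ecdsa-with-SHA256".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if the certificate is NOT signed with SHA-1 (what Notary rejects).
check_not_sha1() {
    case "$(cert_sig_alg "$1")" in
        *[Ss][Hh][Aa]1*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if the public key embedded in the certificate matches the private
# key, i.e. the pair that will be sent to the repository owner is consistent.
key_matches_cert() {
    priv_pub=$(openssl pkey -in "$KEY" -pubout)
    cert_pub=$(openssl x509 -in "$CRT" -noout -pubkey)
    [ "$priv_pub" = "$cert_pub" ]
}

# Step 4: import the private key into the local Notary trust store.
# NOTARY_SERVER and GUN are assumptions; the GUN placeholder mirrors the page.
import_into_notary() {
    NOTARY_SERVER="${NOTARY_SERVER:-https://127.0.0.1:4443}"
    GUN="${GUN:-<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app}"
    if command -v notary >/dev/null 2>&1; then
        notary -v -s "$NOTARY_SERVER" -d ~/.docker/trust key import "$KEY" \
            --role user --gun "$GUN"
    else
        echo "notary not found; skipping import into $NOTARY_SERVER for $GUN" >&2
        return 0
    fi
}

# Stand-alone run: generate, verify, and (if possible) import.
if [ "${1:-}" = "run" ]; then
    gen_delegation_key
    gen_delegation_cert
    check_not_sha1 "$CRT" || { echo "refusing: SHA-1 signed certificate" >&2; exit 1; }
    key_matches_cert || { echo "refusing: key/certificate mismatch" >&2; exit 1; }
    echo "signature algorithm: $(cert_sig_alg "$CRT")"
    import_into_notary
    echo "send $CRT (public certificate only) to the repository owner"
fi
```

Run it as `sh delegation.sh run`; only delegation.crt leaves the collaborator's machine, the .key file never does. The two checks are cheap to run on the owner's side as well before adding the certificate to the delegation role.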