Delegate image signingEstimated reading time: 2 minutes
Instead of signing all the images yourself, you can delegate that task to other users.
A typical workflow looks like this:
- A repository owner creates a repository in DTR, and initializes the trust metadata for that repository
- Team members download a UCP client bundle and share their public key certificate with the repository owner
- The repository owner delegates signing to the team members
- Team members can sign images using the private keys in their UCP client bundles
In this example, the IT ops team creates and initializes trust for the
dev/nginx. Then they allow users in the QA team to push and sign images in
Create a repository and initialize trust
A member of the IT ops team starts by configuring their Notary CLI client.
Then they create the
initialize the trust metadata for that repository, and grant
write access to members of the QA team, so that they can push images to that
Ask for the public key certificates
The member of the IT ops team then asks the QA team for their public key certificate files that are part of their UCP client bundle.
If they don’t have a UCP client bundle, they can download a new one.
Delegate image signing
When delegating trust, you associate a public key certificate with a role name. UCP requires that you delegate trust to two different roles:
<role>is the UCP team the user belongs to
In this example we’ll delegate trust to
# Delegate trust, and add that public key with the role targets/releases notary delegation add --publish \ dtr.example.org/dev/nginx targets/releases \ --all-paths <user-1-cert.pem> <user-2-cert.pem> # Delegate trust, and add that public key with the role targets/admin notary delegation add --publish \ dtr.example.org/dev/nginx targets/qa \ --all-paths <user-1-cert.pem> <user-2-cert.pem>
Now members from the QA team just have to configure their Notary CLI client
with UCP private keys
to be able to push and sign images into the