Official VinylDNS Docker images are signed when being pushed to Docker Hub. Docs for Docker Content Trust can be found at https://docs.docker.com/engine/security/trust/content_trust/.
Content trust is enabled through the DOCKER_CONTENT_TRUST
environment variable, which must be set to 1. It is recommended that
in your ~/.bashrc
, you have export DOCKER_CONTENT_TRUST=1
by default, and if you ever want to turn it off for a
Docker command, add the --disable-content-trust
flag to the command, e.g. docker pull --disable-content-trust ...
.
There are multiple Docker repositories on Docker Hub under the vinyldns organization. Namely:
- vinyldns/api: images for vinyldns core api engine
- vinyldns/portal: images for vinyldns web client
- vinyldns/bind9: images for local DNS server used for testing
The offline root key and repository keys are managed by the core maintainer team. The keys managed are:
- root key: also known as the offline key, used to create the separate repository signing keys
- api key: used to sign tagged images in vinyldns/api
- portal key: used to sign tagged images in vinyldns/portal
- bind9 key: used to sign tagged images in the vinyldns/bind9
These keys are named in a .key format, e.g. 5526ecd15bd413e08718e66c440d17a28968d5cd2922b59a17510da802ca6572.key, do not change the names of the keys.
Docker expects these keys to be saved in ~/.docker/trust/private
. Each key is encrypted with a passphrase, that you
must have available when pushing an image.
If you don't have one already, make an account on Docker Hub. Get added as a Collaborator to vinyldns/api, vinyldns/portal, and vinyldns/bind9
Someone with our keys can sign images when pushing, but instead of sharing those keys we can utilize notary to delegate image signing permissions in a safer way. Notary will have you make a public-private key pair and upload your public key. This way you only need your private key, and a developer's permissions can easily be revoked.
If you do not already have notary:
- Download the latest release for your machine at https://github.com/theupdateframework/notary/releases,
for example, on a mac download the precompiled binary
notary-Darwin-amd64
- Rename the binary to notary, and choose a location where it will live,
e.g.
cd ~/Downloads/; mv notary-Darwin-amd64 notary; mv notary ~/Documents/notary; cd ~/Documents
- Make it executable, e.g.
chmod +x notary
- Add notary to your path, e.g.
vim ~/.bashrc
, addexport PATH="$PATH":<path to notary>
- Create a
~/.notary/config.json
with
{
"trust_dir" : "~/.docker/trust",
"remote_server": {
"url": "https://notary.docker.io"
}
}
You can test notary with notary -s https://notary.docker.io -d ~/.docker/trust list docker.io/vinyldns/api
, in which
you should see tagged images for the VinylDNS API
Note: you'll pretty much always use the
-s https://notary.docker.io -d ~/.docker/trust
args when running notary, it will be easier for you to alias a command likenotarydefault
tonotary -s https://notary.docker.io -d ~/.docker/trust
in your.bashrc
cd
to a directory where you will save your delegation keys and certs- Generate your private key:
openssl genrsa -out delegation.key 2048
- Generate your public key:
openssl req -new -sha256 -key delegation.key -out delegation.csr
, all fields are optional, but when it gets to your email it makes sense to add that - Self-sign your public key (valid for one year):
openssl x509 -req -sha256 -days 365 -in delegation.csr -signkey delegation.key -out delegation.crt
- Change the
delegation.crt
to some unique name, likemy-name-vinyldns-delegation.crt
- Give your
my-name-vinyldns-delegation.crt
to someone that has the root keys and passphrases so they can upload your delegation key to the repository
This expects you to have the root keys and passphrases for the Docker repositories
- List current keys:
notary -s https://notary.docker.io -d ~/.docker/trust delegation list docker.io/vinyldns/api
- Add team member's public key:
notary delegation add docker.io/vinyldns/api targets/releases <team members delegation crt path> --all-paths
- Push key:
notary publish docker.io/vinyldns/api
- Repeat above steps for
docker.io/vinyldns/portal
Add their key ID to the table below, it can be viewed with notary -s https://notary.docker.io -d ~/.docker/trust delegation list docker.io/vinyldns/api
.
It will be the one that didn't show up when you ran step one of this section
Name | Key ID |
---|---|
Nima Eskandary | 66027c822d68133da859f6639983d6d3d9643226b3f7259fc6420964993b499a, cdca33de91c54f801d89240d18b5037e274461ba1c88c10451070c97e9f665b4 |
Rebecca Star | 04285e24d3b9a8b614b34da229669de1f75c9faa471057e8b4a7d60aac0d5bf5 |
Michael Ly | dd3a5938fc927de087ad4b59d6ac8f62b6502d05b2cc9b0623276cbac7dbf05b |
- Run
notary key import <path to private delegation key> --role user
- You will have to create a passphrase for this key that encrypts it at rest. Use a password generator to make a strong password and save it somewhere safe, like apple keychain or some other password manager
- From now on
docker push
will be try to sign images with the delegation key if it was configured for that Docker repository
The core module is pushed to oss.sonatype.org under io.vinyldns
To be able to push to sonatype you will need the pgp key used to sign the module. We use a blackbox repo to share this key and its corresponding passphrase. Follow these steps to set it up properly on your local
-
Ensure you have a gpg key setup on your machine by running
gpg -K
, if you do not then rungpg --gen-key
to create one, note you will have to generate a strong passphrase and save it in some password manager -
Make sure you have blackbox, on mac this would be
brew install blackbox
-
Clone our blackbox repo, get the git url from another maintainer
-
Run
blackbox_addadmin <the email associated with your gpg key>
-
Commit your changes to the blackbox repo and push to master
-
Have an existing admin pull the repo and run
gpg --keyring keyrings/live/pubring.kbx --export | gpg --import
, andblackbox_update_all_files
-
Have the existing admin commit and push those changes to master
-
Back to you - pull the changes, and now you should be able to read those files
-
Run
blackbox_edit_start vinyldns-sonatype-key.asc.gpg
to temporarily decrypt the sonatype signing key -
Run
gpg --import vinyldns-sonatype-key.asc
to import the sonatype signing key to your keyring -
Run
blackbox_edit_end vinyldns-sonatype-key.asc.gpg
to re-encrypt the sonatype signing key -
Run
blackbox_cat vinyldns-sonatype.txt.gpg
to view the passphrase for that key - you will need this passphrase handy when releasing -
Create a file
~/.sbt/1.0/vinyldns-gpg-credentials
with the contentrealm=GnuPG Key ID host=gpg [email protected] password=ignored-must-use-pinentry
-
Add credenial configuration to global sbt setting in
~/.sbt/1.0/credential.sbt
with the contentcredentials += Credentials(Path.userHome / ".sbt" / "1.0" / "vinyldns-gpg-credentials")
We are using sbt-release to run our release steps and auto-bump the version in version.sbt
. The bin/release.sh
script will first run functional tests, then kick off sbt release
, which also runs unit and integration tests before
running the release
- Follow Docker Content Trust to setup a notary delegation for yourself
- Follow Sonatype Credentials to setup the sonatype pgp signing key on your local
- Make sure you're logged in to Docker with
docker login
- Export
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE
in your env with your notary key passphrase - Run
bin/release.sh
Note: the arg "skip-tests" will skip unit, integration and functional testing before a release - You will be asked to confirm the version which originally comes from
version.sbt
. NOTE: if the version ends withSNAPSHOT
, then the docker latest tag won't be applied and the core module will only be published to the sonatype staging repo. - When it comes to the sonatype stage, you will need the passphrase handy for the signing key, Sonatype Credentials
- Assuming things were successful, make a pr since sbt release auto-bumped
version.sbt
and made a commit for you