According to Docker Documentation: Manage keys for content trust, the root key is:
Root of content trust for an image tag. When content trust is enabled, you create the root key once. Also known as the offline key, because it should be kept offline.
I don't know the exact meaning of "once". Do I only have one chance to set the root key? If dismissing subsequent consequences of these uploaded repositories, what should I do to reset it?
CodePudding user response:
The keys are trust on first use, so if you change the root key for a repo, anyone that has previously trusted that key would need to have that information removed, which involves changing everywhere that has previously run this image. The notary server itself also needs to have its data of this repository purged. It may be easier to create a new repository.
Realize that Content Trust currently points to Notary v1 which is soon to be phased out. Project sigstore has cosign already available, Notary v2 is being designed, and I've yet to come across a significant production infrastructure using Content Trust. Even the images in the Docker Library haven't been signed in over a year, so if you enable Content Trust, you'll find that image pulls revert to very old images missing any recent security patches.
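The client-side half of the reset described in the answer (removing the trust-on-first-use pin that every consumer of the image holds) amounts to deleting the cached TUF metadata for that one repository. The following is an added example, not code from the thread or from Docker; it assumes the default Docker content trust layout, in which cached metadata lives under `$DOCKER_CONFIG/trust/tuf/<registry>/<repo>/metadata/` (default `~/.docker/trust`), and it uses a `TRUST_DIR` variable plus the repository names `docker.io/example/app` and `docker.io/example/other` purely as constructed test values.

```shell
#!/bin/sh
# Added example: locate and purge one repository's cached trust-on-first-use
# data on a client so a rotated root key can be re-trusted on the next pull.
# Assumption: default layout $TRUST_DIR/tuf/<gun>/metadata/*.json, with
# TRUST_DIR defaulting to ~/.docker/trust. Private keys under trust/private
# are deliberately left alone; this only clears the pinned repository metadata.

# Directory holding the cached TUF metadata for a GUN such as docker.io/example/app.
trust_metadata_dir() {
    printf '%s/tuf/%s' "${TRUST_DIR:-$HOME/.docker/trust}" "$1"
}

# True when the client has already pinned a root for this GUN (TOFU happened).
is_trusted_locally() {
    [ -f "$(trust_metadata_dir "$1")/metadata/root.json" ]
}

# Remove the cached metadata for exactly one GUN. Returns 0 if something was
# removed, 1 if this client had never trusted the repository.
purge_local_trust() {
    dir="$(trust_metadata_dir "$1")"
    if [ -d "$dir" ]; then
        rm -rf "$dir"
        echo "purged cached trust data for $1 ($dir)"
        return 0
    fi
    echo "no cached trust data for $1"
    return 1
}

# Self-contained demonstration on a constructed trust directory (not real
# Docker state): two pinned repositories, purge one, confirm the other survives.
demo_purge() {
    TRUST_DIR="$(mktemp -d)"
    export TRUST_DIR
    for gun in docker.io/example/app docker.io/example/other; do
        mkdir -p "$TRUST_DIR/tuf/$gun/metadata"
        printf '{"signed":{"_type":"Root"}}\n' > "$TRUST_DIR/tuf/$gun/metadata/root.json"
    done
    is_trusted_locally docker.io/example/app || return 1
    purge_local_trust docker.io/example/app || return 1
    # Only the purged repository loses its pin; the unrelated one stays trusted.
    is_trusted_locally docker.io/example/app && return 1
    is_trusted_locally docker.io/example/other || return 1
    rm -rf "$TRUST_DIR"
    return 0
}
```

Source the file and run `demo_purge`, or call `purge_local_trust <gun>` against a real `~/.docker/trust` on each consuming host. That clears only the client's pin; the server-side step the answer mentions is separate (the notary CLI's `notary delete <gun> --remote` removes the repository's trust data from the Notary server), and `docker trust inspect --pretty <image>` shows which root and repository key IDs a client currently resolves, which is a quick way to confirm whether a host is still holding the old root.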