I have an unsolved annoying issue regarding Jenkins pipelines and Docker Content Trust, I hope someone can give me a hand with it.
I'm using Harbor as private registry and I activated Content Trust on my laptop's Docker daemon. Whenever I push a new Image to the registry manually from the shell, the daemon signs the Image as expected using my local signing keys.
Then I followed the delegation process to allow Jenkins user to do the same. I created specific signing keys for it and added them to the registry from my laptop, so now Jenkins user is an allowed signer for specific projects.
If I create and push new images from the Jenkins OS user shell, everything goes as expected also, meaning that the images are signed and pushed to the registry with all the meta info needed.
The problem comes when I try to do the same from a Pipeline, for some strange reason, Docker is not able to find the signing keys, so the image is pushed but not signed. I tried in different ways, but always with the same result.
"no valid signing keys for delegation roles"Curious thing that I observed is that
"docker trust inspect ..." works both ways (from shell and pipeline) and shows Jenkins user as an allowed signer, but
"notary key list" only works from the pipeline if I add
"--configFile ~/.notary/config.json" parameter that in fact points to the default configuration path
Here a partial extract from the stage I'm using: