5.3 KiB
Notary client configuration file
This document is for power users of the Notary client, or for those who are running their own service who want to facilitate CLI interaction or specify custom options.
The configuration file for Notary client normally resides at ~/.notary/config.json,
but the path to a different configuration file can be specified using the
-c or --configFile command line flag.
Overview of the file
A configuration file consists of the following sections:
| trust_dir | TUF key and metadata directory | (optional) |
| remote_server | remote Notary Server configuration | (optional) |
In addition please see the optional password environment variables that the Notary client can take for ease of use.
An example (full) client configuration file.
{
"trust_dir" : "~/.docker/trust",
"remote_server": {
"url": "https://my-notary-server.my-private-registry.com",
"root-ca": "./fixtures/root-ca.crt",
"tls_client_cert": "./fixtures/secure.example.com.crt",
"tls_client_key": "./fixtures/secure.example.com.crt"
}
}
trust_dir section (optional)
The trust_dir specifies the location (as an absolute path or a path
relative to the directory of the configuration file) where the TUF metadata
and private keys will be stored.
This is normally defaults to ~/.notary, but specifying ~/.docker/trust
facilitates interoperability with content trust.
Note that this option can be overridden with the command line flag --trustDir.
remote_server section (optional)
The remote_server specifies how to connect to a Notary server to download
metadata updates and publish metadata changes.
Remote server example:
"remote_server": {
"url": "https://my-notary-server.my-private-registry.com",
"root-ca": "./fixtures/root-ca.crt",
"tls_client_cert": "./fixtures/secure.example.com.crt",
"tls_client_key": "./fixtures/secure.example.com.crt"
}
| Parameter | Required | Description |
|---|---|---|
url |
no | URL of the Notary server: defaults to https://notary.docker.io This configuration option can be overridden with the command line flag `-s` or `--server`. |
root-ca |
no | The path to the file containing the root CA with which to verify the TLS certificate of the Notary server, for example if it is self-signed. The path is relative to the directory of the configuration file. This configuration option can overridden with the command line flag `--tlscacert`, which would specify a path relative to the current working directory where the Notary client is invoked. |
tls_client_cert |
no | The path to the client certificate to use for mutual TLS with
the Notary server. Must be provided along with This configuration option can overridden with the command line flag `--tlscert`, which would specify a path relative to the current working directory where the Notary client is invoked. |
tls_client_key |
no | The path to the client key to use for mutual TLS with
the Notary server. Must be provided along with This configuration option can overridden with the command line flag `--tlskey`, which would specify a path relative to the current working directory where the Notary client is invoked. |
Environment variables (optional)
The following environment variables containing signing key passphrases can be used to facilitate Notary client CLI interaction. If provided, these passwords will be used initially to sign TUF metadata. If the passphrase is incorrect, you will be prompted to enter the correct passphrase.
| Environment Variable | Description |
|---|---|
NOTARY_ROOT_PASSPHRASE |
The root/offline key passphrase |
NOTARY_TARGETS_PASSPHRASE |
The targets (an online) key passphrase |
NOTARY_SNAPSHOT_PASSPHRASE |
The snapshot (an online) key passphrase |