Conversation

evanebb
Contributor

@evanebb evanebb commented Feb 13, 2025

Fixes #386.
This is a fairly quick and dirty fix, feel free to burn this PR down :)

As mentioned in that issue, the v3 version of the registry no longer supports libtrust key IDs. There are multiple alternative options to choose from, but the simplest one to implement for this project is using the JWK thumbprint of the public key as the key ID instead.

For every certificate present in the rootcertbundle passed to the registry, it'll add the public key to the trusted keys identified by the JWK thumbprint: https://github.com/distribution/distribution/blob/63d3892315c817c931b88779399a8e9142899a8e/registry/auth/token/accesscontroller.go#L346-L348
So, if you pass this JWK thumbprint in the key ID header in the token, the registry can select the proper signing key using this thumbprint.

This PR allows configuring this through a new directive in the configuration file, namely token.disable_legacy_key_id.
If set to true, it will pass the JWK thumbprint in the key ID header instead of the libtrust key ID. It defaults to false for now, to avoid accidental breakage when updating setups using the v2 registry.

Signed-off-by: evanebb <git@evanus.nl>
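As an added illustration (not code from this PR or from docker_auth), the Go below computes the RFC 7638 JWK thumbprint that the v3 registry derives for each rootcertbundle certificate and places it in the token's kid header; it assumes the registry's key ID is the unpadded base64url SHA-256 of the canonical RSA JWK, and the function names are mine.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// canonicalJWK renders an RSA public key as the RFC 7638 canonical JWK: only
// e, kty, n in lexicographic order, no whitespace (struct field order gives that).
func canonicalJWK(pub *rsa.PublicKey) ([]byte, error) {
	enc := base64.RawURLEncoding // unpadded base64url, as JWK requires
	return json.Marshal(struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{
		E:   enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		Kty: "RSA",
		N:   enc.EncodeToString(pub.N.Bytes()), // minimal big-endian bytes
	})
}

// jwkThumbprintRSA is the key ID the v3 registry derives for each certificate
// in its rootcertbundle: base64url(SHA-256(canonical JWK)), without padding.
func jwkThumbprintRSA(pub *rsa.PublicKey) (string, error) {
	canon, err := canonicalJWK(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// tokenHeader is the JOSE header the token must carry so the registry can look
// up the trusted key: "kid" holds the thumbprint, not a libtrust key ID.
func tokenHeader(kid string) string {
	b, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the cert's key
	kid, _ := jwkThumbprintRSA(&key.PublicKey)
	fmt.Println("kid:", kid, "header:", tokenHeader(kid))
}
```

With token.disable_legacy_key_id: true the kid printed here is the string the registry compares against the thumbprints it computed from the rootcertbundle.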
@choopm

choopm commented May 15, 2025

Thanks @evanebb for providing this PR.

I can confirm this fixes the issues when upgrading from registry:2 to registry:3
by using the new config option token.disable_legacy_key_id: true.

@cesanta do you want to take a look at this PR please?
Until this gets merged, one might use the image I built which includes this change:

docker pull ghcr.io/choopm/docker_auth
# or
docker pull ghcr.io/choopm/docker_auth:1.13.0-1-g914f526

https://github.com/users/choopm/packages/container/package/docker_auth

@techknowlogick techknowlogick merged commit 25bdefb into cesanta:main May 15, 2025
4 checks passed
RaveNoX pushed a commit to deckhouse/3p-docker_auth that referenced this pull request Aug 27, 2025
Linked issue (#386): docker-registry has changed its JWT implementation, no longer supports libtrust key IDs