Description
I'm testing updating to a recent build of docker-registry but I'm getting stuck on the authorization part. The error in the file is:
INFO[0101] failed to verify token: token signed by untrusted key with ID: "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"
- I've generated a completely new self-signed certificate with a new RSA 2048 key
- I've verified the key and certificate modulus matches
- I've verified that both the registry and auth service have the same key and cert, with matching modulus
- I've verified that the auth service is returning a positive response with a JWT token signed by the right key
The auth service is using docker/libtrust to generate the keyid:
https://github.com/cesanta/docker_auth/blob/38e7252690dc31ab7ccd4185a2dead973099f37c/auth_server/server/server.go#L384
https://github.com/cesanta/docker_auth/blob/38e7252690dc31ab7ccd4185a2dead973099f37c/auth_server/server/config.go#L88
So it seems to be docker-registry itself making the determination that the key is untrusted. However it doesn't generate any errors or warnings when loading the key, only when processing the auth response. The error message doesn't provide any hints as to why it is untrusted, and there are no other relevant messages in the log. This last worked using a build of docker-registry from early 2022 (commit c202b9b), the only change is using a March 2024 build (commit 663b430) - though I also tried a newer certificate to see if it gave a different result.
Reproduce
Setting up a local registry can be complex, I'll wait to see if it's something simple like docker-registry only supporting rsa-4096, or having banned values for common name, etc.
Expected behavior
The server should accept the positive response from the auth server and allow access.
registry version
/usr/bin/docker-registry github.com/distribution/distribution/v3 v3.0.0-alpha.1.m+unknown
Additional Info
No response
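The "untrusted key with ID" line only becomes actionable once you can compute the same ID the registry computes for the certificate it loaded from its root cert bundle and compare it with the ID it logged for the token. The following is an added example, not code from this issue, from distribution or from docker_auth. It assumes the libtrust fingerprint scheme is SHA-256 over the PKIX DER encoding of the public key, truncated to 240 bits, base32-encoded and split into 12 colon-separated groups of 4 characters (the shape seen in the log line); the RSA key and self-signed certificate it generates are constructed test data so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base32"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyIDFromPublicKey computes a libtrust-style key ID as this example
// understands the scheme (an assumption, not the project's own code):
// SHA-256 over the PKIX DER of the public key, first 240 bits, base32,
// twelve colon-separated groups of four characters.
func KeyIDFromPublicKey(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	// 30 bytes of digest base32-encode to exactly 48 characters, no padding.
	s := strings.TrimRight(base32.StdEncoding.EncodeToString(sum[:30]), "=")
	groups := make([]string, 0, 12)
	for i := 0; i+4 <= len(s); i += 4 {
		groups = append(groups, s[i:i+4])
	}
	return strings.Join(groups, ":"), nil
}

// KeyIDFromPEM takes the first PEM block in data, either a CERTIFICATE
// (what a registry root cert bundle holds) or a PUBLIC KEY, and returns
// the ID of the public key it carries.
func KeyIDFromPEM(data []byte) (string, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", fmt.Errorf("no PEM block found")
	}
	var pub interface{}
	switch block.Type {
	case "CERTIFICATE":
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", err
		}
		pub = cert.PublicKey
	case "PUBLIC KEY":
		var err error
		if pub, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
			return "", err
		}
	default:
		return "", fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	return KeyIDFromPublicKey(pub)
}

// IsWellFormedKeyID checks the shape printed in the registry log line:
// twelve groups of four base32 characters separated by colons.
func IsWellFormedKeyID(id string) bool {
	parts := strings.Split(id, ":")
	if len(parts) != 12 {
		return false
	}
	for _, p := range parts {
		if len(p) != 4 || strings.Trim(p, "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567") != "" {
			return false
		}
	}
	return true
}

// ExampleIDs generates a constructed RSA-2048 key and a throwaway
// self-signed certificate for it, then derives the ID from the certificate
// (the registry's view) and from the key (the auth server's view).
// For the same key material the two must be identical.
func ExampleIDs() (string, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-auth-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	fromCert, err := KeyIDFromPEM(certPEM)
	if err != nil {
		return "", "", err
	}
	fromKey, err := KeyIDFromPublicKey(&key.PublicKey)
	if err != nil {
		return "", "", err
	}
	return fromCert, fromKey, nil
}

func main() {
	fromCert, fromKey, err := ExampleIDs()
	if err != nil {
		panic(err)
	}
	fmt.Printf("from cert: %s\nfrom key:  %s\nmatch: %v\n", fromCert, fromKey, fromCert == fromKey)
}
```

To use it against a real deployment, feed KeyIDFromPEM the certificate from the registry's root cert bundle and, separately, the auth server's certificate or public key, and compare both results with the ID in the "token signed by untrusted key" line. If the bundle certificate's ID differs from the logged ID, the registry is not loading the key the auth server signs with; if all three agree and the token is still rejected, the mismatch is not in the key identity and the search moves elsewhere.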