Authenticate with OCI-compliant registries

You can use notation to authenticate to an OCI-compliant registry. This is useful for pushing and pulling signed artifacts, as well as inspecting artifacts in registries that do not offer public access.
Important: Currently, notation relies on the Docker Credential Store for authentication. Notation requires additional configuration of a Docker credential helper if you are using Notation on Linux.
Use notation login to authenticate to an OCI-compliant registry

To authenticate to an OCI-compliant registry, use the notation login command with your registry, username, and password. For example:

notation login -u <username> -p <password> <registry>
Note: If notation login is failing, you may need to configure the Docker Credential Store as detailed in the "Configure Docker Credential Store for Linux" section.

In development and testing environments, you can use environment variables to authenticate to an OCI-compliant registry.
Configure Docker Credential Store for Linux

As a security best practice, you should use a credential helper backed by a system keychain when using local credentials to access remote repositories. notation uses Docker Credential Helpers and their protocol as its credential helpers. Currently, using Docker Credential Helpers on Linux requires manual installation and configuration by following the steps below. This configuration will be simplified in Notation v1.0.0.
1. Install the Docker credential helper pass.

mkdir -p ~/bin
curl -Lo ~/bin/docker-credential-pass "https://github.com/docker/docker-credential-helpers/releases/download/v0.7.0/docker-credential-pass-v0.7.0.linux-amd64"
chmod +x ~/bin/docker-credential-pass
2. Generate and configure a GPG key for encryption.

Note: If you already have a GPG key, run gpg --edit-key to trust your key instead.

gpg --full-generate-key
3. Install and configure pass.

sudo apt update
sudo apt install pass -y
pass init $your_email
4. Configure the Docker credential store in ~/.docker/config.json.

mkdir -p ~/.docker
echo '{"credsStore":"pass"}' > ~/.docker/config.json
chmod 600 ~/.docker/config.json
5. Use notation login to authenticate to an OCI-compliant registry.

notation login -u <username> <registry>
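Once the steps above are done, a quick check that the configuration actually took effect saves a confusing notation login failure later. The script below is an added example (not part of the notation project or the original page): it reads the credsStore value out of a Docker config file, confirms the matching docker-credential-<store> helper is on PATH, and warns if the file is readable by other users. The function names, the scratch directory and the sample config are this example's own constructions.

```shell
#!/bin/sh
# Added example, not notation's own code: verify that a Docker config.json names a
# credential store and that the helper binary for it is reachable.

# Print the credsStore value from a Docker config file (empty output if absent).
# The sed pattern is sized for the one-line config written in the steps above; a
# pretty-printed config with the key on its own line matches too.
creds_store_of() {
  sed -n 's/.*"credsStore"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Exit 0 only when a store is configured and its helper can be found on PATH.
check_creds_store() {
  cfg=$1
  store=$(creds_store_of "$cfg")
  if [ -z "$store" ]; then
    echo "$cfg: no credsStore configured; no credential helper will be used" >&2
    return 1
  fi
  if ! command -v "docker-credential-$store" >/dev/null 2>&1; then
    echo "$cfg: credsStore=$store but docker-credential-$store is not on PATH" >&2
    return 2
  fi
  # The steps above chmod 600 the file; flag it if the 'other' read bit is set.
  # Column 8 of `ls -l` output is the other-read permission character.
  if [ "$(ls -l "$cfg" | cut -c8)" = "r" ]; then
    echo "$cfg: warning, file is readable by other users" >&2
  fi
  echo "$cfg: credsStore=$store, helper docker-credential-$store found"
  return 0
}

# Demo against a constructed config in a scratch directory (no real credentials).
# On a machine without docker-credential-pass installed this reports status 2.
demo_dir=$(mktemp -d)
printf '%s\n' '{"credsStore":"pass"}' > "$demo_dir/config.json"
chmod 600 "$demo_dir/config.json"
check_creds_store "$demo_dir/config.json" || echo "check failed with status $?"
rm -rf "$demo_dir"
```

Run it as `sh check-creds-store.sh`, or source it and call `check_creds_store ~/.docker/config.json` directly; a non-zero status tells you which of the two preconditions (store configured, helper present) is missing before you retry notation login.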
Configure environment variables to authenticate to an OCI-compliant registry

Warning: Environment variables are not secure and should not be used in a production environment for storing sensitive data such as usernames and passwords.

Set the NOTATION_USERNAME and NOTATION_PASSWORD environment variables to authenticate to an OCI-compliant registry.

export NOTATION_USERNAME="YOUR_REGISTRY_USERNAME"
export NOTATION_PASSWORD="YOUR_REGISTRY_PASSWORD"
After the environment variables are set, you can use Notation with your registry without notation login.

For security reasons, unset the environment variables after you are done interacting with the OCI-compliant registry. For example:

unset NOTATION_USERNAME
unset NOTATION_PASSWORD
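The export-then-unset pattern above works, but it leaves a window in which every process started from that shell inherits the password, and a forgotten unset leaves it there indefinitely. The script below is an added example (not part of the notation project or the original page) of the tighter alternative: set NOTATION_USERNAME and NOTATION_PASSWORD only in a subshell that runs a single command, reading the password from a mode-600 file rather than typing it on a command line where it would reach shell history and process listings. The function names and the constructed secret file are this example's own; `sh -c` stands in for a notation command.

```shell
#!/bin/sh
# Added example, not notation's own code: scope registry credentials to one child
# process instead of exporting them into the interactive shell.

# with_notation_creds USER SECRET_FILE COMMAND [ARGS...]
# Runs COMMAND in a subshell with the two variables exported; the calling shell
# never sees them, so there is nothing left over to `unset`.
with_notation_creds() {
  user=$1
  secret_file=$2
  shift 2
  (
    NOTATION_USERNAME=$user
    NOTATION_PASSWORD=$(cat "$secret_file")   # $(...) drops the trailing newline
    export NOTATION_USERNAME NOTATION_PASSWORD
    "$@"
  )
}

# creds_in_env: exit 0 if either variable is still set in the current shell,
# i.e. a leftover export that should be cleaned up with `unset`.
creds_in_env() {
  [ -n "${NOTATION_USERNAME:-}" ] || [ -n "${NOTATION_PASSWORD:-}" ]
}

# Demo with a constructed secret (not a real credential).
demo_dir=$(mktemp -d)
printf 'constructed-secret\n' > "$demo_dir/registry-password"
chmod 600 "$demo_dir/registry-password"
with_notation_creds alice "$demo_dir/registry-password" \
  sh -c 'printf "child sees user=%s password_set=%s\n" "$NOTATION_USERNAME" "${NOTATION_PASSWORD:+yes}"'
if creds_in_env; then
  echo "parent shell still holds credentials; run: unset NOTATION_USERNAME NOTATION_PASSWORD"
else
  echo "parent shell environment is clean"
fi
rm -rf "$demo_dir"
```

In practice the COMMAND argument would be the notation invocation itself, e.g. `with_notation_creds "$USER" ~/.config/registry-password notation list <registry>/<repo>@<digest>`; the credentials exist only for the lifetime of that one process.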
Use notation logout to log out of an OCI-compliant registry

To log out of an OCI-compliant registry, use the notation logout command with your registry. For example:

notation logout <registry>
OCI-compliant registries

For a full list of OCI-compliant registries compatible with notation, see OCI-compliant registries.