Given that the Docker Content Trust is enabled, I can see the Root Key information when I inspect a repo as below.
[root@lab admin]# docker trust inspect registry.XXXXXX.com/project/nginx --pretty

Signatures for registry.XXXXXX.com/project/nginx

SIGNED TAG   DIGEST                                                             SIGNERS
test         61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa   john
test1        61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa   john
test2        61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa   john

List of signers and their keys for registry.XXXXXX.com/project/nginx

SIGNER   KEYS
john     f20b2f70c3fa

Administrative keys for registry.XXXXXX.com/project/nginx

  Repository Key: XXXXXXX
  Root Key:       XXXXXXX <-------------------------------------- this is a hashed value

However, that Root Key value is actually a hashed value, so I cannot really confirm whether the root key used for this repo is the root key file in my ~/.docker/trust/private.
I am wondering whether there is a way to reveal the relation between this hashed root key ID and the actual root key file.
Thanks for your help.
You can use
notary -d ~/.docker/trust key list
but if you have more than one root key it can be confusing, so every time I generate a root key I rename it to myRepo.key and move it to a safe location, preferably offline. You will need it only if you want to create or revoke other delegated keys.
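
An offline way to see which local file holds which role, as an added example that is not part of the original answer or of Docker/Notary: it indexes a private key directory by role and key ID so that a truncated ID printed by the CLI can be matched to a file. It assumes each key is stored as `<key-id>.key` with `role:` and optional `gun:` PEM headers; the function names, IDs and the `registry.example.com` name are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout (not stated on the page): each private key is stored as
# <key-id>.key, with "role:" and optional "gun:" PEM headers placed between
# the BEGIN line and the first blank line. Only those headers are read.

pem_header() {  # pem_header NAME FILE -> value of that header, if present
    awk -v k="$1:" '/^-----BEGIN/ {h = 1; next}
                    h && /^$/     {exit}
                    h && $1 == k  {print $2; exit}' "$2"
}

list_trust_keys() {  # list_trust_keys [DIR] -> "role<TAB>key-id<TAB>gun" per key file
    dir=${1:-"$HOME/.docker/trust/private"}
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        role=$(pem_header role "$f"); gun=$(pem_header gun "$f")
        printf '%s\t%s\t%s\n' "${role:-unknown}" "$(basename "$f" .key)" "${gun:--}"
    done
}

find_trust_key() {  # find_trust_key ID_PREFIX [DIR]; exit status 1 when nothing matches
    list_trust_keys "${2:-}" |
        awk -F'\t' -v p="$1" 'index($2, p) == 1 {print; n++} END {exit (n ? 0 : 1)}'
}

# Constructed sample data: fake IDs and a placeholder body, no real key material.
ROOT_ID=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
TARGETS_ID=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'role: root' '' \
        'Q09OU1RSVUNURUQ=' '-----END ENCRYPTED PRIVATE KEY-----' > "$d/$ROOT_ID.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'role: targets' \
        'gun: registry.example.com/project/nginx' '' \
        'Q09OU1RSVUNURUQ=' '-----END ENCRYPTED PRIVATE KEY-----' > "$d/$TARGETS_ID.key"
    echo "$d"
}

sample=$(make_sample_dir)
list_trust_keys "$sample"                # every key file with its role
find_trust_key 0123456789ab "$sample"    # look up a truncated ID
rm -rf "$sample"
```

Run `list_trust_keys` with no argument to index `~/.docker/trust/private`; any file reported with role `root` is the one the answer suggests keeping offline.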