
Does 'docker trust key load' support GPG-generated keys? #3696

Closed
2 tasks done
themediapot opened this issue Jun 3, 2019 · 4 comments

Comments

@themediapot

  • I have tried with the latest version of my channel (Stable or Edge)
  • I have uploaded Diagnostics
  • Diagnostics ID: 864A35CC-89F3-4D4C-97EE-0382122E0391/20190603095252

Expected behavior

docker trust key load gpg-secret-key.pem --name kevin
When executing the above command, it should accept a PEM file as indicated in https://docs.docker.com/engine/security/trust/content_trust/

Actual behavior

It asked for a passphrase, and upon entering the correct passphrase:

Loading key from "/Users/kevin/.gnupg/pkcs12/gpg-secret-key.pem"...
Enter passphrase for encrypted key:
Passphrase incorrect. Please retry.

Information

To use my gpg keypair to produce the necessary PEM file, I followed the instructions on http://sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL#c21688.

I have also tried encoding passphrase with utf-8 and cp850 to no avail, with:

gpgsm -o cert.p12 --p12-charset utf-8 --export-secret-key-p12 _keyid_
gpgsm -o cert.p12 --p12-charset cp850 --export-secret-key-p12 _keyid_

I can reproduce this reliably across my environments.

  • macOS Version: 10.14.5
  • gpg (GnuPG/MacGPG2) 2.2.10
  • libgcrypt 1.8.3

Diagnostic logs

See attached.
20190603095252.zip

Steps to reproduce the behavior

  1. gpg --list-secret-keys --with-keygrip
  2. gpgsm --gen-key -o temporary.cert
     • Existing Key
     • use keygrip from gpg output
     • fill the X509 values
     • CN=computer1,O=organisation1,L=city1,C=country1
     • create a self signed certificate
  3. gpgsm --import temporary.cert
  4. gpgsm --list-keys
     • find the key just imported
  5. gpgsm -o cert.p12 --export-secret-key-p12 ${KEY_ID}
  6. docker trust key load gpg-secret-key.pem --name name1
@justincormack
Member

I need to dig into this a bit more, but at a guess you are running into the issue golang/go#8860 that Go cannot decrypt pkcs8 encrypted keys, only ones with PEM encryption at present. It looks like there may be other Go libraries that can work with these though, so it might be possible to add support.

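The distinction in the comment above (a passphrase-protected PKCS#8 "ENCRYPTED PRIVATE KEY" block, which Go's standard library cannot decrypt, versus the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" PEM format or an unencrypted key) is easy to check on the file itself before handing it to docker trust. The Go program below is an added example written for this page; it is not code from docker/for-mac, notary, or the reporter, and it does not reproduce the gpgsm steps. It assumes the reporter's gpg-secret-key.pem was produced from the PKCS#12 export, which typically yields the PKCS#8 encrypted form. All three sample keys are constructed inline (a freshly generated P-256 key for the unencrypted case, placeholder bytes for the two encrypted cases), so it runs offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// KeyProtection describes how a PEM-encoded private key is (or is not) encrypted.
type KeyProtection string

const (
	Unencrypted        KeyProtection = "unencrypted"
	LegacyPEMEncrypted KeyProtection = "legacy-pem-encrypted" // OpenSSL "traditional" format: Proc-Type / DEK-Info headers
	PKCS8Encrypted     KeyProtection = "pkcs8-encrypted"      // "ENCRYPTED PRIVATE KEY" block (PKCS#8 EncryptedPrivateKeyInfo)
	NotAPrivateKey     KeyProtection = "not-a-private-key"
)

// ClassifyPEM inspects the first PEM block in data and reports how the key is protected.
func ClassifyPEM(data []byte) (KeyProtection, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return NotAPrivateKey, errors.New("no PEM block found")
	}
	switch {
	case block.Type == "ENCRYPTED PRIVATE KEY":
		return PKCS8Encrypted, nil
	case strings.HasSuffix(block.Type, "PRIVATE KEY"):
		// Legacy OpenSSL encryption is signalled by headers, not by the block type.
		if strings.HasPrefix(block.Headers["Proc-Type"], "4,ENCRYPTED") {
			return LegacyPEMEncrypted, nil
		}
		return Unencrypted, nil
	}
	return NotAPrivateKey, nil
}

// StdlibCanParse reports whether crypto/x509 can turn the block into a key as-is,
// i.e. with no passphrase. An "ENCRYPTED PRIVATE KEY" block always fails here:
// the standard library parses PKCS#8 but does not decrypt it (golang/go#8860).
func StdlibCanParse(data []byte) bool {
	block, _ := pem.Decode(data)
	if block == nil {
		return false
	}
	if _, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		return true
	}
	if _, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
		return true
	}
	_, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	return err == nil
}

// The three samples below are constructed for this example; none comes from the issue.

// UnencryptedSample is a freshly generated P-256 key in unencrypted PKCS#8 form,
// the shape that Go loads without asking for a passphrase.
func UnencryptedSample() ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// PKCS8EncryptedSample mimics the block type a PKCS#12 export converted to PEM
// usually carries. The body is placeholder DER (SEQUENCE { INTEGER 0 }), not real
// PBES2 ciphertext; pem.Decode does not validate it and x509 rejects it either way.
func PKCS8EncryptedSample() []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type:  "ENCRYPTED PRIVATE KEY",
		Bytes: []byte{0x30, 0x03, 0x02, 0x01, 0x00},
	})
}

// LegacyEncryptedSample mimics OpenSSL "traditional" PEM encryption: the block type
// names the key algorithm and the headers carry the cipher and IV. The body is
// placeholder bytes standing in for ciphertext.
func LegacyEncryptedSample() []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type: "EC PRIVATE KEY",
		Headers: map[string]string{
			"Proc-Type": "4,ENCRYPTED",
			"DEK-Info":  "AES-256-CBC,00000000000000000000000000000000", // placeholder IV
		},
		Bytes: make([]byte, 32), // placeholder ciphertext
	})
}

func main() {
	plain, err := UnencryptedSample()
	if err != nil {
		panic(err)
	}
	samples := map[string][]byte{
		"unencrypted PKCS#8":   plain,
		"PKCS#8 encrypted":     PKCS8EncryptedSample(),
		"legacy PEM encrypted": LegacyEncryptedSample(),
	}
	for name, data := range samples {
		kind, _ := ClassifyPEM(data)
		fmt.Printf("%-22s -> %-22s stdlib parses as-is: %v\n", name, kind, StdlibCanParse(data))
	}
}
```

Run it against the exported file by reading it into ClassifyPEM: a result of pkcs8-encrypted explains the "Passphrase incorrect" loop without any mistyped passphrase being involved, because the decryption path for that format does not exist in the standard library. Only the unencrypted PKCS#8 sample parses without a passphrase; the two encrypted samples are classified correctly but rejected by x509, which is the behaviour the comment above describes.
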
@themediapot
Author

Thanks mate, that'd be appreciated! Just read golang/go#8860. Do unencrypted keys mean exporting the PEM file with no passphrase?

@docker-robott
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30d of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Jul 1, 2020