March-9th-2018, 08:43 PM
Yes, you misunderstood it. When netPI wants to pull an image from a repository server, this server needs to reply with a certificate that is trusted and cross-signed by a CA. So the CA signature is a thing the server has to guarantee, not netPI. It is like when you go to an https:// supported web site and your browser reports "this site is insecure". Usually in your browser you have to trust it anyway or decline. With netPI as it is implemented today, you can't select to trust it anyway, even if it is not authorized by a CA.
My example just shows you how you get a CA for a server for free. Of course, if you want to have a long-term CA certificate, you have to get a certificate from https://www.globalsign.com/en/certificat...t-signing/, for example, that lasts 10 years. But this is a matter of costs.
We understood the demand that Docker has to also trust untrusted repos ... then it is like you accept in your browser to continue to load an untrusted https:// web site. But at the moment we don't have it.
Thx
armin
„You never fail until you stop trying.“, Albert Einstein (1879 - 1955)