
algorithm rsa not supported for create key #1597

Open
DrissiReda opened this issue Apr 12, 2021 · 3 comments

Comments

@DrissiReda

I'm using the docker images 0.6.1-2. By the way, is there any reason why the most recent docker image is 2 years old? Any specific reason why 0.7.0 hasn't been pushed? Not important for me right now though, just wondering.

I tried:

```
notary -s https://notary-server.notary:4443 -d ~/.docker/trust --tlscacert notaryfixtures/root-ca.crt init private-registry.local:30005/collection
```

I get this output:

```
Root key found, using: bab92a2c19d9eee89252396686e88f98e479e6d4846f3b836bac03aba4d9a747
Enter passphrase for root key with ID bab92a2: 
Enter passphrase for new targets key with ID 09d2db7: 
Repeat passphrase for new targets key with ID 09d2db7: 
Enter passphrase for new snapshot key with ID b4cda61: 
Repeat passphrase for new snapshot key with ID b4cda61: 

* fatal: unable to reach trust server at this time: 500.
```

When I checked the logs of notary-server I found this relevant bit:

```json
{"go.version":"go1.12.8","http.request.host":"notary-server.notary:4443","http.request.id":"ecb5e20f-9ea9-4963-94a9-40551bbced9c","http.request.method":"GET","http.request.remoteaddr":"10.244.0.0:51876","http.request.uri":"/v2/private-registry.local:30005/collection/_trust/tuf/timestamp.key","http.request.useragent":"Go-http-client/1.1","level":"error","msg":"unknown: unknown error: rpc error: code = 2 desc = algorithm rsa not supported for create key","time":"2021-04-12T10:38:01Z"}
```

I'm indeed using rsa for the certificates, but since it's an option I don't understand why it would completely prevent me from using notary. Why am I getting `algorithm rsa not supported for create key`?

If I change trust_service.key_algorithm from "rsa" to "ecdsa" then my root ca isn't recognized and notary-server isn't functional.

Also is there any way to completely disable notary's TLS?

In case you need my conf:

server-conf

```json
{
  "server": {
    "http_addr": ":4443",
    "tls_key_file": "/tls/notary-server.key",
    "tls_cert_file": "/tls/notary-server.crt"
  },
  "trust_service": {
    "type": "remote",
    "hostname": "notary-signer.notary",
    "port": "7899",
    "tls_ca_file": "/tls/root-ca.crt",
    "key_algorithm": "rsa",
    "tls_client_cert": "/tls/notary-server.crt",
    "tls_client_key": "/tls/notary-server.key"
  },
  "logging": {
    "level": "debug"
  },
  "storage": {
    "backend": "postgres",
    "db_url": "postgres://postgres:postgres@postgres5432/notaryserver?sslmode=disable"
  },
  "caching": {
    "max_age": {
      "current_metadata": "300",
      "consistent_metadata": "31536000"
    }
  },
  "repositories": {
    "gun_prefixes": ["docker.io/", "private-registry:30005/", "private-registry.local:30005/"]
  }
}
```

signer-conf

```json
{
  "server": {
    "grpc_addr": ":7899",
    "tls_cert_file": "/tls/notary-signer.crt",
    "tls_key_file": "/tls/notary-signer.key",
    "client_ca_file": "/tls/root-ca.crt"
  },
  "logging": {
    "level": "debug"
  },
  "storage": {
    "backend": "postgres",
    "db_url": "postgres://postgres:postgres@postgres5432/notarysigner?sslmode=disable",
    "default_alias": "alias"
  }
}
```
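The error in the log above comes from the signer being asked to *create* a key (the timestamp key for the new collection) with the algorithm named in `trust_service.key_algorithm`. The following is an added example, not code from the notary project or from anyone in this thread: a small pre-flight check that flags an unusable `key_algorithm` in a notary-server config, shows the corrected setting next to the original, and scans notary-server JSON log lines for the "not supported for create key" message. It assumes the set of algorithms the signer can generate is `ecdsa` and `ed25519` (the thread only establishes that `rsa` is not among them); the config excerpt and log lines are constructed for the example.

```python
"""Added example (not from the notary project or this issue): pre-flight
check for trust_service.key_algorithm and a scanner for the matching
notary-server log line.

Assumptions: the signer can generate "ecdsa" and "ed25519" keys (the
thread only shows that "rsa" generation was dropped); SERVER_CONF and
LOG_LINES below are constructed sample input.
"""
import json
import re

# Algorithms the signer is assumed to create keys for. "rsa" generation was
# removed in 2017 (issue #1191 cited in the thread); existing RSA keys can
# still be imported, which is a separate code path from key creation.
SUPPORTED_KEY_ALGORITHMS = {"ecdsa", "ed25519"}
DEFAULT_KEY_ALGORITHM = "ecdsa"

# Constructed copy of the reporter's server config, trimmed to what matters.
SERVER_CONF = json.loads("""
{
  "server": {"http_addr": ":4443"},
  "trust_service": {
    "type": "remote",
    "hostname": "notary-signer.notary",
    "port": "7899",
    "tls_ca_file": "/tls/root-ca.crt",
    "key_algorithm": "rsa"
  }
}
""")

# Constructed log lines in the JSON format notary-server uses in the issue.
LOG_LINES = [
    '{"level":"info","msg":"starting","time":"2021-04-12T10:37:59Z"}',
    '{"http.request.method":"GET","http.request.uri":"/v2/example.local/collection/_trust/tuf/timestamp.key","level":"error","msg":"unknown: unknown error: rpc error: code = 2 desc = algorithm rsa not supported for create key","time":"2021-04-12T10:38:01Z"}',
    "not a json line at all",
]


def check_trust_service(conf):
    """Return a list of findings about trust_service.key_algorithm.
    The setting governs the keys the signer creates on demand (such as the
    timestamp key requested in the log line), so an unsupported value turns
    every `notary init` against this server into a 500."""
    findings = []
    ts = conf.get("trust_service", {})
    algo = str(ts.get("key_algorithm", DEFAULT_KEY_ALGORITHM)).lower()
    if algo not in SUPPORTED_KEY_ALGORITHMS:
        findings.append(
            f"trust_service.key_algorithm={algo!r} cannot be used to create "
            f"keys; use one of {sorted(SUPPORTED_KEY_ALGORITHMS)}"
        )
    return findings


def fixed_trust_service(conf, algorithm=DEFAULT_KEY_ALGORITHM):
    """Return a deep copy of the config with a supported key_algorithm.
    Only that one key changes; TLS settings such as tls_ca_file are left
    exactly as they were."""
    fixed = json.loads(json.dumps(conf))
    fixed.setdefault("trust_service", {})["key_algorithm"] = algorithm
    return fixed


UNSUPPORTED_RE = re.compile(r"algorithm (\w+) not supported for create key")


def scan_logs(lines):
    """Return (algorithm, request uri) for every notary-server log line in
    which the signer refused to create a key. Non-JSON lines are skipped."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        m = UNSUPPORTED_RE.search(rec.get("msg", ""))
        if m:
            hits.append((m.group(1), rec.get("http.request.uri", "")))
    return hits


if __name__ == "__main__":
    for finding in check_trust_service(SERVER_CONF):
        print("config:", finding)
    for algo, uri in scan_logs(LOG_LINES):
        print(f"log: signer refused to create a {algo} key while serving {uri}")
    print("corrected trust_service:",
          json.dumps(fixed_trust_service(SERVER_CONF)["trust_service"]))
```

Running it against the constructed config reports the `rsa` setting, prints the single matching log line, and shows the `trust_service` block with `"key_algorithm": "ecdsa"` and the TLS paths unchanged.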
@stefan-zh

Notary dropped support for RSA key generation in 2017, however RSA keys can still be imported: #1191
Similar issue: #1277

@DrissiReda

But since you kept support for external RSA keys, can I manually create my keys for the init of the collection, so I can avoid this error?

@stefan-zh

@DrissiReda I am not a maintainer of Notary, but I think you can init a collection with keys like this:

```
notary init example.com/collection --rootkey /path/to/root-key.key --rootcert /path/to/root-key.crt
```
