
Trust sandbox is outdated and not working #11539

Open
@jryberg

Description

There seem to be several issues with the trust sandbox.

Issue 1 - Certificate has expired

/ # docker pull sandboxregistry:5000/test/trusttest
Using default tag: latest
Error: error contacting notary server: x509: certificate has expired or is not yet valid

It expired on Mar 9 00:43:17 2019 GMT.

Issue 2 - Image docker.io/docker/trusttest:latest uses outdated schema1

/ # docker pull docker/trusttest
Using default tag: latest
latest: Pulling from docker/trusttest
Image docker.io/docker/trusttest:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/

My session output

user@computer:~/trustsandbox$ docker container exec -it trustsandbox sh
/ # docker pull docker/trusttest
Using default tag: latest
latest: Pulling from docker/trusttest
Image docker.io/docker/trusttest:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
aac0c133338d: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:50c0cdd0577cc7ab7c78e73a0a89650b222f6ce2b87d10130ecff055981b702f
Status: Downloaded newer image for docker/trusttest:latest
docker.io/docker/trusttest:latest
/ # docker tag docker/trusttest sandboxregistry:5000/test/trusttest:latest
/ # export DOCKER_CONTENT_TRUST=1
/ # export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443
/ # docker pull sandboxregistry:5000/test/trusttest
Using default tag: latest
Error: error contacting notary server: x509: certificate has expired or is not yet valid
/ # docker push sandboxregistry:5000/test/trusttest:latest
The push refers to repository [sandboxregistry:5000/test/trusttest]
5f70bf18a086: Pushed
c22f7bc058a9: Pushed
latest: digest: sha256:7034d197b82fcb07299fda8b05c91d1601ce64f31bc102b1345d03a2953d210a size: 734
Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate has expired or is not yet valid
/ # date
Wed Oct 14 11:15:32 UTC 2020
/ # wget -S https://notaryserver:4443
Connecting to notaryserver:4443 (172.20.0.2:4443)
ssl_client: notaryserver: certificate verification failed: certificate has expired
wget: error getting response: Connection reset by peer
/ # openssl s_client -showcerts -servername notaryserver:4443 -connect notaryserver:4443 </dev/null
CONNECTED(00000003)
depth=2 C = US, ST = CA, L = San Francisco, O = Docker, CN = Notary Testing CA
verify return:1
depth=1 C = US, ST = CA, L = San Francisco, O = Docker, CN = Notary Intermediate Testing CA
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = Docker, CN = notary-server
verify error:num=10:certificate has expired
notAfter=Mar  9 00:43:17 2019 GMT
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = Docker, CN = notary-server
notAfter=Mar  9 00:43:17 2019 GMT
verify return:1
---
Certificate chain
 0 s:C = US, ST = CA, L = San Francisco, O = Docker, CN = notary-server
   i:C = US, ST = CA, L = San Francisco, O = Docker, CN = Notary Intermediate Testing CA
 1 s:C = US, ST = CA, L = San Francisco, O = Docker, CN = Notary Intermediate Testing CA
   i:C = US, ST = CA, L = San Francisco, O = Docker, CN = Notary Testing CA
---
Server certificate
subject=C = US, ST = CA, L = San Francisco, O = Docker, CN = notary-server

issuer=C = US, ST = CA, L = San Francisco, O = Docker, CN = Notary Intermediate Testing CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3361 bytes and written 412 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F576B1306D0A09167321782864819D1E6292F6DEA8CA17FA274478042675396B
    Session-ID-ctx:
    Master-Key: 7AFD38F5FECA692C1D65059153F4A3992702782AEEF3B3C909DE8678380F2F45FEF9275318A4AEB1CF35E2605BD6BCE8
    PSK identity: None
    PSK identity hint: None
    SRP username: None

    Start Time: 1602674626
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---
DONE
/ #

File: engine/security/trust/trust_sandbox.md
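A check a practitioner could run before starting the walkthrough, added here as an example that is not part of the issue or of the Docker docs: it parses `openssl s_client` verify output like the one above and reports which verify errors fired and how long the notary-server certificate has been expired. The sample output and the reference time are constructed from the session quoted above; the live variant assumes an `openssl` binary on PATH.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample: the verify lines from the `openssl s_client` run quoted in
# the issue, reduced to the parts this check needs.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = Docker, CN = notary-server
verify error:num=10:certificate has expired
notAfter=Mar  9 00:43:17 2019 GMT
verify return:1
---
Verification error: certificate has expired
"""

# The `date` output from the same session, used as the reference "now".
SESSION_NOW = datetime(2020, 10, 14, 11, 15, 32, tzinfo=timezone.utc)

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL's verify error code for expiry

def parse_openssl_time(value):
    """Parse OpenSSL's 'Mar  9 00:43:17 2019 GMT' into an aware UTC datetime."""
    fields = value.split()  # also collapses the space-padded day ("Mar  9")
    if fields[-1] not in ("GMT", "UTC"):
        raise ValueError(f"unexpected timezone in {value!r}")
    naive = datetime.strptime(" ".join(fields[:-1]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def check_s_client_output(text, now):
    """Classify s_client output: which verify errors fired, and whether the leaf
    certificate's notAfter lies in the past relative to `now`."""
    codes = sorted({int(n) for n in re.findall(r"^verify error:num=(\d+):", text, re.M)})
    match = re.search(r"^notAfter=(.+)$", text, re.M)
    not_after = parse_openssl_time(match.group(1)) if match else None
    expired = X509_V_ERR_CERT_HAS_EXPIRED in codes or (not_after is not None and not_after < now)
    days_expired = (now - not_after).days if expired and not_after else 0
    return {"expired": expired, "days_expired": days_expired,
            "verify_codes": codes, "not_after": not_after}

def check_live(host, port):
    """Run openssl s_client against host:port and classify its output. Assumes an
    openssl binary on PATH; verify messages go to stderr, so both streams are read."""
    cmd = ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=15)
    return check_s_client_output(proc.stdout + proc.stderr, datetime.now(timezone.utc))
```

For the sandbox, `check_live("notaryserver", 4443)` from inside the trustsandbox container gives the same verdict as the manual `openssl s_client` run in the session.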
