Issue with pushing Signed docker image to Azure Container Registry with Content Trust Enabled

Question

I have a Azure Container Registry with content trust enabled and trying to run following commands to push signed image to registry but it is failing for command #2 with the error you are not authorized to perform this operation: server returned 401.

sudo docker trust signer add --key delegation.crt harsh testhlaveva.azurecr.io/hello-world
sudo docker trust signer add --key delegation.crt harsh testhlaveva.azurecr.io/hello-world
sudo docker trust sign testhlaveva.azurecr.io/hello-world:1.0.0-signed
sudo docker trust inspect --pretty testhlaveva.azurecr.io/hello-world

Error Log

harsh@ubuntu:~/Desktop/content_trust/test3_crt$ sudo docker trust signer add --key delegation.crt harsh testhlaveva.azurecr.io/hello-world
Adding signer "harsh" to testhlaveva.azurecr.io/hello-world...
Initializing signed repository for testhlaveva.azurecr.io/hello-world...
Enter passphrase for root key with ID fb3d071: 
Enter passphrase for new repository key with ID 66ae075: 
Repeat passphrase for new repository key with ID 66ae075: 
Successfully initialized "testhlaveva.azurecr.io/hello-world"
you are not authorized to perform this operation: server returned 401.
Failed to add signer to: testhlaveva.azurecr.io/hello-world

Answer 1

Hello @harsh,

Please assign the role AcrImageSigner role to the user on ACR for the user who ever is signing the image

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-content-trust

I was able to repro your exact issue but after assigning AcrImageSigner permission , it was successful.

Before giving the permission:

After giving the permission:

Able to sign successfully:

Regards,

Shiva.