Tried running docker key trust load and it does not load the key into ~/.docker/trust/private despite
it saying the key is successfully imported; it merely creates the trust/private directory, but the key file is not present in the /private directory.
Client:
Version: 18.03.1-ce
API version: 1.37
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:20:16 2018
OS/Arch: linux/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.03.1-ce
API version: 1.37 (minimum version 1.12)
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:23:58 2018
OS/Arch: linux/amd64
Experimental: false
Bit weird, but seems like the code expects your key to have the "path" header set. Figured this out by looking in Notary's documentation. Was able to import a key formatted like:
-----BEGIN ENCRYPTED PRIVATE KEY-----
role: signer
path: keyid
====REDACTED KEY DATA====
-----END ENCRYPTED PRIVATE KEY-----
Relevant doc: https://godoc.org/github.com/docker/notary/trustmanager#ImportKeys
Also fyi, if you generate the key with notary, the notary key export command will generate a key in this format for you.
It still fails even with Docker Client 19.03.12.
The docker trust key import operation ends successfully even if no key is really imported.
On the other hand, notary key import fails with an ambiguous error: key may be encrypted and does not contain path header and fatal: failed to import all keys: invalid key pem block.
Apparently, both docker trust key generate and notary key generate create keys that cannot be imported afterwards.
The solution, not documented anywhere, except in the comment above (https://github.com/docker/cli/issues/1095#issuecomment-423707423), is to edit the key and add the path field with the key id.
Example:
-----BEGIN ENCRYPTED PRIVATE KEY-----
role: devops
path: hex_key_id_without_dot_key
====REDACTED KEY DATA====
-----END ENCRYPTED PRIVATE KEY-----
and the key will be imported correctly into the private folder, with the name being the path specified plus .key (in this case it would be: hex_key_id_without_dot_key.key).
An alternative and better approach is to export the key with notary as explained here: https://github.com/docker/cli/issues/2031
notary -d $HOME/.docker/trust key list
notary -d $HOME/.docker/trust key export --key key-id -o key-name.pem
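A check for the failure mode discussed in this thread, added here as an example (not code from docker/cli or notary): it parses a key PEM the way Go's encoding/pem does, tells you whether the `path` header the importer expects is present, and adds it, taking the key id from the `<hex id>.key` file name that docker trust uses. The key id and PEM body in the script are constructed placeholders.

```python
"""Check a Notary/Docker Content Trust private-key PEM for the 'path' header
that notary's ImportKeys expects, and add it when it is missing.  Added
example; not code from docker/cli or notary.  Key ids and bodies used here
are constructed placeholders, never real key material."""
import re

PEM_BEGIN = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
PEM_END = "-----END ENCRYPTED PRIVATE KEY-----"
KEY_ID_RE = re.compile(r"^[0-9a-f]{64}$")  # notary key ids: hex SHA-256 digests

def parse_pem(text):
    """Split one PEM block into (headers dict, body lines).  As in Go's
    encoding/pem, every line containing ':' before the first body line is a
    header; a blank line after the headers is optional."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an ENCRYPTED PRIVATE KEY PEM block")
    headers, body = {}, []
    for line in lines[1:-1]:
        if not body and ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        elif line.strip():
            body.append(line.strip())
    return headers, body

def key_id_from_filename(name):
    """'~/.docker/trust/private/<hex id>.key' -> '<hex id>', the path value."""
    kid = name.rsplit("/", 1)[-1]
    kid = kid[:-4] if kid.endswith(".key") else kid
    if not KEY_ID_RE.match(kid):
        raise ValueError("file name is not a notary key id: %r" % name)
    return kid

def ensure_path_header(text, key_id):
    """Return the PEM with 'path: <key_id>' added after any existing headers
    (such as 'role'); an existing 'path' header is left untouched."""
    headers, body = parse_pem(text)
    headers.setdefault("path", key_id)
    hdr = ["%s: %s" % kv for kv in headers.items()]
    return "\n".join([PEM_BEGIN] + hdr + [""] + body + [PEM_END]) + "\n"

if __name__ == "__main__":  # usage: python fix_key.py <hex id>.key > fixed.pem
    import sys
    with open(sys.argv[1]) as fh:
        sys.stdout.write(ensure_path_header(fh.read(), key_id_from_filename(sys.argv[1])))
```

Run it on the file docker trust key generate wrote and load the rewritten PEM; the missing header, not the key material, is what makes the import silently produce nothing.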