A docker pull command may fail against a Nexus repository. The error message reported to the client includes a message such as
"Error response from daemon: missing signature key"
Nexus is improperly downgrading the manifest to V1 due to a bug parsing the "Accept" header values received from the docker client. The docker client is expecting a V2 manifest style response containing a signature attribute.
We have seen this happen primarily when docker client requests sent through a reverse proxy in front of Nexus which is terminating SSL. We believe this to be because multiple Accept headers sent by the docker client may be collapsed into a single Accept header to Nexus, triggering the bug.