{"id":364453,"date":"2021-11-09T15:42:38","date_gmt":"2021-11-09T12:42:38","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-docker-image-signing-will-evolve-with-notary-v2-cloudsavvy-it\/"},"modified":"2021-11-09T15:42:38","modified_gmt":"2021-11-09T12:42:38","slug":"how-docker-image-signing-will-evolve-with-notary-v2-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-docker-image-signing-will-evolve-with-notary-v2-cloudsavvy-it\/","title":{"rendered":"#How Docker Image Signing Will Evolve With Notary v2 \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-14717\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/7119bc81.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/7119bc81.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" 
src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/7119bc81.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Photo of a person signing a document, overlaid with a holographic padlock security icon\" width=\"1200\" height=\"675\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/lock-icon-hologram-woman-signing-contract-1907064805\">VideoFlow\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Signed Docker images enhance ecosystem trust and security by letting users check the images they download really originate from you. Despite the clear benefits of signing, uptake among Docker users has been slow and it\u2019s not enabled by default.<\/p>\n<p>Now a new version of the Notary signing system seeks to change that. A multi-vendor working group was established in December 2019 to improve the image signing experience and solve several of the problems with the original implementation. Notary v2 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/notaryproject.dev\/blog\/2021\/announcing-notation-alpha1\">launched in alpha<\/a> form in October 2021. 
Here\u2019s how it makes signing more compatible with modern container usage patterns.<\/p>\n<h2 id=\"what-is-notary\"><span class=\"ez-toc-section\" id=\"What_is_Notary\"><\/span>What is Notary?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Notary is a project that Docker began in 2015 before donating it to the Cloud Native Computing Foundation (CNCF). The v2 release is being guided by a cross-industry group <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/notaryproject\/meeting-notes\/blob\/main\/meeting-notes-2019.md\">that includes<\/a> Docker, Microsoft, Google, and Amazon.<\/p>\n<p>Notary, also known as Docker Content Trust, provides the mechanisms that sign and verify your container images. The current iteration works by adding your public key to your registry, signing your image with the key\u2019s private counterpart, and then pushing the signed image up to the registry. Other users can verify the image by asking the registry to match its public key against the data they\u2019ve pulled. All this functionality is built into the existing Docker CLI under the <code>docker trust<\/code> command group.<\/p>\n<h2 id=\"the-problems-with-v1\"><span class=\"ez-toc-section\" id=\"The_Problems_With_v1\"><\/span>The Problems With v1<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The original version of Notary was developed before the proliferation of Docker registries observed today. It\u2019s designed for Docker Hub first and foremost, whereas today you may be using registries from many different providers. GitHub, GitLab, and popular cloud deployment platforms have all started to offer integrated registries.<\/p>\n<p>Notary currently works in tandem with the registry. If you want to use it with a private registry, you must also deploy your own Notary server. This makes it challenging to use image signing in environments that don\u2019t rely on Docker Hub.<\/p>\n<p>v1 doesn\u2019t work between registries either. 
The signing data is lost when you pull a public image and then push it to a private registry without an accompanying Notary server. You can\u2019t verify whether the private version stays the same as the original while it\u2019s at rest in your registry. Similarly, Notary\u2019s current architecture doesn\u2019t offer support for private networks and air-gapped environments that need to be physically isolated from the outside world.<\/p>\n<h2 id=\"the-new-v2-architecture\"><span class=\"ez-toc-section\" id=\"The_New_v2_Architecture\"><\/span>The New v2 Architecture<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The next generation of Notary takes the design back to the drawing board to create a simpler experience that\u2019s more universally applicable. One of the project\u2019s objectives <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.docker.com\/blog\/notary-v2-project-update\">is to eventually<\/a> reach a state where image signature checks are turned on by default, a move that would help protect many more users from possible image tampering.<\/p>\n<p>Signing data will now be pushed and pulled with image data, removing the separate step. Everything needed to verify an image will move alongside it, maintaining its availability when pushed to another registry or used in an air-gapped environment.<\/p>\n<p>Notary v2 isn\u2019t limited to signing container images either. It works with any artifact stored in an <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/opencontainers\/distribution-spec\">OCI-compatible<\/a> registry. Now you can sign the assets that accompany your images, such as dependency lists in Software Bills of Materials (SBOMs) and the results from image scanning engines. 
This enforces trust across your entire deployment pipeline by highlighting unauthorized attempts to modify audits and supporting documentation.<\/p>\n<p>One further area where Notary v1 falls short is when it comes to approving an image for use in your own environment. It supports only one signature per image; if a Docker Hub image is signed by its vendor, you can\u2019t add your own signature to mark the image as suitable for your organization.<\/p>\n<p>Notary v2 adds support for this workflow too. As a downstream image user, you can add new signatures to an image (or any other artifact) which others further down the chain will be able to verify. As an example, it means you\u2019ll be able to verify the following assertions about an image identifying as <code>ubuntu:latest<\/code>:<\/p>\n<ul>\n<li>The image was published to Docker Hub by Canonical and has not been tampered with since.<\/li>\n<li>The image has been signed for use by your organization.<\/li>\n<li>The image hasn\u2019t changed since it was cached to your CI server\u2019s private Docker registry.<\/li>\n<\/ul>\n<p>Notary v2 is capable of maintaining trust through the entire ecosystem, instead of being mostly limited to immediate image pulls from Docker Hub. It encourages you to challenge the traditional assumption that images are \u201csafe\u201d because they\u2019re pulled directly from Docker Hub. 
Using multiple signatures lets you validate that statement, then record it as your own seal of approval.<\/p>\n<h2 id=\"using-notary-v2-today\"><span class=\"ez-toc-section\" id=\"Using_Notary_v2_Today\"><\/span>Using Notary v2 Today<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Notary v2 isn\u2019t ready for general use yet. Nonetheless, the first alpha is available to download. The signing and verification component is called <code>notation<\/code>. It\u2019s currently feature-incomplete and offered as a standalone binary that operates independently of the Docker CLI.<\/p>\n<p>Download Notation <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/notaryproject\/notation\/releases\/tag\/v0.7.0-alpha.1\">from its GitHub releases page<\/a>, extract the executable, and place it somewhere on your path. Begin by generating a test signing certificate for your own use:<\/p>\n<pre>notation cert generate-test --default \"my-certificate\"<\/pre>\n<p>Now you can sign images. Notary currently only works with images in a registry. 
You can use Docker to quickly start a compatible registry on localhost:5000:<\/p>\n<pre>docker run -d -p 5000:5000 ghcr.io\/oras-project\/registry:v0.0.3-alpha<\/pre>\n<p>Build and push your image to your registry, then use Notation to sign it:<\/p>\n<pre>docker build -t localhost:5000\/my-image:latest .\ndocker push localhost:5000\/my-image:latest\nnotation sign --plain-http localhost:5000\/my-image:latest<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14722\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/8f95cbf8.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1168\" height=\"64\"\/><\/p>\n<p>You\u2019ve now added your signature to the image. Try to verify it using the <code>verify<\/code> command:<\/p>\n<pre>notation verify --plain-http localhost:5000\/my-image:latest<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14723\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/77f03e4e.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1019\" height=\"61\"\/><\/p>\n<p>This will generate an error because the <code>cert generate-test<\/code> command doesn\u2019t automatically register the generated certificate\u2019s public key. As Notation won\u2019t know the key used to sign the image, validation will fail. 
You can rectify this by adding your certificate\u2019s public key to Notation, then trying to verify your image again:<\/p>\n<pre>notation cert add --name \"my-certificate\" ~\/.config\/notation\/certificate\/my-certificate.crt\nnotation verify --plain-http localhost:5000\/my-image:latest<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14724\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/905b8b19.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1187\" height=\"63\"\/><\/p>\n<p>This time Notation should emit the image\u2019s SHA256 signing hash, indicating verification was successful. Now you should be able to pull and verify the image on another machine with Notation installed. Remember to add your certificate\u2019s public key to your second Notation installation.<\/p>\n<p>The <code>--plain-http<\/code> flag in the commands above enables Notation to use HTTP to connect to the registry. This is necessary for these examples where a Docker registry has been created locally for testing purposes. You should omit this flag when connecting to a real TLS-secured registry.<\/p>\n<h2 id=\"whats-next-for-notary-and-notation\"><span class=\"ez-toc-section\" id=\"Whats_Next_for_Notary_and_Notation\"><\/span>What\u2019s Next for Notary and Notation?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Notary v2 is still under development and new capabilities will show up in future Notation builds. Certificate revocation, environment-specific verification policies, and support for registries without ORAS support are <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/oras-project\/oras\">all on the roadmap<\/a>.<\/p>\n<p>There\u2019s currently no stated timeframe for a stable release. 
Once it arrives, Notary v2 will finally add accessible, resilient, and scalable signing to the container image ecosystem. It should make signature verification usable in many more scenarios, reducing the risk of over-the-wire pull tampering and unauthorized image use.<\/p>\n<p>Once it\u2019s rolled out more broadly, your deployment systems will be able to check if an image is an \u201cofficial\u201d version from its vendor, whether it\u2019s approved for use in your organization, and if it\u2019s got an appropriate security scan result signed with the same key. This will add a welcome layer of extra protection and transparency for security-minded organizations running containers in high-risk environments.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/14716\/how-docker-image-signing-will-evolve-with-notary-v2\/\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How Docker Image Signing Will Evolve With Notary v2 \u2013 CloudSavvy IT&#8221; VideoFlow\/Shutterstock.com Signed Docker images enhance ecosystem trust and security by letting users check the images they download really originate from you. Despite the clear benefits of signing, uptake among Docker users has been slow and it\u2019s not enabled by default. Now a new&#8230;<\/p>\n","protected":false},"author":1,"featured_media":364454,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/7119bc81.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-364453","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/364453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=364453"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/364453\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/364454"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=364453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=364453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/w
p\/v2\/tags?post=364453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}