The Notary project is an open-source project created by Docker that provides a way to digitally sign and verify container images. It aims to enhance security and trust in the container ecosystem by allowing users to sign their images with cryptographic signatures and verify their authenticity during image pull operations.
With Notary, users can establish a trust model where image publishers sign their images and consumers can verify the authenticity and integrity of those images before deploying them. This helps prevent the deployment of tampered or malicious container images.
The Notary project comprises a server and a client for running and interacting with trusted collections. See the service architecture documentation for more information.
Notary aims to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server, which is inherently flawed, as any compromise of the server enables malicious content to be substituted for the legitimate content.
With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.
Consumers, having acquired the publisher’s public key through a secure channel, can then communicate with any Notary server or (insecure) mirror, relying only on the publisher’s key to determine the validity and integrity of the received content.
Notary relies on a combination of public key cryptography and a distributed trust model using a collection of online servers called “trust anchors.” These trust anchors store the public keys of image publishers and provide a source of truth for verifying the authenticity of images.
The project also integrates with Docker Content Trust (DCT), which enforces image signature verification during the image pull process. Docker clients can be configured to only pull and run signed images, ensuring the use of trusted images throughout the software supply chain.
Notary is designed to work with any container registry that supports the Docker Registry HTTP API V2, providing flexibility for users to sign and verify images regardless of the underlying registry implementation.
Notary Architecture
Example client-server-signer interaction
Scenarios notary fit and problems we solve for
Why the Notary Project is unique
Reference
- https://notaryproject.dev/
- https://github.com/notaryproject/notary
- https://github.com/notaryproject/notary/blob/master/docs/service_architecture.md
- https://www.cncf.io/projects/notary/
- https://github.com/notaryproject/notary
- https://notaryproject.dev/docs/
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
