What is Notary Project of CNCF?

The Notary project is an open-source project created by Docker that provides a way to digitally sign and verify container images. It aims to enhance security and trust in the container ecosystem by allowing users to sign their images with cryptographic signatures and verify their authenticity during image pull operations.

With Notary, users can establish a trust model where image publishers sign their images and consumers can verify the authenticity and integrity of those images before deploying them. This helps prevent the deployment of tampered or malicious container images.

The Notary project comprises a server and a client for running and interacting with trusted collections. See the service architecture documentation for more information.

Notary aims to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server, an approach that is inherently flawed, because any compromise of the server allows malicious content to be substituted for the legitimate content.

With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.

Consumers, having acquired the publisher’s public key through a secure channel, can then communicate with any Notary server or (insecure) mirror, relying only on the publisher’s key to determine the validity and integrity of the received content.

Notary relies on a combination of public key cryptography and a distributed trust model using a collection of online servers called “trust anchors.” These trust anchors store the public keys of image publishers and provide a source of truth for verifying the authenticity of images.

The project also integrates with Docker Content Trust (DCT), which enforces image signature verification during the image pull process. Docker clients can be configured to only pull and run signed images, ensuring the use of trusted images throughout the software supply chain.

Notary is designed to work with any container registry that supports the Docker Registry HTTP API V2, providing flexibility for users to sign and verify images regardless of the underlying registry implementation.

Notary Architecture

Example client-server-signer interaction

Scenarios notary fit and problems we solve for

Why the Notary Project is unique

Reference

  • https://notaryproject.dev/
  • https://github.com/notaryproject/notary
  • https://github.com/notaryproject/notary/blob/master/docs/service_architecture.md
  • https://www.cncf.io/projects/notary/
  • https://notaryproject.dev/docs/
Rajesh Kumar