Securing delivery of docker images via Docker Notary and Docker Content Trust

1. Introduction to Docker
Notary Service
Anshul Patel
Software Developer at Day
Software Debugger at Night

2. What is Digital Signature?
(Ref: https://www.tutorialspoint.com/cryptography/cryptography_digital_signatures.htm )

3. What and Why Notary?
● Provides high levels of trust over digital content via signatures.
● Ensures that provenance of the digital content.
● Guarantees consistency of digital content in software supply chain.
● Creates, manages, and distributes necessary metadata to ensure the integrity and
freshness of your content.
● Notary is hosted by mighty CNCF (Cloud Native Computing Foundation).
● Notary is implementation of The Update Framework (TUF).

4. But.. Why do we require it?
● Attacker(s) keeps giving you the same update file.
● Attacker(s) provides older insecure update.
● Attacker(s) spoofs the new version of file.
● Attacker(s) compromises the key used to sign these files

5. Notary Service Architecture
● Clients
● Notary Server
● Notary Server DB
● Notary Signer
● Notary Signer DB
(Ref: https://docs.docker.com/notary/service_architecture/#architecture-and-components )

6. Notary Server
● Ensures that any uploaded metadata is valid, signed, and self-consistent.
● Generates the timestamp (and sometimes snapshot) metadata.
● Servers the latest valid metadata for any trusted collection to the clients.

7. Notary Signer
● Stores the private signing keys wrapped and encrypted using Javascript
Object Signing and Encryption.
● Performs signing operations with the above keys whenever the Notary server
requests.

8. Notary Service HA
(Ref:
https://docs.docker.com/notary/running_a_service/#rel
ated-information)

9. What and Why Docker Content Trust?
● Part of Docker Daemon Engine.
● Trust is enabled via integration of Notary into Docker Engine.
● When images are pushed to a repository, they are signed with private keys
held by the content publisher.
● When a user interacts with the image for the first time, they establish trust
with that publisher and then all subsequent interactions require a valid
signature verification from that same publisher.
● Protects from image forgery, replay attacks, key compromise.
(Ref: https://blog.docker.com/2015/08/content-trust-docker-1-8/)

10. Docker Content Trust
(Ref: https://blog.docker.com/2015/08/content-trust-docker-1-8/)

11. Key Keys (Pun Intended) for Docker Content Trust
● The Tagging Key:
○ Generated for each new repository the publisher owns.
○ Exported and shared with any person/system that needs the ability to sign content for this
repository.
● The Offline/Root Key:
○ Most import key, forms trust of your repository.
○ Different repositories can use the same Offline key.
○ Required for creating a new repository key or rotating an existing key.
○ Should be kept offline for security.

12. Who uses Notary?
● Cloudflare
● Kolide
● IBM
● Docker Hub
● Compatible with Artifactory
● Financial, Telecom and Healthcare Enterprises.

13. Demo

14. Thanks and Questions ?
Resource: https://gitlab.com/anshulpatel25/notary-meetup