2. What is Digital Signature?
(Ref: https://www.tutorialspoint.com/cryptography/cryptography_digital_signatures.htm )
3. What and Why Notary?
● Provides high levels of trust over digital content via signatures.
● Ensures that provenance of the digital content.
● Guarantees consistency of digital content in software supply chain.
● Creates, manages, and distributes necessary metadata to ensure the integrity and
freshness of your content.
● Notary is hosted by mighty CNCF (Cloud Native Computing Foundation).
● Notary is implementation of The Update Framework (TUF).
4. But.. Why do we require it?
● Attacker(s) keeps giving you the same update file.
● Attacker(s) provides older insecure update.
● Attacker(s) spoofs the new version of file.
● Attacker(s) compromises the key used to sign these files
5. Notary Service Architecture
● Clients
● Notary Server
● Notary Server DB
● Notary Signer
● Notary Signer DB
(Ref: https://docs.docker.com/notary/service_architecture/#architecture-and-components )
6. Notary Server
● Ensures that any uploaded metadata is valid, signed, and self-consistent.
● Generates the timestamp (and sometimes snapshot) metadata.
● Servers the latest valid metadata for any trusted collection to the clients.
7. Notary Signer
● Stores the private signing keys wrapped and encrypted using Javascript
Object Signing and Encryption.
● Performs signing operations with the above keys whenever the Notary server
requests.
9. What and Why Docker Content Trust?
● Part of Docker Daemon Engine.
● Trust is enabled via integration of Notary into Docker Engine.
● When images are pushed to a repository, they are signed with private keys
held by the content publisher.
● When a user interacts with the image for the first time, they establish trust
with that publisher and then all subsequent interactions require a valid
signature verification from that same publisher.
● Protects from image forgery, replay attacks, key compromise.
(Ref: https://blog.docker.com/2015/08/content-trust-docker-1-8/)
11. Key Keys (Pun Intended) for Docker Content Trust
● The Tagging Key:
○ Generated for each new repository the publisher owns.
○ Exported and shared with any person/system that needs the ability to sign content for this
repository.
● The Offline/Root Key:
○ Most import key, forms trust of your repository.
○ Different repositories can use the same Offline key.
○ Required for creating a new repository key or rotating an existing key.
○ Should be kept offline for security.
12. Who uses Notary?
● Cloudflare
● Kolide
● IBM
● Docker Hub
● Compatible with Artifactory
● Financial, Telecom and Healthcare Enterprises.