Introduction to Docker
Software Developer by Day
Software Debugger by Night
What is Digital Signature?
(Ref: https://www.tutorialspoint.com/cryptography/cryptography_digital_signatures.htm )
What and Why Notary?
● Provides high levels of trust over digital content via signatures.
● Ensures the provenance of the digital content.
● Guarantees consistency of digital content in software supply chain.
● Creates, manages, and distributes necessary metadata to ensure the integrity and
freshness of your content.
● Notary is hosted by mighty CNCF (Cloud Native Computing Foundation).
● Notary is an implementation of The Update Framework (TUF).
But... why do we require it?
● Attacker(s) keep serving you the same update file.
● Attacker(s) provide an older, insecure update.
● Attacker(s) spoof a new version of the file.
● Attacker(s) compromise the key used to sign these files.
Notary Service Architecture
● Notary Server
● Notary Server DB
● Notary Signer
● Notary Signer DB
(Ref: https://docs.docker.com/notary/service_architecture/#architecture-and-components )
● Ensures that any uploaded metadata is valid, signed, and self-consistent.
● Generates the timestamp (and sometimes snapshot) metadata.
● Serves the latest valid metadata for any trusted collection to the clients.
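The attacks listed under "why do we require it" and the server's freshness duties above, shown as an added example that is not from these slides or the Notary project: a stdlib-only Python sketch of the checks a TUF-style client applies to timestamp metadata (signature, version, expiry). It assumes an HMAC shared key in place of Notary's real asymmetric signatures, and the metadata documents are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed keys: a shared secret stands in for the timestamp role's signing key.
# Assumption for this example only; Notary uses asymmetric signatures, not HMAC.
TIMESTAMP_KEY = b"constructed-timestamp-key"
ATTACKER_KEY = b"constructed-attacker-key"


def canonical(signed: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(signed: dict, key: bytes) -> dict:
    """Wrap the 'signed' section with a signature over its canonical form."""
    return {"signed": signed, "sig": hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()}


def verify(meta: dict, key: bytes, trusted_version: int, now: datetime):
    """Return None if the metadata is acceptable, else the reason it was rejected."""
    expected = hmac.new(key, canonical(meta["signed"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, meta["sig"]):
        return "bad signature"      # spoofed or tampered metadata
    signed = meta["signed"]
    if signed["version"] < trusted_version:
        return "rollback"           # older (possibly insecure) metadata replayed
    if datetime.fromisoformat(signed["expires"]) <= now:
        return "expired"            # freeze: the same stale metadata served past its lifetime
    return None


def run_scenarios() -> dict:
    """Constructed timestamp documents covering one good case and three attacks."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    trusted_version = 5   # highest version this client has already accepted
    fresh = {"role": "timestamp", "version": 6, "expires": "2024-03-02T00:00:00+00:00"}
    replayed = {"role": "timestamp", "version": 4, "expires": "2024-03-02T00:00:00+00:00"}
    stale = {"role": "timestamp", "version": 6, "expires": "2024-02-01T00:00:00+00:00"}
    return {
        "fresh": verify(sign(fresh, TIMESTAMP_KEY), TIMESTAMP_KEY, trusted_version, now),
        "replayed": verify(sign(replayed, TIMESTAMP_KEY), TIMESTAMP_KEY, trusted_version, now),
        "stale": verify(sign(stale, TIMESTAMP_KEY), TIMESTAMP_KEY, trusted_version, now),
        "tampered": verify(sign(fresh, ATTACKER_KEY), TIMESTAMP_KEY, trusted_version, now),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'accepted' if result is None else 'rejected (' + result + ')'}")
```

The short expiry on timestamp metadata is what turns "keep serving the same file" from a silent problem into a detectable one, which is why the Notary server regenerates it so often.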
Object Signing and Encryption.
● Performs signing operations with the above keys whenever the Notary server
Notary Service HA
What and Why Docker Content Trust?
● Part of the Docker Engine daemon.
● Trust is enabled via integration of Notary into Docker Engine.
● When images are pushed to a repository, they are signed with private keys
held by the content publisher.
● When a user interacts with the image for the first time, they establish trust
with that publisher and then all subsequent interactions require a valid
signature verification from that same publisher.
● Protects from image forgery, replay attacks, key compromise.
Key Keys (Pun Intended) for Docker Content Trust
● The Tagging Key:
○ Generated for each new repository the publisher owns.
○ Exported and shared with any person/system that needs the ability to sign content for this
● The Offline/Root Key:
○ Most important key; it forms the root of trust for your repository.
○ Different repositories can use the same Offline key.
○ Required for creating a new repository key or rotating an existing key.
○ Should be kept offline for security.
Who uses Notary?
● Docker Hub
● Compatible with Artifactory
● Financial, Telecom and Healthcare Enterprises.