Getting Started with Notary

Josh Duffney - Sep 23 '22 - - Dev Community

In this tutorial, you'll learn how to sign a Docker image using Notary.

Notary is a CNCF project that allows anyone to have trust over arbitrary collections of data. By using a pair of private and public keys Notary can sign and verify digital artifacts stored in OCI (Open Container Initiative) compliant registries such as container images, a software bill of materials, or scan results. Once signed those artifacts can be promoted across different OCI registries without losing trust in the integrity of the artifact.

Using Notary reduces your chances of introducing compromised artifacts into your environments.

Prerequisites

Setup the local container registry

Before you can begin, you'll need a container registry to push and pull images to and from.

Distribution is an Open-Source registry that supports storing container images using the OCI distribution specification. It provides a simple, secure, and scalable private registry perfect for demonstrating Notary.

Run the following command to start a local instance of a Distribution:

docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v0.0.3-alpha
Enter fullscreen mode Exit fullscreen mode

Build and push a container image

Once you have the Distribution registry up and running, your next step is to build and then push an image to it.

Run the following commands to build and push an image to the registry:

docker build -t localhost:5000/net-monitor:v1 https://github.com/wabbit-networks/net-monitor.git#main
Enter fullscreen mode Exit fullscreen mode

NOTE: You can use any Docker image, but if you don't have one in mind feel free to use the wabbit-networks/net-monitor image.

Install Notation

Notary is the CNCF project name and is often referenced when referring to the process of signing digital artifacts, but Notation is the command line tool that does the heavy lifting. Run the following commands to install Notation.

Download the release files.

curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v0.10.0-alpha.3/notation_0.10.0-alpha.3_linux_amd64.tar.gz
Enter fullscreen mode Exit fullscreen mode

Extract the binary

[ -d ~/bin ] || mkdir ~/bin
tar xvzf notation.tar.gz -C ~/bin notation
Enter fullscreen mode Exit fullscreen mode

Add ~/bin to the PATH variable

export PATH="$HOME/bin:$PATH"
Enter fullscreen mode Exit fullscreen mode

Notation is likely to be made available with normal package managers after it's RC release.

Generate a certificate

Without a certificate Notation doesn't have a way to create new signatures or verify existing ones. And while Notation supports adding existing certificates, it also has a helper command that will generate a new local certificate for you.

Run the following command to generate a new local certificate:

notation cert generate-test --default "wabbit-networks.io"
Enter fullscreen mode Exit fullscreen mode

Using the notation cert genereate-test command automatically adds the key to the certificate to Notation to use for signing, but not the public key of the certificate.

Sign a container image

Now that you have a container image and a certificate to sign with, all that's left is to sign the container image stored on the registry.

Run the following command to sing the image:

notation sign --plain-http localhost:5000/net-monitor:v1
Enter fullscreen mode Exit fullscreen mode

To list all the signatures for the image, use the notation list command.

notation list --plain-http localhost:5000/net-monitor:v1
Enter fullscreen mode Exit fullscreen mode

NOTE: --plain-http is used to access the registry with plain HTTP, by passing the need to provide a username and password or other authentication.

Verify the signature

The notation verify command, as the name implies, verifies OCI artifacts by using the public key of the certificate to ensure the artifact hasn't been modified.

Before you can run the verify command, you'll need to add the public key of the certificate to your Notation configuration.

Run the following command to add the public key:

notation cert add --name "wabbit-networks.io" ~/.config/notation/localkeys/wabbit-networks.io.crt
Enter fullscreen mode Exit fullscreen mode

By default, the notation cert genereate-test command stores the certificates under ~/.config/notation/localkeys.

Next, run the following commands to verify your container image:

notation verify --plain-http localhost:5000/net-monitor:v1
Enter fullscreen mode Exit fullscreen mode

Next steps

To learn more about the Notary, check out the Notary Project on GitHub.

Image
Chamadas HTTP mais Simples com Refit

csharp, dotnet, braziliandevs
Image
Is Tech Burnout Holding You Back? Here's How to Bounce Back

mentalhealth, productivity, habit, growthmindset
Image
Cloud Security And Privacy: Best Practices To Mitigate The Risks

devsecops, security, cloudsecurity
Image
Proxmox Backup by NAKIVO: The Ultimate Solution for VM Data Protection

vm, proxmox, backup, dataprotection
Image
Insights from building my portfolio with Astro

astro, webdev, frontend, programming
Image
Wonder Wallets: Your Gateway to Web3 Magic

web3, cryptocurrency, blockchain, wecoded
Image
Ayurvedic Syrup for UTI Relief: A Step-by-Step Guide to Natural Healing
Image
Cache Eviction Policies | System Design

systemdesignwithzeeshanali
Image
How To Choose The Right Fabric Cream Corner Sofa On The Internet
Image
5 Things Everyone Gets Wrong Regarding Repair Bifold Door Top Roller
Image
Using Dependabot without triggering Workflow runs on default branch

github, dependabot, devops
Image
Kreatywne kanapy: Jak wybrać idealne miejsce na relaks w twoim domu
Image
A secure authentication in nodejs with mongodb database.

node, mongodb, javascript, express
Image
The Reason Why Asbestos Claims After Death Will Be Everyone's Desire In 2023
Image
Hal yang Harus Dicegah Saat Main Judi Online Bola
Image
Teknik Untung Taruhan Judi Online Buat Pemula
Image
5 Things That Everyone Is Misinformed About In Regards To Spare Van Keys
Image
Why Nobody Cares About Asbestos Claims Lawyers
Image
Why All The Fuss Over Fabric Cream Corner Sofa?
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player