Docker Image Signing and Verification with Notation and Harbor #430
base: main
Conversation
Signed-off-by: Anshdeep <[email protected]>
✅ Deploy Preview for notarydev ready!
Thanks @anshdeep0504 I left some comments.
- When a container image is signed using Notation, a cryptographic signature is generated using private keys held securely by the software producer. | ||
- This signature acts as a "seal of trust," ensuring the artifact has not been tampered with and originates from the claimed source. | ||
Notation adheres to industry standards for signing and verification, making it interoperable with various platforms and tools. By using cryptographic algorithms, the tool generates a signature based on the content of the image. |
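Review bot: the second bullet's guarantee ("ensuring the artifact has not been tampered with and originates from the claimed source") only materialises on the consumer side, when the signature is verified against a trusted certificate and a trust policy; signing alone protects nothing. Suggest qualifying it, e.g. "which, once a consumer verifies it against a trusted certificate, shows that the artifact has not been tampered with and originates from the claimed source."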
Notation adheres to industry standards for signing and verification, making it interoperable with various platforms and tools. By using cryptographic algorithms, the tool generates a signature based on the content of the image. | |
Notation adheres to [Notary Project specifications](https://github.com/notaryproject/specifications) for signing and verification, making it interoperable with various platforms and tools. By using cryptographic algorithms, the tool generates a signature based on the [OCI descriptor of the image](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/signature-specification.md#payload). |
Notation adheres to industry standards for signing and verification, making it interoperable with various platforms and tools. By using cryptographic algorithms, the tool generates a signature based on the content of the image. | ||
### Verification Process: | ||
1. During verification, the consumer or deployment system checks the signature against the corresponding public key. |
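Review bot: "checks the signature against the corresponding public key" undersells what Notation does here; verification also evaluates the trust policy for the repository (which trust store applies, which signer identities are trusted, and the verification level), so a valid signature from an unexpected signer still fails. Suggest: "checks the signature against the signer's certificate in its trust store and the trust policy configured for that repository."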
1. During verification, the consumer or deployment system checks the signature against the corresponding public key. | |
1. During verification, the consumer or deployment system checks the signature against the corresponding public key and certificates. |
2. **Signing Images**: | ||
- Producers sign container images before pushing them to the Harbor registry. | ||
- The cryptographic signature is attached to the image metadata. |
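Review bot: "attached to the image metadata" misdescribes where the signature lives; it is pushed as a separate OCI artifact that references the image manifest by digest (as the later review comment says, signatures are stored in Harbor referring to the container images), so the image's own digest and manifest are unchanged. Suggest: "The signature is stored in the registry as a separate artifact that references the image by digest."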
- The cryptographic signature is attached to the image metadata. | |
- The cryptographic signature is attached to the image as image metadata. |
# Signing and Verifying Docker Images with Notation and Harbor | ||
## Why is it Important? |
I think the former part of this document already describes the importance of signing and verification. It is not necessary to repeat it.
--- | ||
## Setting Up Harbor with HTTPS Domain Configuration |
I would suggest adding a link to Harbor's documentation on setting up Harbor, as this document should focus on signing with Notation, how signatures are stored in Harbor referring to the container images, verifying images, and what is special about Harbor policies.
```bash | ||
notation inspect $IMAGE | ||
``` | ||
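Review bot: `notation inspect $IMAGE` only lists the signatures and their signing certificates; it does not evaluate trust, so this snippet cannot stand in for the verification step the section is about. Suggest showing `notation verify $IMAGE` (with the trust policy and trust store set up beforehand) as the step that actually accepts or rejects the image, and keeping `inspect` as an optional way to look at the signature afterwards.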
I would recommend adding a link to the Harbor documentation on how to view Notary Project signatures from the Harbor portal, and how Harbor can enable the configuration so that unsigned images cannot be pulled. See https://goharbor.io/docs/main/working-with-projects/project-configuration/implementing-content-trust/#enforce-content-trust, and this is the guide from Harbor on using Notation: https://goharbor.io/docs/main/working-with-projects/working-with-images/sign-images/#use-notation-to-sign-and-verify-artifacts-with-distribution-spec-v11-mode
Signed-off-by: Anshdeep singh <[email protected]>
@yizha1 I have updated the file as requested. Let me know if any further changes are needed.
@anshdeep0504 Would you mind marking those open comments as resolved?
This PR provides comprehensive documentation on signing and verifying Docker images using Notation and Harbor, addressing Issue #366. The aim is to guide developers through the process of securing container images by signing them cryptographically and ensuring their authenticity before deployment.
Key Contributions:
Elaborated Documentation: The documentation clearly explains the process of signing Docker images using Notation, detailing the steps involved in generating cryptographic keys, signing images, and integrating them with Harbor for secure image management.
Simplified Setup Process: By breaking down complex concepts and processes, the doc provides easy-to-follow instructions, making it accessible even to developers unfamiliar with image signing and content trust. This enables new developers to understand the importance of securing container images and implement the process effectively.
Clarification of Core Concepts: The doc elaborates on the key components involved, including what Docker images, Notation, and Harbor are, and how they work together to create a trusted, tamper-proof image distribution pipeline. This helps bridge the knowledge gap and empowers developers to implement best practices for securing containerized applications.
Best Practices: Detailed guidance on setting up Harbor with HTTPS, configuring trust policies, and using Notation to sign and verify Docker images ensures that developers follow secure practices for managing container images in production.
This documentation resolves Issue #366 by providing clear and thorough guidance on how to sign and verify Docker images, enhancing security and ensuring the integrity of the software supply chain. The resource will help both new and experienced developers implement image signing and verification in their workflows, ensuring a secure deployment process.
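The PR description mentions configuring trust policies before verification. As an added example (not code from this PR or from the Notation project), here is a small lint for the trust policy document that `notation verify` consults, written from the Notary Project trust policy rules; it separates hard format errors from settings that weaken verification (an `audit` level, a `*` trusted identity). The registry, trust store and certificate subject names are constructed placeholders.

```python
LEVELS = {"strict", "permissive", "audit", "skip"}
STORE_TYPES = {"ca", "signingAuthority", "tsa"}  # trust store reference prefixes

def lint_trust_policy(doc: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors make the document invalid, warnings flag
    settings under which an unexpected signer or a failed check would still pass."""
    errors, warnings, wildcard_used = [], [], False
    for p in doc.get("trustPolicies") or []:
        name = p.get("name") or "<unnamed>"
        scopes = p.get("registryScopes") or []
        if not scopes:
            errors.append(f"{name}: registryScopes must not be empty")
        if "*" in scopes:  # matches every repository; must stand alone, used once
            if len(scopes) > 1 or wildcard_used:
                errors.append(f"{name}: '*' must be the only scope of one policy")
            wildcard_used = True
        level = (p.get("signatureVerification") or {}).get("level")
        if level not in LEVELS:
            errors.append(f"{name}: unknown verification level {level!r}")
        if level == "skip":
            warnings.append(f"{name}: 'skip' disables verification for its scopes")
            continue  # skip policies carry no trust stores or identities
        if level in ("audit", "permissive"):
            warnings.append(f"{name}: '{level}' logs some failures instead of rejecting")
        stores = p.get("trustStores") or []
        if not stores:
            errors.append(f"{name}: trustStores required unless level is 'skip'")
        for s in stores:
            kind, _, store_name = s.partition(":")
            if kind not in STORE_TYPES or not store_name:
                errors.append(f"{name}: malformed trust store reference {s!r}")
        idents = p.get("trustedIdentities") or []
        if not idents:
            errors.append(f"{name}: trustedIdentities required unless level is 'skip'")
        elif "*" in idents:
            if len(idents) > 1:
                errors.append(f"{name}: '*' must be the only trusted identity")
            warnings.append(f"{name}: '*' trusts any certificate in the trust store")
        elif not all(i.startswith("x509.subject:") for i in idents):
            errors.append(f"{name}: identities must be 'x509.subject: <DN>'")
    return errors, warnings

# Constructed samples (placeholder names): a lax policy and a hardened one.
LAX = {"version": "1.0", "trustPolicies": [{"name": "harbor-any",
    "registryScopes": ["*"], "signatureVerification": {"level": "audit"},
    "trustStores": ["ca:harbor-ci"], "trustedIdentities": ["*"]}]}
STRICT = {"version": "1.0", "trustPolicies": [{"name": "harbor-prod",
    "registryScopes": ["harbor.example.test/library/app"],
    "signatureVerification": {"level": "strict"}, "trustStores": ["ca:harbor-ci"],
    "trustedIdentities": ["x509.subject: CN=ci-signer,O=Example,C=US"]}]}
```

Run `lint_trust_policy` on the JSON you intend to pass to `notation policy import`; an empty warnings list means every scoped repository is verified at `strict` level against a pinned signer identity.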