How to Use Notary
Notary is a tool for publishing and managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and origin of content. This ability is built on a straightforward key management and signing interface to create signed collections and configure trusted publishers
With Notary anyone can provide trust over arbitrary collections of data. Using The Update Framework (TUF) as the underlying security framework, Notary takes care of the operations necessary to create, manage, and distribute the metadata necessary to ensure the integrity and freshness of your content. To fully understand the content of this blogpost please read carefully these docs: Getting Started with Notary and Use Notary
Note: Notary Server, Notary Signer and Notary DB should be installed first!
Setup:
You should enable docker content trust, It can be done via setting environment variables:
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://<ip-address-of-your-server>
Note that you will not be able to pull images from docker hub until DOCKER_CONTENT_TRUST equals 1
Example:
[root@harbor:~] docker pull busybox
Using default tag: latest
Error: error contacting notary server: received unexpected HTTP status: 500 Internal Server Error
[root@harbor:~] export DOCKER_CONTENT_TRUST=0
[root@harbor:~] docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
03b1be98f3f9: Pull complete
Digest: sha256:3e8fa85ddfef1af9ca85a5cfb714148956984e02f00bec3f7f49d3925a91e0e7
Status: Downloaded newer image for busybox:latest
Usage:
OK, let’s try to test Notary now. First let’s try to pull an unsigned image:
[root@harbor:~] docker pull harbor-test.com/library/opensuse:42.2
No trust data for 42.2
So with DOCKER_CONTENT_TRUST equals 1 we cannot pull the unsigned images anymore.
Now let’s try to sign the image and push it into our repository
[root@harbor:~] docker push harbor-test.com/library/opensuse:42.2
The push refers to a repository [harbor-test.com/library/opensuse]
3900d76accd7: Layer already exists
latest: digest: sha256:21cb851fa47050bacac343b3c87d7042f54a804f5b47fcba0be6873ca3d80ed7 size: 529
Signing and pushing trust metadata
Enter passphrase for root key with ID ce3ef53:
Enter passphrase for new repository key with ID 2719e45 (harbor-test.com/library/opensuse):
Repeat passphrase for new repository key with ID 2719e45 (harbor-test.com/library/opensuse):
Finished initializing "harbor-test.com/library/opensuse"
Successfully signed "harbor-test.com/library/opensuse":42.2
The image was successfully signed and pushed. Now anyone from your team can use this image.
[root@harbor:~] docker pull harbor-test.com/library/opensuse:42.2
Pull (1 of 1): harbor-test.com/library/opensuse:42.2@sha256:b4c4061fd2c55a90735232852efb1a694b396dd41f4152f761eaa1aece07eb22
sha256:b4c4061fd2c55a90735232852efb1a694b396dd41f4152f761eaa1aece07eb22: Pulling from library/opensuse
0b4bc6c2ad2d: Pull complete
Digest: sha256:b4c4061fd2c55a90735232852efb1a694b396dd41f4152f761eaa1aece07eb22
Status: Downloaded newer image for harbor-test.com/library/opensuse@sha256:b4c4061fd2c55a90735232852efb1a694b396dd41f4152f761eaa1aece07eb22
Tagging harbor-test.com/library/opensuse@sha256:b4c4061fd2c55a90735232852efb1a694b396dd41f4152f761eaa1aece07eb22 as harbor-test.com/library/opensuse:42.2