Signing Container Images with Notary Project
Key Takeaways
Signs container images using the Notary Project specification and tools
Full Transcript
hey I'm Jeremy Rickard I'm an engineer at Microsoft working on container supply chain security things today we're going to talk to toddy about some really cool Technologies from the notary project that can help you sign container images and be a little bit more secure stay tuned for more information [Music] hey toddy we're using a project that I think is called the notary project to sign our containers as part of our build processes can you tell us exactly what that project is and how it works uh sure so uh notary project actually was created quite a while ago so I get I joined the community about a year ago but it is much older so it was initiated around I believe 2017. that's when kind of the uh it got created in GitHub and it was related to kind of the original dev-based notary implementation and Docker content trust so that's how it started however there were certain challenges with kind of the original Turf based implementation and the biggest challenge was that you can not sign images and copy them to another register right so your signatures are tied to the registry where the container images are currently stored uh I believe couple of years after that folks decided that we they need to make that more flexible and and the goal was to create actually a specification for the signatures that can be used between different tools so notary will not be the only one signing those container images and also allow that for example these signatures can be portable between registries um and there were kind of some discussions quite working on the specifications so when I joined last year actually there was a lot of progress made on that and for the last year we managed to not only complete the specification but also get a reference implementation in the form of CLI called notation as well as we have notation libraries that can be used by other open source tools or proprietary vendor tools to actually create signatures that comply with the specification so I actually use the old version or the previous version I guess of the notary project and it had a lot of components it was kind of complicated to use is that the case with this version too no with this version actually is very simple and I'll be happy to demo that uh how you can go and sign an image container image very easily with uh denotation CLI that sounds pretty exciting before we see the demo though is this just a Microsoft Project who else is working on this open source generally has a lot of different people coming in no no so uh notary project is right now the big companies that are collaborating on that are Microsoft AWS or Amazon and Docker but of course we have uh people from other companies and external contributors that are very interested in that we have for example folks from uh venify who are interested to implement plugins for notation and we can talk about that maybe later on we have also smaller companies that are interested to sign their their images we are collaborating with also which is one of the registry vendors so it's not only Microsoft so there are many more participants in the community that's really cool I love the community aspect that you just highlighted on there this all sounds really cool can you show us a demo how this works oh yeah certainly so uh let me switch to um my my screen so uh the first thing I will start is I'll set some environment variables because I don't like uh kind of typing so much so what I'm gonna do is I have a test repository in GitHub container registry uh and I have a image there which has the demo V1 tag and I'll set the environment variable for the uh notation location on my machines uh this is on the Mac and it's in the library application support so um the next thing that I will do is let's see what I have available once again the test image we use a tool called auras to go and actually browse information in the repository so what auras will do is we'll go and actually pull the viable tax for the test image I have notation installed and I have a rc7 which is the pre-release version and I'll show that I don't have any Keys configured to to do a signing so what we will go through is we'll go through how can I uh create a very simple signing key column can actually sign an image and how I can verify this image okay any any questions or should I go get started with that well I have a quick question you're using github's container registry that's that's pretty neat does this work on a lot of other registries can I could I use this on a registry that I'm hosting and maybe my air gap cloud uh of course you can use it as long as the registry is also LCI 1.0 compliant okay so if it is one zero compliant then you can you can use that okay uh let's uh go ahead and actually uh generate the test key so I'll generate a test key this is our first first run experience uh the test key is called wabbit networks so uh that's uh fictitious brand that we use uh there is a convenient command that you can use in notation just to generate the test key and together with the test key it also generates a certificate so when I run the command generates the key you can see that now I have the key available so this is the key that I generated it is set as the default key and you can find it on your local machine now uh what are the discussion here so this experience is only for for testing uh notation right we do not recommend using the test key actually to assign your production images we can go through the production experience later on but this is how you can very easily get started with notation CLI as I said together with the test key there is also a certificate created that can be used to verify the images that you are signing so once you do that the only thing you need to do is you need to say notation sign you can choose the signature format we support two different signature formats one is the Cozy and the other one is jws uh both of course have uh different applications and you can choose between those uh the Cozy one we're looking at more kind of a broader application on this type of signatures like for example course is developed for iot workloads and it's very uh performant and efficient format so the only thing you need to do after you have the test key and the testing uh certificate you need to also sign it right once I do that the image that is in GitHub container registry is already signed so I can list this you can see that this is the image we always identify the image by its digest and this is the signature that is attached to the image after we do the signing so any questions so far or we can go and actually look at the verification how we can do the verification I want to see the verification let's go okay uh the one thing that you need to do before you do a verification is you need to create a trust policy so in this trust policy you specify uh what exactly do you trust right then because this is my kind of first first run experience with notation I'll just create a simple transport receipt that I will trust my uh test key uh the trust policy is a simple Json file that needs to be put in the location where notation is and as I mentioned so it has the trust policy name uh it specifies which repository this transparency applies to and you can put more than one repository here right so if you want your uh the key that you are signing to be trusted for multiple repositories you can actually put them here and also specifies which certificate is trusted so once I create this trust policy I can just run notation verify the image and you will receive that this is successfully verified so that is how simple it is to actually sign and verify images using the notation CLI that's really cool it didn't seem like there were a lot of moving Parts there could I maybe have different policies for different registries you said you could have multiple Registries for that policy if I wanted to have a different start for different ones can I do that yeah certainly so the trust policies you can have as many threat policies as you want and you can have more let's say your test uh registry your production registry your development registry you can create different press policies and you can use different keys to sign the images that actually go to these Registries and then respectively verify them on any uh runtime or workloads that you deploy that's really cool I'm I'm excited to learn more about this as we go go a little deeper later on oh certainly I'll be happy to maybe show you how you can do that in production and how you can develop plugins in the future cool that sounds great
Original Description
Join Jeremy Rickard (Azure Container Upstream) and Toddy Mladenov (Azure Cloud Native & Ecosystem) to learn about Notary Project. In this episode, you will about Notary Project specification and tools and how you can sign a container image within seconds.
Notary is an Open-Source project available at http://github.com/notaryproject/notaryproject
For more information, check out these additional resources:
Project : Notary | Signing and verifying artifacts. Safeguarding the software delivery security from development to deployment. (notaryproject.dev)
Project Twitter Account : https://twitter.com/NotaryProject
Project Slack Channel : https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/
Demo scripts: cssc-pipeline/demos/podcasts at development · toddysm/cssc-pipeline (github.com)
📌 Let's connect:
Toddy | https://linkedin.com/in/toddysm
Jeremy R | https://www.linkedin.com/in/jrrickard
Subscribe to the Open at Microsoft: https://aka.ms/OpenAtMicrosoft
Open at Microsoft Playlist: https://aka.ms/OpenAtMicrosoftPlaylist
📅New episode every Tuesday!
00:00:00 Introduction
00:02:30 What's in version 2
00:03:55 Demo - How it works
00:10:00 What's next
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Microsoft Developer · Microsoft Developer · 7 of 60
1
2
3
4
5
6
▶
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Prepare for the DP-300 exam & the Azure Database Administrator Associate cert | Data Exposed
Microsoft Developer
What I Wish I Knew ... about landing a job in tech
Microsoft Developer
Igniting Developer Innovation with Vector Search
Microsoft Developer
Combining the power of vector search with Azure OpenAI then revolutionize image search with vectors!
Microsoft Developer
What I Wish I Knew ... about finding your place in tech
Microsoft Developer
Fluent UI React Insights: Accessible by default
Microsoft Developer
Signing Container Images with Notary Project
Microsoft Developer
What I Wish I Knew ... about finding your place in tech
Microsoft Developer
What programming languages does GitHub Copilot support?
Microsoft Developer
What I Wish I Knew ... about how much your job can change
Microsoft Developer
What I Wish I Knew ... about how much your job can change
Microsoft Developer
How do I become more confident about AI?
Microsoft Developer
How do I become more confident about AI?
Microsoft Developer
Performance Demos of SQL’s Intelligent Query Processing Feedback capabilities | Data Exposed
Microsoft Developer
What I Wish I Knew ... about coming to Microsoft
Microsoft Developer
What I Wish I Knew ... about coming to Microsoft
Microsoft Developer
Revolutionizing Image Search with Vectors
Microsoft Developer
Igniting developer innovation with Vector search and Azure OpenAI
Microsoft Developer
Getting Started with Azure AI Studio's Prompt Flow - Part 2
Microsoft Developer
What I Wish I Knew ... about finding my career path
Microsoft Developer
What I Wish I Knew ... about finding my career path
Microsoft Developer
Windows Terminal's journey to Open Source
Microsoft Developer
Can I trust the code that GitHub Copilot generates?
Microsoft Developer
What I Wish I Knew ... about interviewing
Microsoft Developer
What I Wish I Knew ... about interviewing
Microsoft Developer
What is the Microsoft TechSpark Program?
Microsoft Developer
SQL Server 2022: Accelerate query performance while reducing query compile time - w/ no code changes
Microsoft Developer
What I Wish I Knew ... about discovering computer science
Microsoft Developer
What I Wish I Knew ... about discovering computer science
Microsoft Developer
Call center transcription and analysis using Azure AI
Microsoft Developer
How to use Text Analytics for health in Azure AI Language
Microsoft Developer
Azure OpenAI-powered summarization in Azure AI Language
Microsoft Developer
Accelerate data labeling using Azure OpenAI and Azure AI Language
Microsoft Developer
Building a Private ChatGPT with Azure OpenAI
Microsoft Developer
What I Wish I Knew ... about how to interview
Microsoft Developer
What I Wish I Knew ... about how to interview
Microsoft Developer
Getting Started with Azure AI Studio's Prompt Flow - Part 3
Microsoft Developer
Intelligent Apps with Azure Kubernetes Service (AKS)
Microsoft Developer
Getting Started with Azure Blob Storage | Data Exposed: MVP Edition
Microsoft Developer
Chat + Your Data + Plugins
Microsoft Developer
What I Wish I Knew ... about different career paths
Microsoft Developer
What I Wish I Knew ... about different career paths
Microsoft Developer
Advanced Dev Tunnels Features | OD122
Microsoft Developer
Learn Live - Manage performance and availability in Azure Cosmos DB for PostgreSQL
Microsoft Developer
Plan your SQL Migration to Azure with confidence | Data Exposed
Microsoft Developer
What I Wish I Knew ... about social skills in a tech career
Microsoft Developer
What I Wish I Knew ... about social skills in a tech career
Microsoft Developer
All About Vectors, Search, and Function Calling in Azure OpenAI - Labor Day Special
Microsoft Developer
Introduction to project ORAS
Microsoft Developer
What I Wish I Knew ... about finding the right major
Microsoft Developer
What I Wish I Knew ... about finding the right major
Microsoft Developer
What I Wish I Knew ... about how to approach programming
Microsoft Developer
What I Wish I Knew ... about how to approach programming
Microsoft Developer
Learn Live - Scale from a single node to multiple nodes with Azure Cosmos DB for PostgreSQL
Microsoft Developer
What I Wish I Knew ... about diversity in tech #1
Microsoft Developer
What I Wish I Knew ... about diversity in tech #1
Microsoft Developer
Get started with SQL Server AGs across Windows, Linux and Container Replicas | Data Exposed
Microsoft Developer
Writing LLM Apps with Azure AI and PromptFlow
Microsoft Developer
What I Wish I Knew ... about how cool working in tech could be
Microsoft Developer
Open Source foundation models in Azure Machine Learning & optimization techniques behind the scenes
Microsoft Developer
More on: Docker & Containers
View skill →Related Reads
📰
📰
📰
📰
Cut Memory Store Tests from 3 Hours to 10 Minutes: 18x Efficiency with pytest + Docker
Dev.to · BAOFUFAN
I Vibe-Coded a Feature Into Production. Cleanup Cost More Than Writing It
Medium · DevOps
The Outage Ended. Then RestartSec Synced 400 Services Into One Thundering Herd
Medium · Programming
The Outage Ended. Then RestartSec Synced 400 Services Into One Thundering Herd
Medium · DevOps
Chapters (4)
Introduction
2:30
What's in version 2
3:55
Demo - How it works
10:00
What's next
🎓
Tutor Explanation
DeepCamp AI