NOTARY-V2-OCI
Notary V2 Notation OCI image signing keys-based.
Définition
Notary V2 / Notation features : (1) Signing : notation sign command, uses CA-issued X509 certificates (Azure Key Vault, AWS KMS, Google KMS, HashiCorp Vault, files), produces COSE_Sign1 ou JWS signature, attaches OCI Artifact alongside image via OCI Distribution Spec referrers API. (2) Verification : notation verify command, validates signature against trust policy (.trust-policy.json) defining trusted CAs + trusted identities. (3) Trust Policy : JSON config specifying trusted identities (registry-scoped, repository-scoped, global). (4) Signature formats : COSE Sign1 (default), JWS (legacy). (5) Plugins : KMS signing plugins extensible. Comparison Cosign vs Notation : Cosign keyless OIDC (Public Good Sigstore-managed), Notation keys-based (enterprise PKI managed), recent interoperability efforts via OCI Artifact spec convergence. Adoption : Microsoft Azure Container Registry ACR native Notation support, AWS ECR Pull-through Cache, Docker Hub planning Notation. ~5-10% supply chain signing 2024 (vs ~90% Cosign).
Origine
Notary V1 historic Docker Inc 2015 (CNCF Incubating ferme 2020) ; Notary V2 Working Group CNCF launched 2020 ; rebrand Notation 2022 ; CNCF Sandbox + Incubating ; primary commiters Microsoft Azure, AWS, ByteDance, IBM, etc.
Exemple en contexte
Microsoft Azure Container Registry ACR client signs production container image via Notation : notation sign --signature-format cose mcr.microsoft.com/dotnet:8.0, uses Azure Key Vault for key storage, signature COSE_Sign1 attached to OCI Artifact in ACR ; AKS Kubernetes admission controller policy verifies via notation verify before deployment allow.
Termes liés
- Sigstore Cosign — alternative principale.