Top 50 FAQs for Notary

1. What is Notary?

Notary is an open-source project, hosted by the CNCF, that implements The Update Framework (TUF) for signing and verifying collections of content. Its best-known use is signing container image tags so that a client can check that the manifest it pulls from a registry is the one a publisher signed.

2. Why is image signing important in containerization?

Image signing ensures that the content of container images has not been tampered with, providing a level of trust and security in the software supply chain.

3. How does Notary work?

Notary keeps TUF metadata for each repository (identified by a Globally Unique Name, or GUN) on a Notary server. A publisher signs targets metadata that maps each tag to the SHA-256 digest and byte length of the image manifest. A client fetches that metadata, checks its signatures against keys it already trusts, and then compares the manifest it pulls from the registry against the signed digest before using the image.

4. What is the role of content trust in Notary?

Docker Content Trust (DCT) is the Docker feature built on top of Notary. When DOCKER_CONTENT_TRUST=1 is set, docker pull, docker run, docker build and similar commands resolve a tag through Notary and refuse to use a tag that has no valid signature, and docker push signs the tag being pushed.

5. Can Notary be used with any container registry?

Notary is registry-agnostic in the sense that the registry stores the image while a separate Notary server stores the trust data, so any registry can be used as long as the client can reach a Notary server for it. In practice it is deployed alongside registries that integrate it, such as Docker Hub and Harbor, or run as a standalone notary-server and notary-signer pair that the client is pointed at.

6. How does Notary integrate with Docker?

Docker Content Trust is implemented with an embedded Notary client: the docker CLI fetches and verifies Notary metadata on trusted pulls, signs on trusted pushes, and the docker trust subcommands (sign, inspect, revoke, key, signer) manage Notary keys and signatures.

7. Can Notary be used in environments with air-gapped or restricted network access?

Yes. Notary does not need internet access, only a Notary server the client can reach, and that server can run inside the restricted network. Signing keys never leave the signer's machine, and the notary CLI stages changes locally (notary add) and uploads them only when notary publish is run, so metadata can be prepared on one machine and published from another that has access to the server.

8. What cryptographic mechanisms does Notary use for image signing?

Notary's default signing keys are ECDSA on the P-256 curve; the TUF metadata format it uses also accepts Ed25519 and RSA keys. Signed content is identified by SHA-256 digests (SHA-512 can be recorded as well), and each metadata file is signed JSON in TUF's format.

9. How can I sign a container image using Notary?

With Docker Content Trust, docker push with DOCKER_CONTENT_TRUST=1 signs the tag being pushed, and docker trust sign <image:tag> signs a tag that is already in the registry. With the Notary CLI the equivalent is notary add <GUN> <tag> <manifest-file> followed by notary publish <GUN>. The first time a repository is signed, the root key (created once per user) and a per-repository targets key are generated and you are prompted for their passphrases.

10. How do I verify the authenticity of a signed container image with Notary?

Verification is automatic when DOCKER_CONTENT_TRUST=1 is set: docker pull resolves the tag through Notary and fails if no valid signature exists. To inspect trust data without pulling, run docker trust inspect --pretty <image:tag>, which lists the signed tags, their digests and the signing keys; with the Notary CLI, notary list <GUN> shows the signed targets and notary verify <GUN> <tag> checks content read from standard input against the signed digest.

11. Can Notary signatures be revoked?

Notary has no per-signature revocation list. To withdraw trust in a tag, the publisher removes the target and publishes new metadata (docker trust revoke <image:tag>, or notary remove <GUN> <tag> followed by notary publish); clients that refresh then see the tag as unsigned. To withdraw trust in a key, the publisher rotates it (see question 15).

12. What happens if a signed image is modified or tampered with?

If the image content changes, the manifest digest no longer matches the digest recorded in the signed targets metadata. A content-trust-enabled pull therefore fails and the image is treated as untrusted; the attacker cannot fix the metadata without the targets private key.
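The check described in questions 3, 10 and 12 (verify the targets metadata, look up the tag, compare the pulled manifest against the signed digest), as an added example in Go. This is illustration code, not Notary's own implementation: it uses ECDSA P-256 like Notary but hashes Go's deterministic JSON encoding instead of Notary's canonical JSON, models only the targets role, and the manifest bytes are constructed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Target is one targets entry: length and sha256 of the manifest a tag names.
type Target struct {
	Length int               `json:"length"`
	Hashes map[string]string `json:"hashes"` // "sha256" -> hex digest
}

// Targets is the signed body of the targets role for one repository (GUN);
// each tag is its own entry, so signing one tag says nothing about another.
type Targets struct {
	Version int               `json:"version"`
	Targets map[string]Target `json:"targets"` // must be initialized by the caller
}

// SignedTargets is the body plus a DER-encoded ECDSA signature over it.
type SignedTargets struct {
	Signed    Targets
	Signature []byte
}

// GenerateKey creates an ECDSA P-256 key, Notary's default key type.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// AddTag records the length and sha256 of a manifest under a tag.
func AddTag(t *Targets, tag string, manifest []byte) {
	sum := sha256.Sum256(manifest)
	t.Targets[tag] = Target{Length: len(manifest), Hashes: map[string]string{"sha256": hex.EncodeToString(sum[:])}}
}

// bodyHash stands in for hashing Notary's canonical JSON: encoding/json writes
// struct fields in order and map keys sorted, so a body always serializes the
// same way (marshalling these plain structs cannot fail).
func bodyHash(t Targets) []byte {
	body, _ := json.Marshal(t)
	h := sha256.Sum256(body)
	return h[:]
}

// Sign signs the body hash with the targets private key.
func Sign(priv *ecdsa.PrivateKey, t Targets) (SignedTargets, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, bodyHash(t))
	return SignedTargets{Signed: t, Signature: sig}, err
}

// Verify checks the signature with the targets public key the client trusts
// (in Notary that key is the one the repository's root metadata authorizes).
func Verify(pub *ecdsa.PublicKey, s SignedTargets) error {
	if !ecdsa.VerifyASN1(pub, bodyHash(s.Signed), s.Signature) {
		return fmt.Errorf("targets metadata signature invalid")
	}
	return nil
}

// ResolveTag does what a content-trust-enabled pull does: verify the metadata,
// look the tag up, and check the manifest the registry returned against the
// signed length and digest. On success it returns the trusted digest.
func ResolveTag(pub *ecdsa.PublicKey, s SignedTargets, tag string, manifest []byte) (string, error) {
	if err := Verify(pub, s); err != nil {
		return "", err
	}
	want, ok := s.Signed.Targets[tag]
	if !ok {
		return "", fmt.Errorf("tag %q has no trust data", tag)
	}
	sum := sha256.Sum256(manifest)
	got := hex.EncodeToString(sum[:])
	if len(manifest) != want.Length || got != want.Hashes["sha256"] {
		return "", fmt.Errorf("tag %q: manifest %s does not match signed %s", tag, got, want.Hashes["sha256"])
	}
	return got, nil
}

func main() {
	priv, _ := GenerateKey()
	manifest := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:aaaa"}]}`) // constructed sample
	t := Targets{Version: 1, Targets: map[string]Target{}}
	AddTag(&t, "1.0", manifest)
	signed, _ := Sign(priv, t)
	fmt.Println(ResolveTag(&priv.PublicKey, signed, "1.0", manifest))            // digest, <nil>
	fmt.Println(ResolveTag(&priv.PublicKey, signed, "1.0", []byte("{tampered}"))) // "", mismatch error
	fmt.Println(ResolveTag(&priv.PublicKey, signed, "latest", manifest))         // "", no trust data
}
```

The third call is the point of question 49 as well: "latest" was never added to the targets metadata, so it fails even though the same manifest is signed under "1.0".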

13. Can Notary be used for multi-platform image signing?

Yes. For a multi-architecture image the tag points to a manifest list, and Notary signs the digest of that manifest list. The list names each per-platform manifest by digest, so one signature covers every platform the list contains.

14. How does Notary handle image promotion across environments?

Notary does not promote images itself, and its trust data is bound to the repository name (GUN) and tag. An image copied to a repository with a different name must be signed again there; what carries across environments unchanged is the manifest digest, which a promotion pipeline can verify against the source repository's trust data before it re-signs in the destination.

15. Does Notary support key rotation?

Yes. notary key rotate <GUN> <role> generates a new key for the root, targets, snapshot or timestamp role (-r asks the server to manage the new snapshot or timestamp key), and the next notary publish ships a new root that lists the replacement key. Rotating a non-root key only needs the root key; rotating the root key produces a root signed by both the old and the new root key so that existing clients accept it.

16. Can Notary be used with Kubernetes?

Yes, through an admission controller such as Portieris or Connaisseur that resolves each pod's image tags against Notary and rejects unsigned ones. Kubernetes itself, and the container runtimes it drives, have no built-in content-trust check.

17. What is the role of the “root key” in Notary?

The root key signs the root metadata, which lists the public keys (and signing thresholds) for the root, targets, snapshot and timestamp roles. Every other signature in the repository is trusted only because root vouches for the key that made it, so the root key should be kept offline and used only to initialize a repository or rotate role keys.

18. How does Notary handle key management?

Notary follows the TUF role hierarchy. Root authorizes the keys of the other roles; targets signs the tag-to-digest mapping and can delegate subsets of tags to other keys (delegation roles such as targets/releases); snapshot records the current version of every metadata file; and timestamp, whose key is normally held by the Notary server, attests that the snapshot is fresh. Docker Content Trust keeps the root key and a per-repository targets key on the client and lets the server manage the snapshot and timestamp keys.

19. Can Notary signatures be timestamped?

Not in the sense of a trusted timestamp proving when a signature was made. Notary's timestamp role signs a short-lived statement (14 days by default) covering the current snapshot and re-signs it on publish and as it nears expiry; clients reject expired timestamp metadata. That defends against a server or mirror replaying old, still-signed metadata to hide a newer release, not against disputes about signing time.

20. How does Notary address the “supply chain attack” problem in containerization?

Notary mitigates one class of supply chain attack: substitution of or tampering with image content between publisher and consumer, including by a compromised registry. It does not attest to how an image was built or what it contains, so it is complemented by build provenance and vulnerability scanning rather than replacing them.

21. What is the difference between Notary and The Update Framework (TUF)?

TUF is a specification for securely distributing updates (role hierarchy, key rotation, freshness and rollback protection); Notary is an implementation of that specification packaged as a server, a signer service and a client, with container image tags as its primary target type.

22. Can Notary be used in conjunction with other container security tools?

Yes. Notary only answers whether a tag was signed by keys the client trusts. Vulnerability scanners, policy engines and admission controllers are separate tools and are typically chained with it so that an image must be both signed and policy-compliant before it runs.

23. How does Notary handle key compromise scenarios?

Which key was compromised determines the response. A compromised targets, snapshot or timestamp key is rotated with notary key rotate, and the new root listing the replacement key is signed by the root key and published; clients pick it up on their next refresh and stop accepting the old key. A compromised root key requires rotating root itself: the new root is signed by both the old and the new root key so existing clients accept the change, after which the old key is no longer authorized.
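The key hierarchy and rotation from questions 15, 17, 18 and 23, as an added example in Go (illustration code written for this page, not Notary's). It models only the authorization side of root metadata: which key IDs may sign each role and how many must sign. Key IDs are sha256 over raw key bytes here, a simplification of the canonical-JSON hash Notary uses, and the key material is constructed strings rather than real keys; signature checking is left to the targets example above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PublicKey is a role key as listed in root metadata.
type PublicKey struct {
	KeyType string
	Bytes   []byte
}

// ID derives the key identifier. Simplified: Notary hashes the canonical JSON
// encoding of the key, not the raw bytes.
func (k PublicKey) ID() string {
	sum := sha256.Sum256(k.Bytes)
	return hex.EncodeToString(sum[:])
}

// Role lists which key IDs may sign a role and how many of them must sign.
type Role struct {
	KeyIDs    []string
	Threshold int
}

// Root is the signed body of root metadata: the registry of role keys. The
// root key signs it, which is why root anchors the whole chain of trust.
type Root struct {
	Version int
	Keys    map[string]PublicKey // key ID -> key
	Roles   map[string]Role      // "root", "targets", "snapshot", "timestamp"
}

// NewRoot builds version 1 of a repository's root with one key per role
// (this model assumes keys are not shared between roles).
func NewRoot(root, targets, snapshot, timestamp PublicKey) *Root {
	r := &Root{Version: 1, Keys: map[string]PublicKey{}, Roles: map[string]Role{}}
	for name, k := range map[string]PublicKey{"root": root, "targets": targets, "snapshot": snapshot, "timestamp": timestamp} {
		r.Keys[k.ID()] = k
		r.Roles[name] = Role{KeyIDs: []string{k.ID()}, Threshold: 1}
	}
	return r
}

// Authorized reports whether signatures from the given key IDs satisfy a
// role's threshold. Keys not listed for the role are ignored, which is how a
// rotated-out (or never-authorized) key loses trust.
func (r *Root) Authorized(role string, signedBy []string) (bool, error) {
	ro, ok := r.Roles[role]
	if !ok {
		return false, fmt.Errorf("unknown role %q", role)
	}
	allowed := map[string]bool{}
	for _, id := range ro.KeyIDs {
		allowed[id] = true
	}
	seen := map[string]bool{}
	for _, id := range signedBy {
		if allowed[id] {
			seen[id] = true
		}
	}
	return len(seen) >= ro.Threshold, nil
}

// Rotate replaces a role's keys with newKey and bumps the root version; the
// new root must then be signed by the root key and published, which is the
// effect of notary key rotate followed by notary publish.
func (r *Root) Rotate(role string, newKey PublicKey) error {
	ro, ok := r.Roles[role]
	if !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	for _, id := range ro.KeyIDs {
		delete(r.Keys, id)
	}
	r.Keys[newKey.ID()] = newKey
	r.Roles[role] = Role{KeyIDs: []string{newKey.ID()}, Threshold: ro.Threshold}
	r.Version++
	return nil
}

func main() {
	// Constructed key material: any distinct bytes give distinct key IDs here.
	key := func(name string) PublicKey { return PublicKey{KeyType: "ecdsa", Bytes: []byte(name)} }
	root := NewRoot(key("root-1"), key("targets-1"), key("snapshot-1"), key("timestamp-1"))

	ok, _ := root.Authorized("targets", []string{key("targets-1").ID()})
	fmt.Println("targets-1 trusted before rotation:", ok) // true

	// targets-1 is compromised: rotate it out and publish root version 2.
	_ = root.Rotate("targets", key("targets-2"))
	ok, _ = root.Authorized("targets", []string{key("targets-1").ID()})
	fmt.Println("targets-1 trusted after rotation:", ok, "root version:", root.Version) // false 2
	ok, _ = root.Authorized("targets", []string{key("targets-2").ID()})
	fmt.Println("targets-2 trusted after rotation:", ok) // true
}
```

Raising Threshold above 1 for a role is how TUF expresses "two of these keys must sign"; Authorized already counts distinct authorized signers, so the same function serves that case.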

24. Can Notary be used with private container registries?

Yes. The private registry needs a reachable Notary server: Harbor bundles one, and for other registries you run notary-server and notary-signer alongside and point the docker CLI at it with DOCKER_CONTENT_TRUST_SERVER. Signing, verification and key handling are then identical to the public-registry case.

25. Does Notary support role-based access control (RBAC) for key management?

Notary has no user-level RBAC of its own. Two mechanisms stand in for it: delegations, which let the holder of the targets key authorize other keys to sign a subset of tags so each collaborator keeps their own private key, and the Notary server's token authentication, which reuses the registry's auth server to decide who may push trust data for a given GUN.

26. How does Notary handle the distribution of public keys?

By default the client uses trust-on-first-use (TOFU): the first time it sees a repository it downloads the root metadata from the Notary server and pins the root key it finds there; later metadata must chain back to that key. For stricter deployments the Notary client configuration has a trust_pinning section that pins specific root key IDs per GUN (certs), accepts roots certified by a CA you supply (ca), or turns TOFU off entirely (disable_tofu), so an unknown repository is rejected rather than silently trusted.
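The decision just described (pinned key wins, otherwise a cached root must match, otherwise TOFU unless disabled), as an added example in Go. This is illustration code, not the Notary client's trust-pinning implementation: it models only the certs and disable_tofu options (CA pinning is omitted), matches pins by GUN prefix, and ignores root key rotation, which the real client handles by requiring the new root to be signed by the old root key.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TrustPinning mirrors two of the knobs in the Notary client's trust_pinning
// config: explicit root key IDs per GUN ("certs") and disable_tofu.
type TrustPinning struct {
	Certs       map[string][]string // GUN prefix -> allowed root key IDs
	DisableTOFU bool
}

// RootStore is the client's local cache of root key IDs it has accepted, one
// per GUN (on a Docker host this lives under ~/.docker/trust/tuf).
type RootStore map[string]string

// AcceptRoot decides whether rootKeyID, served for gun, may be trusted.
// Order: a pinned entry wins; otherwise a previously cached key must match;
// otherwise TOFU accepts and caches the key unless TOFU is disabled.
func AcceptRoot(p TrustPinning, store RootStore, gun, rootKeyID string) error {
	// The longest matching prefix in Certs is the pin for this GUN.
	best := ""
	for prefix := range p.Certs {
		if strings.HasPrefix(gun, prefix) && len(prefix) > len(best) {
			best = prefix
		}
	}
	if best != "" {
		for _, id := range p.Certs[best] {
			if id == rootKeyID {
				store[gun] = rootKeyID
				return nil
			}
		}
		return fmt.Errorf("root key %s for %s is not in the pinned keys for %q", rootKeyID, gun, best)
	}
	if cached, ok := store[gun]; ok {
		if cached != rootKeyID {
			return fmt.Errorf("root key for %s changed from %s to %s", gun, cached, rootKeyID)
		}
		return nil
	}
	if p.DisableTOFU {
		return errors.New("no pin and no cached root for " + gun + ", and TOFU is disabled")
	}
	store[gun] = rootKeyID // trust on first use: remember this key for later pulls
	return nil
}

func main() {
	// Constructed policy and key IDs for the walk-through.
	store := RootStore{}
	policy := TrustPinning{Certs: map[string][]string{"docker.io/library/": {"k-official"}}}
	fmt.Println(AcceptRoot(policy, store, "docker.io/library/alpine", "k-official")) // <nil>
	fmt.Println(AcceptRoot(policy, store, "docker.io/library/alpine", "k-rogue"))    // pin mismatch
	fmt.Println(AcceptRoot(policy, store, "example.com/app", "k1"))                  // <nil>, TOFU
	fmt.Println(AcceptRoot(policy, store, "example.com/app", "k2"))                  // changed root
	strict := TrustPinning{DisableTOFU: true}
	fmt.Println(AcceptRoot(strict, RootStore{}, "example.com/new", "k9")) // rejected
}
```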

27. Can Notary be used for signing images across multiple organizations or entities?

Yes. Each organization keeps its own root and targets keys for the repositories it owns, and delegations let an organization authorize an external party's key to sign some of its tags without sharing its targets key. Consumers still verify everything through the repository's root.

28. How does Notary handle the expiration of signed images or keys?

Expiry applies to metadata files, not to individual image signatures or to keys. Each role file carries an expires field; Notary's defaults are 10 years for root, 3 years for targets and snapshot, and 14 days for timestamp. Clients refuse expired metadata, so a repository's trust data stays usable only while the server-managed timestamp keeps being refreshed and the publisher republishes before the longer-lived roles lapse. Keys do not expire on their own; they are retired by rotation.
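The expiry check from question 28 together with the freshness guarantee from question 19, as an added example in Go (illustration code, not Notary's client). It applies the two checks a TUF client makes on every role file it loads: the metadata must not be expired, and its version must not be lower than the version already cached (rollback protection). The publish time is a constructed value; the expiry windows are Notary's documented defaults.

```go
package main

import (
	"fmt"
	"time"
)

// RoleMetadata is the part of any TUF role file (root, targets, snapshot,
// timestamp) that the freshness and rollback checks look at.
type RoleMetadata struct {
	Role    string
	Version int
	Expires time.Time
}

// DefaultExpiry applies the expiry windows Notary uses when it creates
// metadata: 10 years for root, 3 years for targets and snapshot, 14 days
// for timestamp.
func DefaultExpiry(role string, from time.Time) time.Time {
	switch role {
	case "root":
		return from.AddDate(10, 0, 0)
	case "targets", "snapshot":
		return from.AddDate(3, 0, 0)
	case "timestamp":
		return from.Add(14 * 24 * time.Hour)
	}
	return from // unknown role: already expired, so it is rejected
}

// CheckFreshness rejects expired metadata and metadata older than the copy
// previously cached for the same role. prev == nil means nothing is cached yet.
func CheckFreshness(meta RoleMetadata, prev *RoleMetadata, now time.Time) error {
	if !now.Before(meta.Expires) {
		return fmt.Errorf("%s metadata expired at %s", meta.Role, meta.Expires.Format(time.RFC3339))
	}
	if prev != nil {
		if prev.Role != meta.Role {
			return fmt.Errorf("cached %s metadata compared against %s", prev.Role, meta.Role)
		}
		if meta.Version < prev.Version {
			return fmt.Errorf("%s version %d is older than cached version %d (rollback)", meta.Role, meta.Version, prev.Version)
		}
	}
	return nil
}

func main() {
	created := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed publish time
	ts := RoleMetadata{Role: "timestamp", Version: 7, Expires: DefaultExpiry("timestamp", created)}
	fmt.Println("3 days later:", CheckFreshness(ts, nil, created.AddDate(0, 0, 3)))          // <nil>
	fmt.Println("20 days later (frozen):", CheckFreshness(ts, nil, created.AddDate(0, 0, 20))) // expired
	stale := RoleMetadata{Role: "timestamp", Version: 5, Expires: ts.Expires}
	fmt.Println("older than cached:", CheckFreshness(stale, &ts, created.AddDate(0, 0, 1))) // rollback
}
```

The 14-day window is why a Notary server that stops being reachable or stops re-signing makes every trusted pull of the repository fail after two weeks; that is the intended failure mode, not a bug.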

29. What metadata does Notary sign along with container images?

The targets metadata maps each tag name to the byte length and SHA-256 digest of the image manifest, optionally with a small custom field. The manifest in turn lists the image config and every layer by digest, so signing the manifest digest covers the whole image. Notary does not separately sign the registry hostname, layer contents or labels; the repository name enters only as the GUN under which the metadata is stored.

30. How does Notary support transparency in the software supply chain?

It provides auditability rather than public transparency. Anyone who can read the repository can fetch and inspect the signed metadata (notary list, docker trust inspect) to see which keys signed which digests under which tags. Notary is not a transparency log: it does not publish an append-only, publicly verifiable record of every signature ever issued.

31. Can Notary be used in a multi-cloud environment?

Yes, provided every cluster and pipeline can reach the Notary server (or a mirror of it) that holds the trust data for the repositories it pulls. Signing and verification are the same regardless of which cloud hosts the registry or the workload.

32. How does Notary integrate with continuous integration/continuous deployment (CI/CD) pipelines?

Notary fits CI/CD as a signing step after the image is built and pushed and a verification step before deployment. For docker, set DOCKER_CONTENT_TRUST=1 and supply the key passphrases as pipeline secrets through DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE and DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE; keep the root key out of the pipeline and give it only a repository (targets) key or a delegation key.

33. Does Notary have any dependencies on specific container runtimes?

Notary does not depend on a container runtime; enforcement happens wherever a tag is resolved to a digest. The docker CLI enforces it when DOCKER_CONTENT_TRUST=1 is set. containerd, CRI-O and Kubernetes do not check Notary signatures on their own, so with those runtimes the check has to be done by an admission controller or by a DCT-aware client in the pipeline that pins the verified digest.

34. What is the role of Notary in ensuring container image provenance?

Notary establishes who signed a tag and which digest they signed, which tells a consumer that the image came from the holder of that key unchanged. It does not record how the image was built; provenance in the build sense (source commit, builder, build steps) has to come from a separate attestation.

35. Can Notary be used for signing and verifying Helm charts?

Notary can sign any content that has a GUN and a target name, so a Helm chart stored in a registry as an OCI artifact can be signed like any other tag (notary add with the chart's digest, or a DCT-aware push). Helm's own provenance mechanism (helm package --sign and helm verify) uses GPG and is independent of Notary.

36. How does Notary handle decentralized trust in a containerized environment?

Trust is per repository rather than centralized: each repository has its own root key and there is no global certificate authority. Within a repository the model is hierarchical: root vouches for the role keys, and targets can delegate parts of its namespace to further keys, so trust flows from one root down to each signer.

37. Can Notary signatures be audited or logged?

Yes. The signed metadata is itself the audit trail: every version of every role file is signed and numbered, and the Notary server keeps earlier versions in its database. The server also produces request logs that show who pushed or fetched trust data. For compliance evidence, notary list and docker trust inspect export the current signers and digests.

38. How does Notary handle the scenario where a publisher loses control of their private key?

Treat it as a compromise and rotate the affected role key as described in questions 15 and 23. If the root key is lost rather than stolen, there is no way to publish a new root that existing clients will accept, because they require the old root key's signature on it; the only recourse is to delete the repository's trust data (notary delete <GUN> --remote) and start a new trust root, after which every client has to accept the new root again through TOFU or explicit pinning. This is why the root key should be backed up offline.

39. Can Notary be used for signing images in a GitOps workflow?

Yes. The build stage signs the image after pushing it, and the deploy stage verifies the signature (typically through an admission controller) before the Git-driven reconciler rolls it out. Recording the verified digest in Git, rather than a mutable tag, keeps what was reviewed and what is deployed identical.

40. How does Notary handle the signing of layered container images?

Notary signs the digest of the image manifest. The manifest lists the image config and each layer by digest, so the layers are covered transitively: changing any layer changes the manifest digest and breaks the signature. Layers do not carry signatures of their own.

41. Does Notary support third-party signature verification?

Yes, through delegations. A repository owner adds a third party's public key under a delegation role (for example targets/releases) with docker trust signer add, and that party then signs tags with its own private key. Consumers verify those signatures through the same chain, since root authorizes targets and targets authorizes the delegation; no extra configuration is needed on the consumer side.

42. How does Notary handle cross-repository image signing?

It does not. Trust data is scoped to the repository name (GUN): a signature made for registry-a/app:1.0 says nothing about registry-b/app:1.0 even when both tags point to the same digest. When an image is copied to another repository it must be signed again there; what can be carried across and checked in the destination is the digest.

43. Can Notary be used in scenarios with multiple development teams and projects?

Yes. Docker Content Trust generates one root key per user and a separate targets key per repository, and delegations let each team sign only the tags of its own repositories. Teams therefore do not need to share a key, and a compromise in one team's repository does not affect the others.

44. How does Notary handle image deletions or removals?

Deleting an image from the registry does not touch its trust data: the tag stays listed in the Notary server's targets metadata with the old digest, so a later push of different content under the same tag fails verification until the tag is re-signed. Remove a tag's trust data with docker trust revoke <image:tag> or notary remove <GUN> <tag> followed by notary publish, and remove a repository's trust data entirely with notary delete <GUN> --remote.

45. Can Notary be used for signing images in edge computing or IoT environments?

Yes, Notary can be used for signing images in edge computing or IoT environments, ensuring the integrity and authenticity of containerized applications.

46. How does Notary impact the performance of image pulling and deployment?

The overhead is small. A trusted pull first downloads a few small JSON metadata files from the Notary server (timestamp, snapshot, targets and any delegations) and verifies their signatures, then pulls the image by the resolved digest; the metadata is cached locally and only the timestamp is re-fetched on every pull, with the rest re-downloaded when the timestamp shows they changed. Image layers are not hashed again beyond what the registry pull already does.

47. Can Notary be used with orchestrators other than Kubernetes, such as Docker Swarm or OpenShift?

Yes, with the same caveat as Kubernetes: enforcement happens wherever the tag is resolved. A Docker Swarm client honors DOCKER_CONTENT_TRUST for docker service create, Docker Enterprise added cluster-wide signature enforcement on top of Notary, and OpenShift or any other Kubernetes distribution relies on an admission controller.

48. What is the significance of the “targets” role in Notary?

The targets role signs the mapping from tag names to manifest digests and lengths, and may delegate parts of that namespace to other keys. A targets signature means the holder of the targets key vouched for that digest under that tag; it does not mean the content was scanned or reviewed, only that it is what the publisher intended to publish.

49. How does Notary handle the signing of container images with multiple tags?

Tags are separate entries in the targets metadata. Signing app:1.0 does not sign app:latest, even when both tags point to the same manifest, so every tag a publisher wants to be pullable with content trust must be signed (docker trust sign or notary add once per tag). Two tags that share a digest will carry the same digest in the metadata, but each needs its own entry.

50. Can Notary be used in a serverless computing environment?

Yes, where the serverless platform runs functions packaged as container images pulled from a registry. The platform itself does not verify Notary signatures, so the check has to be done by whatever builds and deploys the function, typically a pipeline that verifies the tag and pins the resulting digest before deployment.
