As container adoption continues to grow, there is more scrutiny than ever on container supply chains. A container image from an unknown source could include vulnerabilities and malicious code injected by bad actors. To mitigate container supply chain threats, enterprises and open-source communities are exploring safeguards. Signing container images enables software consumers to detect tampering and ensure the authenticity of the containerized workloads.
Notary Project is a set of specifications and tools that provides cross-industry standards for securing software supply chains through signing and verification, signature portability, and key/certificate management. Notation is a sub-project of Notary Project, which consists of the notation CLI and two Golang libraries that implement the latest Notary Project specifications.
Key new features in the Notary Project major release
Notary Project is a CNCF Incubating project. We have seen tremendous adoption and integration of Notary Project from end-users and open-source projects, such as Windows Containers, containerd, and Kyverno. The Notary Project community announced a major release on August 24. This major release provides the following capabilities:
- Sign artifacts using signing keys stored securely in a key management system (KMS), such as Azure Key Vault.
- Sign artifacts as well as list and inspect signatures stored in OCI-compliant registries, such as Azure Container Registry.
- Support for two signature envelope formats: COSE and JWS.
- Verify signatures using the trust store and fine-grained trust policy.
Additionally, as part of our commitment to security, Notary Project also set up continuous fuzzing of the source code and completed a security audit in 2023. All vulnerabilities found during the audit were fixed before the major release of the libraries and the CLI.
Key new features in Notation Azure Key Vault plugin v1.0
As a co-maintainer organization for Notary Project, we at Microsoft Azure continuously strive to make it simple and reliable for customers to secure their software supply chain. Today we are excited to announce the Azure Key Vault plugin v1.0 for Notary Project major release. Azure Key Vault plugin is a Notation signing plugin using Azure Key Vault managed certificates and keys, implementing the plugin contract of Notary Project Specifications v1.0.0. It supports signing with self-signed certificates and Certificate Authority (CA) issued certificates.
Verify image metadata before deployment to Kubernetes
To enable Kubernetes clusters to verify artifact security metadata prior to containerized workload deployment, we announced the Ratify project in December 2021. Ratify is an extensible verification framework for container images and other artifacts that can examine and use custom policies that you create to approve deployments in Kubernetes. Ratify supports Notary Project signature verification in Kubernetes. Now you can use Notation and Ratify to build an end-to-end image integrity workflow on Azure Kubernetes Service or your on-premises Kubernetes.
What’s next
This milestone is just the beginning of the journey. We are committed to continuing working with the Notary Project community to continue improving the Notary Project and its Azure Key Vault plugin.
Automation of security posture with CI/CD pipelines is the way to simplify the supply chain security hardening process. The CI/CD integration with Notation including GitHub Actions and Azure DevOps Pipeline Tasks is planned to be released in the near future.
Start signing and verifying container images
To learn more about the Notary Project specification, Notation CLI tool, and signing container images, watch this Open at Microsoft video "Signing Container Images with Notary Project". You can also follow this hands-on guide to start signing and verifying container images on Azure.
We appreciate any feedback or thoughts about this new feature on Azure via the feedback portal or submit GitHub issues with any questions.
