github.com/containerd/nerdctl@v1.7.7/docs/notation.md

# Container Image Sign and Verify with the notation tool

| :zap: Requirement | nerdctl >= 1.3.0 |
|-------------------|------------------|

[notation](https://github.com/notaryproject/notation) is a project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures.

You can enable container image signing and verification in the `push` and `pull` commands of `nerdctl`, which use `notation`
under the hood: pass the `--sign` flag while pushing the container image and the `--verify` flag while pulling it.

* Ensure the `notation` executable is in your `$PATH`.
* You can install notation by following this page: https://notaryproject.dev/docs/user-guides/installation/cli/
* Notation follows the RC of OCI spec v1.1.0. Follow the [instructions](https://notaryproject.dev/docs/quickstart/#create-an-oci-compatible-registry) to set up a local registry that complies with it for testing purposes.

Prepare your environment:

```shell
# Create a sample Dockerfile
$ cat <<EOF | tee Dockerfile.dummy
FROM alpine:latest
CMD [ "echo", "Hello World" ]
EOF
```

> Please do not forget that we won't be validating the base image the container image is built on (`alpine:latest` in this case);
> we'll only verify the container image itself once we sign it.

```shell
# Build the image
$ nerdctl build -t localhost:5000/my-test -f Dockerfile.dummy .

# Generate a key-pair in notation's key store and trust store
$ notation cert generate-test --default "test"

# Confirm the signing key is correctly configured. The key name with a * prefix is the default key.
$ notation key ls

# Confirm the certificate is stored in the trust store.
$ notation cert ls
```

Sign the container image while pushing:

```shell
# Sign the image and store the signature in the registry
$ nerdctl push --sign=notation --notation-key-name test localhost:5000/my-test
```

Verify the container image while pulling:

> REMINDER: When you pass the `--verify` flag, the image won't be pulled if none of its signatures match the certificate referenced by the [trust policy](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#trust-policy).

```shell
# Create `trustpolicy.json` under $XDG_CONFIG_HOME/notation (XDG_CONFIG_HOME is ~/.config below)
$ cat <<EOF | tee ~/.config/notation/trustpolicy.json
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "test-images",
            "registryScopes": [ "*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:test" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}
EOF

# Verify the image
$ nerdctl pull --verify=notation localhost:5000/my-test

# You cannot pull the image if it is not signed by the certificate in the trust policy's trust store
$ nerdctl pull --verify=notation localhost:5000/my-test-bad
```
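The trust policy above is what decides whether `nerdctl pull --verify=notation` succeeds, and notation rejects a malformed policy before it looks at any signature. The following is an added example, not code from nerdctl or notation: it builds a policy document in the same shape as the heredoc above, checks it against a subset of the rules in the Notary Project trust-policy spec (unique policy names, a non-empty `registryScopes`, a known `level`, `trustStores` entries of the form `<type>:<name>`, `trustedIdentities` required unless the level is `skip`, and the `"*"` wildcard standing alone), and flags the settings that verify fine against a test registry but are broader than you want in production (`registryScopes: ["*"]`, `trustedIdentities: ["*"]`, any level other than `strict`). The function names and the temporary config directory are this example's own assumptions; the spec rules it encodes are my reading of the spec, so check them against the linked document if you rely on them.

```python
"""Build and sanity-check a notation trust policy (trustpolicy.json).

Added example; not part of nerdctl or notation. It encodes a subset of the
Notary Project trust-store/trust-policy rules (assumption: as read by this
example's author) and warns about settings that are too broad outside a
test registry.
"""
import json
import os
import tempfile

VERIFICATION_LEVELS = {"strict", "permissive", "audit", "skip"}
TRUST_STORE_TYPES = {"ca", "signingAuthority"}


def build_trust_policy(name, registry_scopes, trust_stores, trusted_identities, level="strict"):
    """Return a policy document in the shape written by the heredoc above."""
    return {
        "version": "1.0",
        "trustPolicies": [
            {
                "name": name,
                "registryScopes": list(registry_scopes),
                "signatureVerification": {"level": level},
                "trustStores": list(trust_stores),
                "trustedIdentities": list(trusted_identities),
            }
        ],
    }


def check_trust_policy(doc):
    """Return (errors, warnings).

    errors: conditions notation rejects (the pull fails before any signature
    is examined); warnings: settings that verify but trust more than a
    production policy should.
    """
    errors, warnings = [], []
    if doc.get("version") != "1.0":
        errors.append('version must be "1.0"')
    policies = doc.get("trustPolicies") or []
    if not policies:
        errors.append("trustPolicies must contain at least one policy")
    seen = set()
    for p in policies:
        name = p.get("name") or "<unnamed>"
        if not p.get("name"):
            errors.append("policy without a name")
        elif name in seen:
            errors.append(f"{name}: duplicate policy name")
        seen.add(name)

        scopes = p.get("registryScopes") or []
        if not scopes:
            errors.append(f"{name}: registryScopes must not be empty")
        elif "*" in scopes and len(scopes) > 1:
            errors.append(f'{name}: wildcard scope "*" cannot be combined with other scopes')
        elif scopes == ["*"]:
            warnings.append(f'{name}: registryScopes "*" applies this policy to every registry')

        level = (p.get("signatureVerification") or {}).get("level")
        if level not in VERIFICATION_LEVELS:
            errors.append(f"{name}: unknown verification level {level!r}")
        elif level != "strict":
            warnings.append(f"{name}: level {level!r} does not fail the pull on every verification error")

        stores = p.get("trustStores") or []
        idents = p.get("trustedIdentities") or []
        if level == "skip":
            if stores or idents:
                errors.append(f"{name}: level skip must not set trustStores or trustedIdentities")
            continue
        if not stores:
            errors.append(f"{name}: trustStores must not be empty")
        for s in stores:
            kind, _, store_name = s.partition(":")
            if kind not in TRUST_STORE_TYPES or not store_name:
                errors.append(f"{name}: trust store {s!r} is not of the form <type>:<name>")
        if not idents:
            errors.append(f"{name}: trustedIdentities must not be empty")
        elif "*" in idents and len(idents) > 1:
            errors.append(f'{name}: wildcard identity "*" cannot be combined with other identities')
        elif idents == ["*"]:
            warnings.append(f'{name}: trustedIdentities "*" accepts any certificate in the trust stores')
    return errors, warnings


def write_trust_policy(doc, config_dir):
    """Write trustpolicy.json under config_dir (e.g. $XDG_CONFIG_HOME/notation); refuse invalid docs."""
    errors, _ = check_trust_policy(doc)
    if errors:
        raise ValueError("; ".join(errors))
    os.makedirs(config_dir, exist_ok=True)
    path = os.path.join(config_dir, "trustpolicy.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=4)
    return path


def demo():
    """Write the page's test policy to a temporary config dir and return what was written."""
    doc = build_trust_policy("test-images", ["*"], ["ca:test"], ["*"])
    path = write_trust_policy(doc, os.path.join(tempfile.mkdtemp(), "notation"))
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for msg in check_trust_policy(demo())[1]:
        print("warning:", msg)
```

For the production version of the policy, replace `"*"` in `registryScopes` with the registry or repository the policy covers and `"*"` in `trustedIdentities` with the `x509.subject` of the signing certificate; `check_trust_policy` then returns no warnings.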