Notary V2

A tool for signing and verifying container images to ensure integrity and authenticity in the software supply chain.

Tags: Multi-Cloud, Open Source, Self Hosted + Cloud Options
Category: Supply Chain Security
Last Commit: 1 year ago
Last page update: 18 days ago
Pricing Details: Free and open source.
Target Audience: Developers and DevOps teams managing containerized applications.

Notary V2, implemented through the Notation CLI, is designed to ensure the integrity and authenticity of container images in the software supply chain. The tool lets users sign and verify container images, much like checking git commit signatures, but applied to the artifacts that are actually deployed.

The technical architecture of Notary V2 revolves around the Notation CLI, which integrates with container registries to manage signatures. Users generate a signature with the notation sign command, and the signature is stored directly in the container registry alongside the image. The tool supports two signature envelope formats: JWS (JSON Web Signature) and COSE (CBOR Object Signing and Encryption); JWS is the default when no format is specified.

Operationally, Notary V2 requires users to log into their container registry with the notation login command, using access tokens rather than account passwords. Signatures attached to a container image can then be listed and verified with the notation ls and notation verify commands. Notary V2 also supports RFC 3161 compliant timestamping, which strengthens the signature by embedding a timestamp from a trusted timestamping authority, so the signing time can be established independently of the signer.

Key operational considerations include referencing images by their SHA-256 digest rather than by tag, because image tags are mutable and a tag can be repointed at different content after it was signed. The tool's adherence to OCI (Open Container Initiative) specifications ensures compatibility with a range of container registries. However, managing and validating these signatures adds complexity, particularly in large-scale deployments where signature management and revocation become critical.

From a technical standpoint, Notary V2 relies on the notation-core-go module for its core cryptographic functionality: signature generation and parsing, certificate validation, and OCSP revocation status checks. Keeping these checks in one module ensures consistent security behavior throughout the signing and verification process.