Since December 2019, teams have been meeting regularly, as captured in the Notary v2 notes. Requirements and a focused prototype have been completed, enabling conversations to upstream projects.
To deliver Notary v2, we recognized the need of experts from multiple backgrounds, experiences and skill sets. The various perspectives were needed to assure we learned from past efforts and learned from subject matter experts.
Stages of Development were identified with the following February 2021 progress:
To complete Notary v2, key areas of focus were identified, with the following progress:
- Definition of a Notary v2 Signature
- Registry Persistance, Discovery and Retrieval
- Key Management
- Policy Management
Baseline requirements have been defined, enabling focused prototyping. Additional requirements are being discussed as PRs:
In September of 2020, a focused prototype for signing, integration with a registry and client validation were completed.
The prototype focused on:
- Signing a container image with a prototype of an nv2 client.
- Pushing to an instance of the CNCF Distribution based registry, with exploratory prototype enhancements.
- Discovery of signatures, based on a verification by reference design.
- Validation of a signature with the
nv2client, using the public key pair used to sign the artifact.
Details of the September 2020 Prototype:
The prototypes have enabled participants and subject matter experts to identify additional areas of focus, such as how policy management capabilities may be applied to Notary v2 signature validation.
With a focused nv2 client validation complete, the next phase will integrate policy management rules, using OPA and Gatekeeper. These additional validations will surface gaps in the workflow, including key management, and what policies may be supported through multiple Notary v2 keys. Air-gap environments will likely surface additional details to be addressed, including key-revocation capabilities.
- Definition of a Notary v2 Signature
- Registry Persistance, Discovery and Retrieval
- Key Management
- Policy Management
A Prototype-1 Signature Spec has been defined, serializing as a JWT variant. While additional signature types may be added, a baseline signature spec has enabled validation of the other areas of focus, including registry persistance, discovery & retrieval.
To validate the end to end experiences, an experimental change to CNCF Distribution enabled linking of a container image and an independent Notary v2 signature.
An experimental docker plug-in called docker-generate generates a local manifest, used to generate the signature. The plug-in extends the docker push command to push the signature and make an additional link API request of the registry.
This prototype inspired a new OCI Artifact Manifest, which provides a way for artifacts to define the target artifact (manifest) they are linking to.
Additional signature types have also been discussed, including IBM Simple Signing and a cosign prototype, developed by Dan Lorenc which would benefit from the OCI Artifact Manifest linking proposal. Supporting additional signature types is not within the Notary v2 scope, rather a benefit from the OCI Artifact manifest approach for linking Notary v2 signatures.
To support discovery of linked artifacts, OCI Distribution-spec list API requirements have begun. Conversations whether the linking API should be part of the OCI distribution-spec, or a registry extension defined in OCI Artifacts are being considered.
Early on, a preliminary Notary v2 thread model was defined, with key management requirements forming. Key management is an area of additional focus in 2021 as we focus on:
- Publishing and discovery of public keys for consumers to validate signatures
- Key revocation, including support for air-gapped environments
As OPA/Gatekeeper prototypes are started in 2021, a set of policy management requirements will surface. Notary v2 will not defined a policy management solution, rather it will provide options for policy management solutions to interact with.
A Notary v2 signature spec has been prototyped. As the OCI Artifact Manifest and Manifest Link API proposals proceed, with subsequent prototype validations, the Notary v2 spec will begin.
2020 focused on requirements gathering and initial prototypes to validate the requirements could be met. 2021 will focus on building end to end prototypes, including integration with Kubernetes, OPA and Gatekeeper. The changes required for registry persistence, discovery and retrieval will be hardened enabling registry operators and registry projects to implement the changes. The goal being user validations, and gap analysis of requirements and/or prototypes. These final validations will lead to a Notary v2 specification.
The following goals are set for 2021:
- Extend OCI Artifacts to support reverse lookup capabilities for signatures and SBoMs.
- An oci.artifact.manifest proposal has begun review.
- Design a manifest - linked-list lookup distribution API for discovering linked artifacts, such as Notary v2 signatures.
- Once a stable proposal is reached, implement it in CNCF Distribution with the ability for users to self-instance the solution.
- The design should be strong enough for cloud providers and registry projects to implement in sand-boxed environments for user validation.
- Prototype policy management rules, using something like OPA and Gatekeeper.
- Build out key management requirements, including discovery of public keys, and key revocation scenarios across public and private/air-gapped environments.
- Engage users and customers for feedback on the end to end capabilities.
- Begin a Notary v2 spec that captures the learnings.