Notarize Signed Image with airSlate SignNow

Notarize signed image

hi everyone my name is anthony ramirez and on the cloud engineer at nebula works and today we're going to talk about container security the objectives of today are to describe the motivation for a project called the update framework or tough we're going to describe Notary which is an implementation of tough and then we're going to look at an example of how you can use notary with the docker platform so off the bat top and notary are open source projects that are part of the cloud native computing foundation so these tools are open source and they have open source communities that are driving the motivation for new functionality and new features so before we get started these are the tools that we're going to be discussing today it tend to be tough notary and the darker platform there's some assumptions about the knowledge that you have about docker since notary and tough provide mechanisms in order to securely update docker images so at this point it's assumed that you're familiar with writing a docker file building it tagging it and pushing it to an image repository so the update framework is a project that was started in order to create a generic framework that secured software update systems so there exists dozens of software update systems on your computer which provide the ability for software to update packages in order to either remove vulnerabilities or add new functionality so those need to better understand how the updates to software should be managed so the update framework intends to provide a framework that can be used to secure new and existing software update systems to reduce key compromise so that the entities that are signing your keys are authorized and sit in are where they say they are and should be generic enough to be compatible with many systems in this case the docker container platform so notary is an implementation of tough so under the covers notary is essentially the tough framework and docker introduced notary in 2015 along the concept of docker content trust which is the ability to sign your images and pushed into your repository and verify that the entity that signed and pushed your images are who they say they are so now we'll get into an example of how to implement notary and docker so on this side we have a list of things that we're going to be discussing but at first I'm going to describe some of the components that are necessary in order to integrate notary with docker so first we have a local workstation that's running the doctor engine that's greater than 1.8 and this is a local workstation that our developers on over here we have an image repository that allows us to store our images and we have a notary server and sign so this is the server sign up and we both have some databases here so the first thing that you have to understand is that notary provides you the ability to authenticate what content has been updated by who and when so considering that these are some features that motor provides you it's important to define how to leverage the features correctly and so to do that we're going to define the key hierarchy a notary so I'll describe this at a high level and you can find more information by going to the update framework com but at a high level we have a root key which is in charge of establishing the the root of our source of all truth for all of the content and metadata that you'll be trying to verify from this key will create a timestamp key which provides us the ability to sign with a timestamp to guarantee freshness of the content that we're modifying pushing or pulling there's a targets key that's responsible for delegating a specific content in this case we're talking about a image repository that a signer will be able to interact with and then there is a snapshot key and the snapshot key allows you to create a point-in-time snapshot of all of the content that exists and changed within a imagery bow and then from a target key we have the ability to create delegations and a delegation is essentially a way to allow a user such as a docker engine in order to interact with the repo so the purpose of creating this hierarchy in this way is that if a delegation key is compromised it's very easy to regenerate these keys and since these keys can be used for automation purposes most of the time they might be online or accessible through a web server so these keys should be treated almost as ephemeral and then the root key or also known as the offline key should be kept safe and it is very hard to recover from losing the root key so first and foremost you have to initialize and configure docker to use notary so another component that must exist on this host so if this is the developerworks station we also have to add the new airplane so the notary client or the notary CLI will exist on this machine and what we'll do is we'll connect or make this notary client aware of this server and signer and technically all of this can run on a single host if you wanted to create a proof of concept or an MVP however for production purposes it's not recommended it's you should have notary running in a secure Network possibly in running on different servers you can also run notary with containers so now there's a given repo that provides you the dogger compose files to stand this up so we have a notary client here that communicates with the notary server through configuration files then in order to provide the docker engine with instructions in order to use military we exported an environment variable called docker content trust and we set it to one so when this variable is set to one the doctor engine will automatically look for a key so you may ask well how do i generate this key in order to do that you must run a command called notary and then and then a repository so this is a shorthand syntax here but normally you would have to provide the workspace of the repo and then the actual repo name so once an intiative initialize a repo this repo now has content Trust metadata so every time I push an image to this repo the notary server will verify that the key that's used to sign the image exists and it will verify all of the content that you're pushing and allow you to push to the imagery bill so essentially the keys that we're using here if we're using a delegation is a user's public and private key pair so the user will talk to the private key and notary hold on to the public key so now if there are any pools back to the engine we can verify that the public key that exists in the image repo matches the private key on the docker engine so with this workflow developers can configure it first configured the docker engine notary client and then enable docker content trust by exporting doctor content trusts to one and then every time they build tag and push an image it will require that a key be present leverage that key to sign the image and then push it to the image repository and then when you pull that image it will verify with the public key so the point of this is to ensure the integrity of the users that are pushing you're pushing any updates or content to your images as well as provide mechanisms like a timestamp key in order to guarantee the freshness of these any updates to your images so at a high level we discussed the update framework which is a tool an open-source tool created to secure update systems and notary is an open source project that leveraged tough in order to verify the integrity of users that are pushing docker images and then we talked about how you can use these tools in tandem with docker in order to sign images and verify who either pushed or pulled from a repo thank you for listening and watching if you enjoyed this video please like and subscribe to our channel if you want more information about container security signing with signing images with notary please visit us at nebula verse comm forward slash hashtag contact us and also check out the links in the description if you want to know more about the tools discussed today thank you [Music]