# Notation video ideas Issue: https://github.com/notaryproject/notaryproject.dev/issues/129 ## Meeting notes on Mar 22, 2022 ## Idea - Why is container signing important? - What is crypto signing and what is the Notary Project? - What is Notation - Concepts of software security supply chain (?) - Signing and verification workflow and scenario (diagram) - Demo of Notation CLI (Start with docker) - How to install and get started: https://notaryproject.dev/docs/installation/cli/ - ## Related Concepts * ORAS * OCI * Ratify (K8s) * PaC (policy as code) * high-level only ## High level architecture    ## Timeline - Review the script on Mar 24 - Have the first version of video on Mar 31 - Final deadline: before the mid of April ## Appendix/Resources * https://aws.amazon.com/blogs/containers/cryptographic-signing-for-containers/ * https://notaryproject.dev/docs/quickstart/ * https://github.com/deislabs/ratify/blob/main/docs/examples/ratify-verify-azure-cmd.md * KubeCon videos * [Notary v2: Deep Dive and Open Issues - Justin Cormack, Docker & Steve Lasker, Microsoft](https://www.youtube.com/watch?v=7U4VdjgOFJc) * [Notary v2: Supply Chain Security for Containers - Justin Cormack, Docker & Steve Lasker, Microsoft](https://www.youtube.com/watch?v=SZMbuirEQVU) * [Notary v2: Redesigning the Secure Supply Chain for Containers - Justin Cormack & Steve Lasker](https://www.youtube.com/watch?v=LKpFynI0S_w) * [Notary v2 Introduction and Status Report - Justin Cormack, Docker & Omar Paul, Amazon](https://www.youtube.com/watch?v=8K4a7Ltk_4U) * Comparison with Sigstore/cosign (TBD) ## Note Please do not use "Notary v2" as we dropped this name recently. We can say the Notary Project is a open standard and tool in a whole and Notation is a CLI. ## Rough Script (Sai) Container signing is critical to ensure integrity and security of container images as they move through your software supply chain. Let’s walk through an example. In the process of working with container images, most developers pull from a base image. Right off the bat, I'll first want to verify the signature of the public image, here. _point to first section of following image on lightboard_  But what is cryptographic signing? Essentially it ensures integrity — meaning the image I download actually matches the image when it was originally built... AND non-repudiation, meaning we can be certain about who actually created that image, or atleast signed it. Now that I'm confident about that base image, I'll use it to create a new image that has been "hardened". Essentially, checking the image for vulnerabilities, making any necessary changes, and marking it as ready for use within my organization. We'll start our demo today here. Notation is a CLI project to add signatures to containers (and other standard OCI artifacts) in a way that allows the signatures to persist with it through our container build pipeline. The Notation CLI provides simple tooling for signing and verifying these signatures. To start this process, you will first need a signing key. For local testing and development purposes, `notation` will help us by creating a self-signed x.509 certificate. We can run the following commands to generate a test key and self-signed certificate: `notation cert generate-test --default "wabbit-networks.io"` View the generated key with: `notation key ls` and confirm the certificate is in the trust store with: `notation cert ls` Next, we’ll use `notation sign` to sign the container image: `notation sign $IMAGE` Lastly, run the following to check if the signature has been attached to the image: `notation ls $IMAGE` The team has now signed the image it is pushed into an OCI-compliant registry, in our case GitHub Container Registry, along with its signature as a private image. Next, the consumers of this image will need to verify the signature prior to deploying the image. To do so, they can create a `trustpolicy.json` with the example truststore that we created earlier: ```{ "version": "1.0", "trustPolicies": [ { "name": "wabbit-networks-images", "registryScopes": [ "*" ], "signatureVerification": { "level" : "strict" }, "trustStores": [ "ca:wabbit-networks.io" ], "trustedIdentities": [ "*" ] } ] } ``` This JSON creates a trust policy which applies to policy artifacts in any registry, and uses the `wabbit-networks.io` truststore which we created earlier. At this point, we can run the following to verify the signatures associated with the image: `notation verify $IMAGE` In a real use-case, we would not use a self-signed certificate, but the general flow remains the same. Note that there are other aspects to the software supply chain lifecycle, such as generating SBOMs (software bill of materials), and policy management within Kubernetes to ensure that only signed images can run in your Kubernetes clusters. While these capabilities are out of the scope of the project, Notation provides interoperability with policy management or admission control projects like Ratify and Kyverno to enable these use cases. To learn more, check out the complete documentation on the Notary site linked in the description below. Thanks for watching! ## Suggested changes 1. The digest shown for `notation ls $IMAGE` is not the same as `notaiont sign` and `notation verify` command. it's better to use the same digest 2. The artifact type of signature marked in red is wrong, it should be `application/vnd.cncf.notary.signature`   3. Suggest adding a simple end-to-end diagram or just put three related project logos (Kubernetes, Ratify, Kyverno) on the screen when you mentioning verify image deployment in Kubernetes with Ratify or Kyverno integration at `0:03:30`.