# Notation CX for Blob Signing

## Current CX in PR

*notation blob verify **--policy-scope** wabbit-networks --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin*

***trustpolicy.json***

```JSON=
{
  "version": "1.1",
  "trustPolicies": [
    {
      "name": "wabbit-networks-images",
      "scopes": [
        "oci:registry.acme-rockets.io/software/net-monitor",
        "oci:registry.acme-rockets.io/software/net-logger"
      ],
      "signatureVerification": {
        "level" : "strict"
      },
      "trustStores": ["wabbit-networks"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
      ]
    },
    {
      "scopes": [
        "oci:*"
      ],
      "signatureVerification": {
        "level" : "audit"
      },
      "trustStores": ["ca:acme-rockets", "ca:acme-rockets-ca2"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
      ]
    },
    {
      "name": "wabbit-networks-blobs",
      "scopes": [
        "blob:wabbit-networks" // limit the scope of the policy to blobs coming from wabbit-networks
      ],
      "signatureVerification": {
        "level" : "strict"
      },
      "trustStores": ["wabbit-networks"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
      ]
    },
    {
      // Policy for all arbitrary blobs with a wildcard scope
      "name": "global-policy-for-all-blobs",
      "scopes": [
        "blob:*"
      ],
      "signatureVerification": {
        "level" : "audit"
      },
      "trustStores": ["ca:acme-rockets", "ca:acme-rockets-ca2"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
      ]
    }
  ]
}
```

## Proposed CX

*notation blob verify **--policy-name** wabbit-networks-blobs --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin*

***trustpolicy.blob.json***

```JSON=
{
  "version": "1.1",
  "policyType" : "blob",
  "trustPolicies": [
    {
      "name": "wabbit-networks-blobs",
      "signatureVerification": {
        "level" : "strict"
      },
      "trustStores": ["wabbit-networks"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
      ]
    },
    {
      // Policy for all
      // arbitrary blobs with a wildcard scope
      "name": "global-policy-for-all-blobs",
      "blobs" : [
        "*"
      ],
      "signatureVerification": {
        "level" : "audit"
      },
      "trustStores": ["ca:acme-rockets", "ca:acme-rockets-ca2"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
      ]
    }
  ]
}
```

***trustpolicy.oci-image.json***

```JSON=
{
  "version": "1.1",
  "policyType" : "oci-image",
  "trustPolicies": [
    {
      "name": "wabbit-networks-images",
      "images": [
        "registry.acme-rockets.io/software/net-monitor",
        "registry.acme-rockets.io/software/net-logger"
      ],
      "signatureVerification": {
        "level" : "strict"
      },
      "trustStores": ["wabbit-networks"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
      ]
    },
    {
      "name": "global-policy-for-all-other-images",
      "images": [
        "*"
      ],
      "signatureVerification": {
        "level" : "audit"
      },
      "trustStores": ["ca:acme-rockets", "ca:acme-rockets-ca2"],
      "trustedIdentities": [
        "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
      ]
    }
  ]
}
```

### References

* Kyverno - Verify Notation signed image

```
rules:
  - name: verify-signature-notary
    match:
      any:
        - resources:
            kinds:
              - Pod
    verifyImages:
      - type: Notary
        imageReferences:
          - "ghcr.io/kyverno/test-verify-image*"
        attestors:
          - count: 1
            entries:
              - certificates:
```

* Sigstore Admissions Controller policy

```
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
    - glob: "**"
  authorities:
    - name: custom-key
      key:
        data: |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg
          4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw==
          -----END PUBLIC KEY-----
      attestations:
        - name: must-have-spdxjson
          predicateType: https://spdx.dev/Document
          policy:
            type: cue
            data: |
              predicateType: "https://spdx.dev/Document"
```