HackMD
  • New!
    New!  “Bookmark” and save your note
    Find a note that's worth keeping or want reading it later? “Bookmark” it to your personal reading list.
    Got it
      • Create new note
      • Create a note from template
    • New!  “Bookmark” and save your note
      New!  “Bookmark” and save your note
      Find a note that's worth keeping or want reading it later? “Bookmark” it to your personal reading list.
      Got it
      • Options
      • Versions and GitHub Sync
      • Transfer ownership
      • Delete this note
      • Template
      • Save as template
      • Insert from template
      • Export
      • Dropbox
      • Google Drive
      • Gist
      • Import
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
      • Download
      • Markdown
      • HTML
      • Raw HTML
      • ODF (Beta)
      • Sharing Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Note Permission
      • Read
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Write
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • More (Comment, Invitee)
      • Publishing
        Everyone on the web can find and read all notes of this public team.
        After the note is published, everyone on the web can find and read this note.
        See all published notes on profile page.
      • Commenting Enable
        Disabled Forbidden Owners Signed-in users Everyone
      • Permission
        • Forbidden
        • Owners
        • Signed-in users
        • Everyone
      • Invitee
      • No invitee
    Menu Sharing Create Help
    Create Create new note Create a note from template
    Menu
    Options
    Versions and GitHub Sync Transfer ownership Delete this note
    Export
    Dropbox Google Drive Gist
    Import
    Dropbox Google Drive Gist Clipboard
    Download
    Markdown HTML Raw HTML ODF (Beta)
    Back
    Sharing
    Sharing Link copied
    /edit
    View mode
    • Edit mode
    • View mode
    • Book mode
    • Slide mode
    Edit mode View mode Book mode Slide mode
    Note Permission
    Read
    Owners
    • Owners
    • Signed-in users
    • Everyone
    Owners Signed-in users Everyone
    Write
    Owners
    • Owners
    • Signed-in users
    • Everyone
    Owners Signed-in users Everyone
    More (Comment, Invitee)
    Publishing
    Everyone on the web can find and read all notes of this public team.
    After the note is published, everyone on the web can find and read this note.
    See all published notes on profile page.
    More (Comment, Invitee)
    Commenting Enable
    Disabled Forbidden Owners Signed-in users Everyone
    Permission
    Owners
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Invitee
    No invitee
       owned this note    owned this note      
    Published Linked with
    Like BookmarkBookmarked
    Subscribed
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    Subscribe
    # Notary v2 Meeting Notes ###### tags: `cncf` `notary` `notes` **NOTE: Time Change** - moving 1 hour earlier. Time: 1600 GMT (0900 PT; 1200 ET; 1700 CET) - [On Github](https://github.com/notaryproject/) - [CNCF Calendar](https://www.cncf.io/community/calendar/) - [Zoom Dial-in link](https://zoom.us/j/6115932621?pwd=SGtsUXhQWHVvTjBuNnp4KzI1UFhyZz09) - Passcode: 77777 (5x 7) - [Notary v2 Conversations on Slack]( https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/thread/CEX1W7WMD-1582660575.076600) - [Find your local number](https://zoom.us/u/aLDk4OXTu) - [Notary v2 GitHub Projects](https://github.com/notaryproject/) - [YouTube Channel of recording](https://www.youtube.com/playlist?list=PLj6h78yzYM2O1BOGT3hLdJTJCKz0f-bYq) ### Dial by your location 877 369 0926 US Toll-free 855 880 1246 US Toll-free Meeting ID: 611 593 2621 #### One tap mobile +16465588656,,6115932621# US (New York) +16699006833,,6115932621# US (San Jose) **Note:** Template for copying at the bottom of the note. ## March 1, 2021 ### Attendees: - Niaz Khan (AWS) - Dennis Leon (VMware) - Steve Lasker (Microsoft) - Garry Ing (VMware) - Brandon Mitchell - Robert Szumlakowski (VMware) - Jackline Mutua (VMware) - Samuel Karp (AWS) - Marina Moore (NYU) ### Agenda Items: - Identify next phases of prototypes, with an open invite for folks to contribute (Steve) - _add your topics_ ### Notes: - Next round of prototypes: - OPA/Gatekeeper validation w/k8s - Complete CNCF distribution/distribution implementations - [Add support for linked artifacts #3](https://github.com/notaryproject/distribution/pull/3) - [Add OCI Artifact Type #31](https://github.com/opencontainers/artifacts/pull/31) - https://github.com/shizhMSFT/notary - https://github.com/sajayantony/nv2-demo - ORAS - Discussion around key management and revocation, Marina and Niaz will work on a document of a possible solution. - Key managment working session planned for Wednesday 10am EST on same zoom link. - _meeting minutes_ ## February 22, 2021 [Recording](https://www.youtube.com/watch?v=8HMpVsXSiGQ) ### Attendees: - Joao Pereira (VMware) - Garry Ing (VMware) - Steve Lasker (Microsoft) - Hank Donnay (Quay) - Brandon Mitchell - Niaz Khan (AWS) - Marina Moore (NYU) - Mauren Berti (VMware) - Robert Szumlakowski (VMware) - Omar Paul (AWS) - Samuel Karp (AWS) - Serge Hallyn (Cisco) - _add yourself_ ### Agenda Items: - [Key Management Requirements](https://github.com/notaryproject/requirements/pull/38) - Niaz - [Publishing the Notary v2 Status - feedbck before publishing?](https://github.com/notaryproject/notaryproject/pull/1) - SBoM Working Group quick update (Steve) - _add your topics_ ### Notes: - _meeting minutes_ ## February 15, 2021 ### Agenda Items: - cancelled due to the US holiday ## February 8, 2021 [Recording](https://www.youtube.com/watch?v=itYqzloJKro) ### Attendees: - Steve Lasker (Microsoft) - Andy Goldstein (VMware) - Brandon Mitchell - Joao Pereira (VMware) - Manish Dangi(Student India) - Miloslav Trmač (Red Hat) - Niaz Khan (AWS) - Samuel Karp (AWS) - Omar Paul (AWS) - Serge Hallyn (Cisco) - Marina Moore (NYU) - Mauren Berti (VMware) - _add yourself_ ### Agenda Items: - Container Signing Demo - Dan Lorenc (Google) - Key Management Requirements (https://github.com/notaryproject/requirements/pull/38) - _add your topics_ ### Notes: - Dan is from Google, working on signing solutions - Presenting [cosign](https://github.com/projectcosign/cosign) - Similar to minisign and signify - Using the Red Hat SimpleSigning format with the Google binary auth service - _meeting minutes_ ## February 1, 2021 [Recording](https://www.youtube.com/watch?v=eAjXTG1nhZM) ### Attendees: - Steve Lasker (Microsoft) - Joao Pereira (VMware) - John Ryan (VMware) - Garry Ing (VMware) - Brandon Mitchell - Josh Dolitsky - Peter Engelbert - Samuel Karp (AWS) - Marco Franssen (Philips - Research) - Niaz Khan (AWS) - Rio Kierkels (UvA: SNE Master Student) - Hank Donnay (Quay) - Serge Hallyn (Cisco) - Marina Moore (NYU) - Paavan Mistry (AWS) - Mauren Berti (VMware) - _add yourself_ ### Agenda Items: - Status Update (Steve) - Work through backlog of issues and PRs (Steve-group) - Hackmd.io performance: Archive these notes to a repo under https://github.com/notaryproject/ (Steve) - [How to enable dynamic (delegation) certificates in CI? #44](https://github.com/notaryproject/requirements/discussions/44) (Marco) - [What should the root key cover](https://github.com/notaryproject/nv2/discussions/27) (Marina) - New timeslot? - _add your topics_ ### Notes: - Status Update - steve to get a doc out this week, with time for feedback to provide a status for others to read as well. - [Quay update for Hank](https://github.com/notaryproject/requirements/pull/39) Merged - Brandon will add a PR to cover [issue #43](https://github.com/notaryproject/requirements/issues/43) - Discussion around whether Docker Hub would sign user repos to verify image came from logged in user. Potentially better than trust on first use. - Looking for volunteers to help with key management scenarios. - Steve looking for volunteer to run a poll for finding a better time slot. - Steve also looking at new cncf-provided meeting venue, so link may change. (check HackMD) - [More information about the TUF design](https://github.com/notaryproject/nv2/tree/prototype-tuf) - [Discussion on manifest list API](https://github.com/opencontainers/distribution-spec/issues/222) - Paavan Mistry Would there be a limit to how many signatures that can be attached? - Steve There could be, but that would be a client config. At least that's the current thinking. - Jon public registries should use something like transparency logs for tags... shoving this requirement into notary feels like scope creep - Niaz Khan We should have this be individual organizations. If you haven't heard of Wabbit Networks, why would you trust their software? ## January 25, 2021 [Recording](https://www.youtube.com/watch?v=14c7tcM1MAk) ### Attendees: - Steve Lasker (Microsoft) - Rio Kierkels (UvA: SNE Master Student) - Mohanad Elamin (UvA: SNE Master Student) - Niaz Khan (AWS) - Hank Donnay (Quay) - Marco Franssen (Philips - Research) - Samuel Karp (AWS) - Omar Paul (AWS) - Paavan Mistry (AWS) - Brandon Mitchell - Miloslav Trmač (Red Hat) - Marina Moore (NYU) ### Agenda Items: - [OCI Artifact/Notary v2 Signature Persistance Updates](https://github.com/SteveLasker/artifacts/blob/artifact-manifest/artifact-manifest/artifact-manifest.md) (steve) - [Scenarios for types of artifacts and delayed verification](https://github.com/notaryproject/requirements/pull/41) (Brandon) - [Should tags be signed in addition to digests?](https://github.com/notaryproject/requirements/issues/43) (Brandon) - [Scenario for clients to limit trust of a signing key](https://github.com/notaryproject/requirements/issues/42) (Brandon) - [TUF Implementation Discusions](https://github.com/notaryproject/nv2/discussions?discussions_q=%5BTUF%5D) (Brandon) - Should Roots be tied to Registry/Repository? (Niaz) - SPIFFE/Spire (some thoughts) - Marco: PodMan did a similar [registry configuration feature](https://github.com/containers/podman/blob/c70f5fb19bb411f81183d025d18bbf1e8cdc0938/pkg/registries/registries.go#L19) - _add your topics_ ### Notes: - Steve talked us through some of the thoughts on the artifact manifest: - https://github.com/SteveLasker/artifacts/blob/artifact-manifest/artifact-manifest/artifact-manifest.md - https://stevelasker.blog/2020/10/21/is-it-time-to-change-default-registry-references/ - RH experience: allowing short ambiguous names is deeply problematic. It may make sense for an UI (per-user aliases on manually-typed input), but should never be in data like Helm charts / k8s pod specs. Consider what happens if two different vendors deliver Helm charts that require different short-name configurations: you end up with search paths and conflicts and attacks via registry DoS to redirect references. Instead, have names that are worldwide-unique, and map them to physical locations. - Multiple concerns with dropping the registry server in references, including ambiguous references to `name.with.dots/path:tag` where the name may be a part of the repo or a hostname, and intentional repository name conflicts to push malicious images. My preference is to use an upstream registry name, and clients can configure mirrors that attempt to pull images for a specific upstream registry from a specific mirror. (Brandon) - Add topic around signature revocation, in addition to key revocation - Will send the OCI Artifact Manifest PR out later this week for feedback - Recursive lookups on references (CNAB -> Helm -> Image) is probably best left to a client side implementation to avoid server-side DoS attacks. (Brandon) - It would be helpful for a lookup of signatures on an image to include the contents of the multiple signatures, rather than only a list of descriptors that needs to be queried separately (reducing the number of round trips to find a usable signature). (Brandon) - SPIFFE/Spire - Marco - could we use this for a deferred signing solution. Not sure how this would work with keys that are continually rotating ## January 11, 2021 [Recording](https://www.youtube.com/watch?v=t8D5IAMmmjU) ### Attendees: - Steve Lasker (Microsoft) - Hank (quay) - Peter Engelbert (Blood Orange) - Josh Dolitsky (Blood Orange) - Rio Kierkels (University of Amsterdam: Security and Network Engineering Master Student) - Mohanad Elamin (University of Amsterdam: Security and Network Engineering Master Student) - Marco Franssen (Philips - Research) - _add yourself_ ### Agenda Items: - Update on prototypes - Conflict process - _add your topics_ ### Notes: - GPG support vs. x509? - GitHub issue: https://github.com/notaryproject/nv2/issues/21 - Conflict Process Today, the referenced conversations are captured in incomplete hackmd.io notes, or recording videos. While captured, these aren't fairly searchable. Now that we have a baseline of content in the git repos: - https://github.com/notaryproject/requirements - https://github.com/notaryproject/requirements/blob/main/scenarios.md We committed in the meeting today to capture the specific items as PRs and issues. The git history will be better for search and resolution. ## January 4, 2021 [Recording](https://www.youtube.com/watch?v=4xvko9Zjtb8) ### Attendees: - Steve Lasker (Microsoft) - Niaz Khan (AWS) - Justin Cormack (Docker) - Brandon Mitchell (self) - Marco Franssen (Philips - Research) - Marina Moore (NYU) - Santiago Torres-Arias (Purdue) - Trishank Karthik Kuppusamy (Datadog) - Garry Ing (VMware) - _add yourself_ ### Agenda Items: - Open discussion pertaining to the SolarWinds exploit and how Notary v2 would pertain and what we could/should add to our scope. Based on the publicly disclosed info, the build system appears to have been exploited. Source code was not exploited, but we all know the extent of what is capable in a build environment. - Were packages exploited? - Were additional packages injected? - Was the build environment locked down to not allow external sources/packages to be pulled in? - Where do the scripts that replicate the builds originate from? - What verification systems were in place to validate what went in is what came out? - _add your topics_ ### Notes: Open discussion on the SolarWinds attack, and what could have been done to mitigate, based on what we know about the attack and what we know about build systems. - Trishank Kuppusamy The Trusting Trust attack, exactly, Steve From santiago torres to Everyone: 09:54 AM to add: xcodeghost was an attack like that. A compiler that injected malware in popular iOS apps (one was angry birds iirc) - Ian McMillan Totally agree with what Marina is saying here. At the very least, supporting TUF and in-toto and/or SBOM would increase the cost to compromise and reduce the cost/velocity of post-compromise investigations. - santiago torres Agreed! I also wanted to add taht there are other exciting solutions: using keylime (TPM+Kernel IMA) and embedd this information inside of in-toto attestations to verify the integrity of buildservers - Marco Franssen Joined a bit late, but hearing the last 40 minutes I think the key point is to find a way to make it easier for others to understand these topics. Personally I also struggle to convince people that we need more then just a PKI solution to do signatures. We need simple tools to integrate in the process, preferably hard to bypass, but still easy for developers to integrate. Personally I really liked notary v1 after we added a small tool to manage the certificates. Notary v2, in-toto can pull this further. Make it easier for developers, make it easier to understand for management to make them understand a relative low investment can save huge amounts of costs. etc. etc. - Trishank Kuppusamy 100% @Marco - Marco Franssen Shouldn’t we pull this even further then just OCI registries. Many things before we reach a Docker build phase would benefit from notary as well. Supporting other registry types, npm, gradle, nuget, go modules etc. Would add a lot of value, probably even more if adding in-toto in the mix to verify images came from those registries. Info about the SolarWinds attack: - https://www.sec.gov/Archives/edgar/data/0001739942/000162828020017451/swi-20201214.htm - https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/ - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ - https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth # Archived Notes Older meeting notes have been archived to: https://github.com/notaryproject/meeting-notes # Meeting Notes Template (template for copying) ## Meeting Date ### Attendees: - _add yourself_ ### Agenda Items: - _add your topics_ ### Notes: - _meeting minutes_

    Import from clipboard

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lost their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template is not available.
    All
    • All
    • Team
    No template found.

    Create a template

    Delete template

    Do you really want to delete this template?

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in via Google

    New to HackMD? Sign up

    Help

    Documents

    Tutorials
    YAML Metadata
    Slide Example
    Book Example

    Contacts

    Talk to us
    Report an issue
    Send us email

    Cheatsheet

    Example Syntax
    Header # Header
    • Unordered List
    - Unordered List
    1. Ordered List
    1. Ordered List
    • Todo List
    - [ ] Todo List
    Blockquote
    > Blockquote
    Bold font **Bold font**
    Italics font *Italics font*
    Strikethrough ~~Strikethrough~~
    19th 19^th^
    H2O H~2~O
    Inserted text ++Inserted text++
    Marked text ==Marked text==
    Link [link text](https:// "title")
    Image ![image alt](https:// "title")
    Code `Code`
    var i = 0;
    ```javascript
    var i = 0;
    ```
    :smile: :smile:
    Externals {%youtube youtube_id %}
    LaTeX $L^aT_eX$

    This is a alert area.

    :::info
    This is a alert area.
    :::

    Versions

    Versions and GitHub Sync

    Sign in to link this note to GitHub Learn more
    This note is not linked with GitHub Learn more
     
    Add badge Pull Push GitHub Link Settings

    Version named by    

    More Less
    • Edit
    • Delete

    Note content is identical to the latest version.
    Compare with
      Choose a version
      No search result
      Version not found

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub

        Please sign in to GitHub and install the HackMD app on your GitHub repo. Learn more

         Sign in to GitHub

        HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully