Disclaimer
This text shouldn’t be attempting to check the professionals & cons between Cosign and Notary. Somewhat, it’s a sharing that you need to opt-in Cosign if in case you have some technical wants like I do.
I additionally connected some web sites on the finish of this text. I like to recommend you to learn these web sites earlier than you progress on.
Introduction
You is perhaps heard of SolarWinds hack and you realize what’s Software program Provide Chain Assault. And so-called software program can embody libraries, linux packages, plugins, and so forth.
As there are various softwares distributed each single second worldwide, it turns into a scorching matter that how we will belief the software program we downloaded is protected. One concept is that we would like somebody we belief to make a declare by signing their signiture to the software program. And everytime we wish to obtain/replace the software program, we are going to verify whether or not the signiture exists.
For instance:
- Software program authors can signal the software program to assert that it’s a authroized launch.
- Secuirty auditors can signal the software program to assert that it has handed their secuirty audit.
- Inhouse secuirty group can signal the software program to assert that it’s authroized for use inside the corporate.
One of many main software program kind that we’re so familar are container photos. Cosign and Notary each are mainstream options for signing container photos.
There are Notary/v1 and Notary/v2. Notary/v2 shouldn’t be prepared for normal use so I will not speak a lot about it. On this article, if you see the time period Notary, I’m referring to Notary/v1.
Issues
In a position to signal any OCI artifacts
Previously, after we say we publish one thing to the registry, we all the time seek advice from container photos. Nonetheless it doesn’t apply anymore. These days many fashionable registries are OCI suitable, the place we’re free to retailer any OCI artifacts. And extra amazingly, any arbitary file will be saved as an OCI artifact. Theotically, you possibly can even retailer a video to OCI registries.
If you’re engaged on K8S cluster, you need to be familar with helm charts. And sure, you possibly can retailer helm charts to OCI regitry. It’s critical as a result of we will reuse the CI/CD mindset that we apply to docker photos, to helm charts. It really works like a allure after we pair with GitOps.
So now you might be so care in regards to the security of your software program provide chain, and it’s pure that you really want all container photos to be signed. What about helm charts? You most likely need helm charts to be signed too. (I hope nobody will suppose that unauthorized launch of helm charts is trivial.)
Now I can let you know that you need to simply go for Cosign and go away Notary alone. Why? Notary solely can be utilized to signal container photos, not OCI artifacts.
In further to helm charts, you possibly can retailer SBOMs, picture scanning outcomes as OCI artifacts together with your container photos. The use instances of OCI are excess of you possibly can think about.
OK. You would possibly inform me that you don’t use helm charts in any respect. Then do you have to nonetheless contemplate Notary? Proceed to learn the next part.
Operation pleasant
So now you wish to signal your container photos. Definately you wish to do it in a automation model (please agree on me). And I can let you know that Cosign is completely higher than Notary with little doubt.
Cosign itself is a binary. You may set up it utilizing any bundle managers like homebrew and apt. It additionally means you need to use it in any CI/CD answer like Github Actions, Azure Pipeline by including a step to put in it.
To make use of Cosign, you simply want to make use of Cosign to generate a keypair in native surroundings, then you definitely retailer the non-public key as a secret inside your CI/CD platform. After which use Cosign to run signal command. Easy!
cosign generate-key-pair
cosign signal --key cosign.key dlorenc/demo
Quite the opposite, Notary requires you to self-host a Notary service.
Listed below are some details you need to know.
Studying Curve
Notary relies on the TUF framework. TUF is highly effective. The choice phrase of highly effective is difficult. You need to perceive how TUF works to make a correct use of Notary.
After you may have spend (a lot) time to know TUF nicely, are you prepared to teach your customers what TUF is?
Setup complexity
A Notary service consists of Notary server, Notary signer, Notary consumer, MySQL database. Some folks would possibly argue that the setup is straightforward. Nonetheless be conscious of Cosign, it simply requires you to put in a binary.
And also you additionally have to setup MTLS between Notary server and Notary signer. It may not be an enormous problem, however it’s nonetheless an effort you need to take note of.
Operation burden
How are you going to deal with in case your Notary service is unavailable? Your pipelines is perhaps damaged when it could actually’t confirm signiture of the container photos.
A few of you is perhaps so skilled in designing a HA answer, and may taking a excellent care of the MySQL database in case of area outage. Nonetheless, this operation burden shouldn’t be a chunk of cake to a lot of the engineers.
Community connectivity
Notary service is crucial. Except you might be releasing container photos to the general public, likely you might be internet hosting Notary as an internal-facing service to cut back assault floor.
If you’re utilizing public employee in your CI/CD answer, now you must deploy some self-hosted staff such that it could actually attain your Notary service.
Secret administration
You need to handle a set of secrets and techniques, comparable to TLS certificates and TUF keys.
For Cosign, you additionally have to handle the non-public key. It’s a lot less complicated that Notary.
After studying these details, you possibly can take into consideration is the benefit of Notary outweight the trouble you spend on it?
To me, the reply is NO.
Conclusion
Though I decide in for Cosign, I don’t suppose Notary is dangerous. As I’ve talked about, TUF (Notary) is highly effective. In case your group have assets to well-study TUF and wish to safe container picture provide chain as a lot as doable, utilizing Notary is an effective option to you. And I do encourage folks to be taught what TUF is even you don’t use Notary.
Sooner or later, I’ll write one other article to clarify how you need to use Cosign to safe helm chart K8S deployment.
Enjoyable
Notary/v2
There are different points include Notary/v1. For this reason Notary/v2 challenge is proposed. Notary/v2 has launched its first alpha model, the implementation is named Notation. Personally, I feel the person expertise of utilizing Notary/v2 is so just like Cosign.
Attempt Notary/v1
DockerHub is internet hosting an offcical Notary server in https://notary.docker.io and you’ll confirm all offical revealed photos listed in here.
Verifying offical alpine picturenotary -s https://notary.docker.io -d ~/.docker/belief checklist docker.io/library/alpine
Readings
What is OCI?
What is SBOMs?
Publish helm charts to AWS ECR
What is TUF?
Notary/v2 v.s Notary/v1
Notary/v2 v.s. Cosign