This repository provides an implementation of
The Update Framework specification
and all references to notary
in this repository refer to the implementation of the client
and server aligning with the TUF specification.
The most prominent use of this implementation is in Docker Content Trust (DCT).
The first release v0.1 was released in November, 2015.
This repository comprises of a server and a client for running and interacting with trusted collections. See the service architecture documentation for more information.
The aim is to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server, which is inherently flawed, as any compromise of the server enables malicious content to be substituted for the legitimate content.
Publishers can sign their content offline using keys kept highly
secure. Once the publisher is ready to make the content available, they can
push their signed trusted collection to the notary
server.
Consumers, having acquired the publisher's public key through a secure channel,
can then communicate with any notary
server or (insecure) mirror, relying
only on the publisher's key to determine the validity and integrity of the
received content.
The notary
client and server is based on The Update Framework, a secure general design for the problem of software distribution and updates. By using TUF, the notary
client and server achieves a number of key advantages:
Any security vulnerabilities can be reported to security@docker.com.
See service architecture docs for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
Below are the two public security audits:
notary
client and server.notary
client and server.Get the notary
client CLI binary from the official releases page or you can build one yourself.
The version of the notary
server and signer should be greater than or equal to notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.
To use the notary CLI with Docker hub images, have a look at notary's getting started docs.
For more advanced usage, see the advanced usage docs.
To use the CLI against a local notary
server rather than against Docker Hub:
Ensure that you have docker and docker-compose installed.
git clone https://github.com/theupdateframework/notary.git
and from the cloned repository path,
start up a local notary
server and signer and copy the config file and testing certs to your
local notary config directory:
$ docker-compose build
$ docker-compose up -d
$ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
Add 127.0.0.1 notary-server
to your /etc/hosts
, or if using docker-machine,
add $(docker-machine ip) notary-server
).
You can run through the examples in the
getting started docs and
advanced usage docs, but
without the -s
(server URL) argument to the notary
command since the server
URL is specified already in the configuration, file you copied.
You can also leave off the -d ~/.docker/trust
argument if you do not care
to use notary
with Docker images.
To prevent mistakes in vendoring the go modules a buildscript has been added to properly vendor the modules using the correct version of Go to mitigate differences in CI and development environment.
Following procedure should be executed to upgrade a dependency. Preferably keep dependency upgrades in a separate commit from your code changes.
go get -u github.com/spf13/viper
buildscripts/circle-validate-vendor.sh
git add .
git commit -m "Upgraded github.com/spf13/viper"
The buildscripts/circle-validate-vendor.sh
runs go mod tidy
and go mod vendor
using the given version of Go to prevent differences if you are for example running on a different version of Go.
Note that the latest stable release is at the head of the releases branch. The master branch is the development branch and contains features for the next release.
Prerequisites:
Set GOPATH
. Then, run:
$ export GO111MODULE=on
$ go get github.com/theupdateframework/notary
# build with pkcs11 support by default to support yubikey
$ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary
$ notary
To build the server and signer, run docker-compose build
.
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。