Written by Beltran Rueda Borrego and Bala Bharathy U. This blog was originally published on Bitnami blogs.
Bitnami-packaged open source software container images and Helm charts available in DockerHub are now signed by Notation, a Cloud Native Computing Foundation (CNCF) incubating project.
In December, 2023, we announced that VMware Tanzu Application Catalog, the enterprise edition of Bitnami Application Catalog, started making use of Notation as a tool for signing and verifying the open container initiative (OCI) artifacts (e.g. container images, Helm charts, and metadata bundles) that we deliver. Now, we’re happy to announce the extension of this capability to the community edition of Bitnami-packaged container images in DockerHub as well.
Read on to discover more about Notation, how you stand to benefit from this integration, and how you can verify the Notation signatures in Bitnami packages.
What is Notation?
Docker developed the Docker Content Trust (DCT), a.k.a. Notary V1, in 2015 and subsequently donated it to the CNCF. Notary V1 allows users to sign and verify container images while ensuring the integrity and authenticity of specific image tags through client-side or runtime verification. Notary v1 functions by adding the user's public key to the registry and signing the image with the key's private counterpart before uploading it. Users can then verify the image by comparing the public key against the registry command group's pulled data.
The updated and enhanced Notation seeks to improve upon the shortcomings of DCT or Notary v1. Now users can create and incorporate their own implementations of the specifications into workflows for signing and verifying multiple OCI artifacts (such as software bill of materials, scan results, and container images) using Notation. It’s intended to serve as a cross-registry, cross-industry standard for signing and validating any registry artifact or OCI image. Notation is an implementation of the Notary Project specifications and is a CNCF incubating project.
Benefits of signing Bitnami images with Notation
There are several benefits of signing Bignami images with Notation, including the ability to:
- Ensure content integrity—By signing our container images with Notation we can guarantee the integrity of the software we deliver. The signatures generated by Notation are based on the content, creating a unique fingerprint for each version of the artifact. Any tampering with the container will result in a failed verification, alerting users to potential security threats.
- Verify authenticity—Knowing the source of the open source software you use is critical for security and compliance. Notary Project signatures provide a way to verify the authenticity of the artifacts by confirming the identity of the signer. This ensures that your applications are built from trusted sources—Bitnami—reducing the risk of deploying compromised or malicious software.
- Support interoperability across tools and platforms—Notation plays a vital role in standardizing the representation of signatures. This standardization enables interoperability across different tools and platforms that support the OCI image format without being tied to a specific ecosystem.
Signature verification
To locally verify the signature of a Bitnami-packaged container image, follow the steps below:
-
Download the “rootCA.cert” file from https://app-catalog.vmware.com/.well-known/notationCA.crt.
-
Download and install the Notation CLI for your platform from the official releases from https://github.com/notaryproject/notation/releases.
-
Add the VMware Tanzu Application Catalog Root CA certificate:
$ ./notation cert add --type ca --store VMware notationCA.crt
-
Import the trust policy:
$ ./notation policy import trustpolicy.json
This is an example of the trustpolicy.json file:
{
"version": "1.0",
"trustPolicies": [
{
"name": "VMware Tanzu Application Catalog",
"registryScopes": [ "*" ],
"signatureVerification": {
"level" : "strict"
},
"trustStores": [ "ca:VMware" ],
"trustedIdentities": [
"*"
]
}
]
}
-
Verify the signature of a container image of Helm chart and check the latest available version or tag from DockerHub.
./notation verify docker.io/bitnami/wordpress:6.4.3-debian-12-r20
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:6.4.3-debian-12-r20) because resolved digest may not point to the same signed artifact, as tags are mutable.
Successfully verified signature for docker.io/bitnami/wordpress@sha256:4c93c6a8b06ab87c7d5b54d58684157b32cb69e466b9330e7c6460331ff663aa
-
Use the digest directly.
./notation verify docker.io/bitnami/wordpress@sha256:4c93c6a8b06ab87c7d5b54d58684157b32cb69e466b9330e7c6460331ff663aa
Successfully verified signature for docker.io/bitnami/wordpress@sha256:4c93c6a8b06ab87c7d5b54d58684157b32cb69e466b9330e7c6460331ff663aa
Check out our enterprise version – VMware Tanzu Application Catalog!
If you’re interested in learning more about the enterprise edition of Bitnami Application Catalog – Tanzu Application Catalog, check out our product webpage, solution brief, and additional resources.
Are you going to be at KubeCon + CloudNativeCon Europe 2024? If so, you can learn how to reinforce your software supply chain security by joining our session, VEXintating your Container Images: The European Way, on March 21, 2024 (Thursday) at 15:25 – 16:00 CET.