news open source products security Tanzu Application Catalog

Tanzu Application Catalog Leverages Notation to Deliver Stronger Software Supply Chain Security

Tanzu Application Catalog, the enterprise edition of Bitnami Application Catalog, extends its software supply chain security capabilities by leveraging Notation, in addition to Cosign, for signing and verifying Open Container Initiative (OCI) artifacts (container images, Helm charts, and metadata bundles). Notation is a CLI project that enables adding signatures as standard items in the OCI registry ecosystem and building a set of simple tooling to sign and verify these signatures. Notation is an implementation of the Notary Project specifications and is a CNCF incubating project

In this blog post, we explain how Notation is used by Tanzu Application Catalog to sign OCI artifacts and the benefits our customers stand to reap because of it. In addition, we walk through the process of verifying the signature of any OCI artifact delivered by Tanzu Application Catalog. 

Benefits of signing OCI artifacts with Notation

Supporting Notation signature in Tanzu Application Catalog paves the way for the following:

  • Ensure content integrity – By signing our OCI artifacts using Notation, we can guarantee the integrity of the OCI artifacts we deliver. The signatures generated by Notation are based on the content, creating a unique fingerprint for each version of the artifact. Any tampering with the OCI artifact will result in a failed verification, alerting users to potential security threats.

  • Verify authenticity – Knowing the source of your OCI artifacts is crucial for security and compliance. Notary Project signatures provide a way to verify the authenticity of the artifacts by confirming the identity of the signer. This ensures that your applications are built from trusted sources–Tanzu Application Catalog–reducing the risk of deploying compromised or malicious software.

  • Interoperability across tools and platforms – Notation plays a crucial role in standardizing the representation of signatures. This standardization enables interoperability across different tools and platforms that support the OCI image format without being tied to a specific ecosystem.

Notation, with its standards-based tooling for signing and verifying artifacts, helps Tanzu Application Catalog achieve improved security while delivering compliant open source software artifacts for mission-critical production use cases.

Signing with Notation in Tanzu Application Catalog

Notation signature specification aims to be signature envelope format agnostic, supporting CBOR Object Signing and Encryption (COSE) and JSON Web Signature (JWS). 

The signature is stored in an OCI Distribution-conformant registry. The signature manifest has a configuration media type that specifies it's a Notary Project signature, a subject referencing the manifest of the artifact being signed, a layer referencing the signature, and a collection of annotations.

Diagram showing Notary project signature specification

Tanzu Application Catalog, in addition to supporting Cosign, now implements the Notation signature and signs every single OCI artifact that is built to spec for each customer. This includes not only container images and Helm charts but also any metadata bundles like Vulnerability Exploitable eXchange (VEX) documentation, software bills of materials (SBoMs), CVE scans, and test results associated with the OCI artifact. Finally, all these built-to-spec OCI artifacts are pushed to customer registries, ready to be verified before deployment.

Tanzu Application Catalog supports different registries like Harbor Registry, Google Container Registry, Google Artifact Registry, Azure Container Registry, Amazon Elastic Container Registry, or Harbor, among others. Harbor, in particular, stands out for its seamless integration of Notation signature into its user interface (UI), offering users a transparent and intuitive way to verify the authenticity and integrity of OCI artifacts. 

Harbor user interface showing both Cosign and Notation signatures of a Tanzu Application Catalog artifact

Signature verification

Notation CLI simplifies the process of signature verification with an efficient, user-friendly interface. Designed with ease of use in mind, this command-line interface (CLI) streamlines the often complex task of verifying signatures. To locally verify the signature of an OCI artifact delivered by Tanzu Application Catalog, follow these steps:

1. Download and install Notation CLI. Here's a sample of a trustpolicy.json file:

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "Tanzu Application Catalog",
            "registryScopes": [ "*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:VMware" ],
            "trustedIdentities": [
              "*"
            ]
        }
    ]
}

2. Add the Tanzu Application Catalog Root CA certificate:

$ notation cert add --type ca --store VMware rootCA.crt

3. Import the trust policy:

$ notation policy import trustpolicy.json

4. Verify any OCI artifact in your registry from Tanzu Application Catalog:

$ notation verify harbor-repo.vmware.com/vacpmdemo/containers/debian-11/airflow:2.7.3-debian-11-r1

Successfully verified signature for
harbor-repo.vmware.com/vacpmdemo/containers/debian-11/airflow@sha256:
ef612f4c708c6ef68d834380826c234ccb817e37331d4e237b670ec821df3a93

Metadata like VEX, SBoMs, CVE scan results, or test reports associated with each application are also signed with Notation and can be verified as follows:

$ notation verify harbor-repo.vmware.com/vacpmdemo/containers/debian-11/airflow:2.7.3-metadata

Successfully verified signature for
harbor-repo.vmware.com/vacpmdemo/containers/debian-11/airflow@sha256:
5a6ecc204e5ff212ebe717db56b307734bab695496efbf8d95e66ddaaabd1133

Conclusion

Securing your modern applications and infrastructure requires a proactive approach to address potential threats. Signing and verifying OCI artifacts is becoming a critical part of this proactive approach. Up until now, Tanzu Application Catalog has provided signature verification for (OCI) artifacts (container images, Helm charts, and metadata bundles) through Cosign. By leveraging Notation, Tanzu Application Catalog provides enterprises with an additional tool to efficiently deliver signed and verifiable OCI artifacts, adding a layer of trust to their software supply chain. By adopting these tools, enterprises can not only enhance the security of their applications but also build a more reliable tech ecosystem, paving the way for innovation and growth.

If you are interested in knowing more about the Notary Project, check out their website.

If you are interested in learning more about Tanzu Application Catalog in general, check out the product webpage, Tech Zone page, technical documentation, and additional resources. If you would like to get in touch, contact us.