Venafi CodeSign Protect Signature and Verification Plugin for the Notation CLI.
This is a plugin that aims to be compliant with the plugin spec.
Type | Supported |
---|---|
JWS | ✔️ |
COSE Sign1 | ✔️ |
Capability | Compatibility |
---|---|
keySpec | RSA-2048 , RSA-3072 , RSA-4096 , EC-256 , EC-384 , EC-521 |
hashAlgorithm | SHA-256 |
signingAlgorithm | RSASSA-PSS-SHA-256 , ECDSA-SHA-256 |
pluginCapability | SIGNATURE_GENERATOR.ENVELOPE , SIGNATURE_VERIFIER.TRUSTED_IDENTITY , SIGNATURE_VERIFIER.REVOCATION_CHECK |
signatureEnvelopeType | application/jose+json (JWS), application/cose (COSE) |
extendedAttributes | com.venafi.notation.plugin.x5u (only generated with TPP 23.1+ for experimental identity validation support) |
signingScheme | notary.x509 |
The following summarizes the steps to configure the Venafi CodeSign Protect notation plugin and sign and verify a container image. The following steps are based off of the Notation hello-signing example.
- This plugin leverages the Venafi vSign SDK, which means you'll need to meet the pre-requisites as well as customize the config.ini in terms of
tpp_url
,access_token
, andtpp_project
. - Install notation CLI. Version v1.1.0 has been tested. Note that
make install
creates the plugin directory structure based on a MacOS environment. Update the Makefile based on your OS. It then copies the plugin to the appropriate location based on the notation plugin directory structure spec.
Install the notation-venafi-csp plugin for remote signing and verification, using the notation plugin install
command:
notation plugin install --url https://github.com/Venafi/notation-venafi-csp/releases/download/v0.3.0/notation-venafi-csp-linux-amd64.tar.gz --sha256sum 03771794643f18c286b6db3a25a4d0b8e7c401e685b1e95a19f03c9356344f5a
Adjust the --url
and --sha256sum
parameters based on the release and platform you are deploying the plugin for.
git clone https://github.com/venafi/notation-venafi-csp.git
cd notation-venafi-csp
make build
make install
- Install Docker Desktop for local docker operations
- Create and run an OCI-compatible registry on your development system using an open source registry implementation.
docker run -d -p 5001:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true --name registry registry
- Build and Push the
net-monitor
software
docker build -t localhost:5001/net-monitor:v1 https://github.com/wabbit-networks/net-monitor.git#main
docker push localhost:5001/net-monitor:v1
- Get the digest value of localhost:5001/net-monitor:v1:
docker inspect localhost:5001/net-monitor:v1 -f '{{ .Id }}'
sha256:073b75987e95b89f187a89809f08a32033972bb63cda279db8a9ca16b7ff555a
- List the image, and any associated signatures. At this point there shouldn't be any signatures
IMAGE=localhost:5001/net-monitor@sha256:073b75987e95b89f187a89809f08a32033972bb63cda279db8a9ca16b7ff555a
notation ls $IMAGE
- Create a trust policy In order to verify the container image, you need to configure the trust policy to specify trusted identities which sign the artifacts, and level of signature verification to use. Follow the Manage trust policies guide to understand and implement Notation trust policy.
{
"version": "1.0",
"trustPolicies": [
{
"name": "wabbit-networks-images",
"registryScopes": [ "*" ],
"signatureVerification": {
"level" : "strict"
},
"trustStores": [ "ca:wabbit-networks.io" ],
"trustedIdentities": [
"*"
]
}
]
}
As an example, you can use notation policy import
to import the trust policy configuration from the above JSON file:
notation policy import ./trustpolicy.json
- Obtain certificate
You should use the certificate label that matches the Venafi CodeSign Protect environment obtained using pkcs11config
:
pkcs11config getcertificate <...>
- Add the Key Id to the keys and certs
notation key add --default "vsign-rsa2048-cert" --plugin venafi-csp --id "vsign-rsa2048-cert" --plugin-config "config"="/path/to/vsign/config.ini"
notation certificate add --type ca --store example.com /path/to/chain.crt
Note: A best practice for Key Id naming would be to use the certificate label that matches the Venafi CodeSign Protect environment
- List the keys and certs to confirm
notation key list
notatation certificate list
- Sign the container image with default signature manifest as
image
notation sign --key "vsign-rsa2048-cert" $IMAGE
- Confirm that there is one signature
notation ls $IMAGE
localhost:5001/net-monitor@sha256:073b75987e95b89f187a89809f08a32033972bb63cda279db8a9ca16b7ff555a
└── application/vnd.cncf.notary.v2.signature
└── sha256:ba3a68a28648ba18c51a479145fca60d96b43dc96c6ab22f412c89ac56a9038b
- Verify the container image signature
notation verify $IMAGE
Signature verification succeeded for sha256:73b3c3f2200bc6c161663b88b1fde3b3ed486518d6b6453fccdfdbbaefa09c7b
Note: Verification does perform additional checks such as verifying the revocation status of the code signing certificate, as well as validating that the certificate does exist in CodeSign Protec via PKS for identity validation purposes when using TPP 23.1+.