Version: Next

Notation

Notation is a built-in verifier in Ratify. Notation currently supports X.509-based PKI and identities, and uses a trust store and a trust policy to decide whether a signed artifact is considered authentic.

There are two ways to configure verification certificates:

  1. verificationCerts: the Notation verifier loads all certificates from the paths listed in this array.

  2. verificationCertStores: defines a collection of Notary Project trust stores. The Notary Project specification defines a trust policy, a policy construct that specifies which identities and which trust stores are trusted to produce artifacts during verification. The names of the CertificateStore resource(s) must be given exactly as they appear in the cluster. When a CertificateStore name is specified, the Notation verifier is configured to trust all certificates fetched from that CertificateStore resource. Note: this option is NOT supported on the CLI.

NOTE: verificationCertStores supersedes verificationCerts if both fields are specified.

In the following example, the verifier's configuration references two CertificateStores, certstore-akv and certstore-akv1. Here, ca:certs is the only trust store specified, and the certs suffix corresponds to the certs certificate collection listed under verificationCertStores. Because trustedIdentities is "*", any signer whose certificate chains to a certificate in that trust store is accepted; pin x509.subject values there if only specific signers should be trusted.

Sample Notation yaml spec:

```yaml
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
  name: notation-wabbit
spec:
  name: notation
  artifactTypes: application/vnd.cncf.notary.signature
  parameters:
    verificationCertStores:
      certs:
        - certstore-akv
        - certstore-akv1
    trustPolicyDoc:
      version: "1.0"
      trustPolicies:
        - name: default
          registryScopes:
            - "*"
          signatureVerification:
            level: strict
          trustStores:
            - ca:certs
          trustedIdentities:
            - "*"
```

Configuration

Kubernetes

```yaml
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
  name: verifier-notation
spec:
  name: notation
  artifactTypes: application/vnd.cncf.notary.signature
  parameters:
    verificationCertStores: # maps a trust store to CertificateStore resources holding certificates
      certs: # name of the trust store
        - <NAMESPACE>/<CERTIFICATE STORE NAME> # namespace/name of the CertificateStore CRD to include in this trust store
    trustPolicyDoc: # policy language that indicates which identities are trusted to produce artifacts
      version: "1.0"
      trustPolicies:
        - name: default
          registryScopes:
            - "*"
          signatureVerification:
            level: strict
          trustStores:
            - ca:certs
          trustedIdentities:
            - "*"
```

| Name | Required | Description | Default Value |
|---|---|---|---|
| verificationCerts | no | An array of strings. The Notation verifier loads all certificates from the paths listed in this array. | "" |
| verificationCertStores | no | Defines a collection of certificate store objects. This property supersedes the paths defined in verificationCerts. Not supported on the CLI. | "" |
| trustPolicyDoc | yes | Trust policy is a policy language that indicates which identities are trusted to produce artifacts. | "" |

CLI

```json
{
  "store": {
    "version": "1.0.0",
    "plugins": [
      {
        "name": "oras"
      }
    ]
  },
  "policy": {
    "version": "1.0.0",
    "plugin": {
      "name": "configPolicy",
      "artifactVerificationPolicies": {
        "application/spdx+json": "all"
      }
    }
  },
  "verifier": {
    "version": "1.0.0",
    "plugins": [
      {
        "name": "notation",
        "artifactTypes": "application/spdx+json",
        "verificationCerts": [
          "/usr/local/ratify-certs/notation/truststore"
        ],
        "trustPolicyDoc": {
          "version": "1.0",
          "trustPolicies": [
            {
              "name": "default",
              "registryScopes": [
                "*"
              ],
              "signatureVerification": {
                "level": "strict"
              },
              "trustStores": [
                "ca:certs"
              ],
              "trustedIdentities": [
                "*"
              ]
            }
          ]
        }
      }
    ]
  }
}
```
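The Kubernetes and CLI configurations above share the same `parameters` shape, and the mistakes that matter are cross-reference mistakes: a `ca:<name>` trust store in the trust policy with no `verificationCertStores` key (or `verificationCerts` path) behind it, `verificationCertStores` silently superseding `verificationCerts`, `verificationCertStores` used on the CLI where it is unsupported, or a wildcard `trustedIdentities` that accepts every signer chaining to the store. The following linter is an added example written for this page; it is not part of Ratify or the Notary Project. The trust policy rules it checks (store references of the form `<type>:<name>` with type `ca`, `signingAuthority` or `tsa`; `*` must be the only entry in `registryScopes` or `trustedIdentities`; non-empty stores and identities unless the level is `skip`) come from the Notary Project trust policy specification. Its assumption that `verificationCerts` backs the trust store named `certs` is inferred from the CLI sample above, which pairs `verificationCerts` with `ca:certs`. The sample configurations embedded in it are constructed.

```python
"""Lint the `parameters` of a Ratify Notation verifier (Kubernetes spec or CLI plugin).

Added example for this page, not Ratify/Notary code. Findings are (severity, message).
"""
import json

TRUST_STORE_TYPES = {"ca", "signingAuthority", "tsa"}     # Notary Project trust store types
VERIFICATION_LEVELS = {"strict", "permissive", "audit", "skip"}
IDENTITY_TYPES = {"x509.subject"}                         # only identity type in trust policy 1.0


def lint_notation_parameters(params, cli=False):
    """Return findings for one verifier's parameters; `cli=True` applies CLI-only rules."""
    findings = []
    certs = params.get("verificationCerts") or []
    stores = params.get("verificationCertStores") or {}

    if cli and stores:
        findings.append(("error", "verificationCertStores is not supported on the CLI; use verificationCerts"))
    if certs and stores:
        findings.append(("warning", "verificationCertStores supersedes verificationCerts; those paths are ignored"))

    # Trust store names that actually have certificates behind them. The flat
    # verificationCertStores form keys stores by name only. Assumption (from the
    # CLI sample on the page): verificationCerts populates the store named "certs".
    backed = set(stores)
    if certs and not stores:
        backed.add("certs")

    doc = params.get("trustPolicyDoc")
    if not doc:
        return findings + [("error", "trustPolicyDoc is required")]
    if doc.get("version") != "1.0":
        findings.append(("error", f"unsupported trustPolicyDoc version {doc.get('version')!r}"))

    seen = set()
    for policy in doc.get("trustPolicies", []):
        name = policy.get("name", "<unnamed>")
        if name in seen:
            findings.append(("error", f"{name}: duplicate trust policy name"))
        seen.add(name)

        scopes = policy.get("registryScopes", [])
        if not scopes:
            findings.append(("error", f"{name}: registryScopes must not be empty"))
        elif "*" in scopes and len(scopes) > 1:
            findings.append(("error", f"{name}: registryScopes '*' must be the only entry"))

        level = policy.get("signatureVerification", {}).get("level")
        if level not in VERIFICATION_LEVELS:
            findings.append(("error", f"{name}: unknown signatureVerification level {level!r}"))
        if level == "skip":
            findings.append(("warning", f"{name}: level 'skip' disables signature verification for its scopes"))
            continue  # stores and identities are not consulted when skipping

        trust_stores = policy.get("trustStores", [])
        if not trust_stores:
            findings.append(("error", f"{name}: trustStores must not be empty unless level is 'skip'"))
        for ref in trust_stores:
            store_type, sep, store_name = ref.partition(":")
            if not sep or store_type not in TRUST_STORE_TYPES:
                findings.append(("error", f"{name}: trust store {ref!r} must be '<type>:<name>' with a known type"))
            elif store_name not in backed:
                findings.append(("error", f"{name}: trust store {ref!r} has no certificates behind it"))

        idents = policy.get("trustedIdentities", [])
        if not idents:
            findings.append(("error", f"{name}: trustedIdentities must not be empty unless level is 'skip'"))
        elif "*" in idents:
            if len(idents) > 1:
                findings.append(("error", f"{name}: trustedIdentities '*' must be the only entry"))
            findings.append(("warning", f"{name}: trustedIdentities '*' trusts every signer chaining to the store"))
        else:
            for ident in idents:
                itype, sep, value = ident.partition(":")
                if not sep or itype.strip() not in IDENTITY_TYPES or not value.strip():
                    findings.append(("error", f"{name}: identity {ident!r} must look like 'x509.subject: <DN>'"))
    return findings


def lint_cli_config(config_text):
    """Lint every `notation` verifier plugin in a Ratify CLI config; keyed by plugin index."""
    config = json.loads(config_text)
    plugins = config.get("verifier", {}).get("plugins", [])
    return {i: lint_notation_parameters(p, cli=True) for i, p in enumerate(plugins) if p.get("name") == "notation"}


# Constructed samples. GOOD mirrors the page's Kubernetes example; BAD mixes both
# certificate sources and references a trust store that nothing backs.
POLICY = {"name": "default", "registryScopes": ["*"], "signatureVerification": {"level": "strict"},
          "trustStores": ["ca:certs"], "trustedIdentities": ["*"]}
GOOD_PARAMS = {"verificationCertStores": {"certs": ["default/certstore-akv"]},
               "trustPolicyDoc": {"version": "1.0", "trustPolicies": [POLICY]}}
BAD_PARAMS = {"verificationCerts": ["/usr/local/ratify-certs/notation/truststore"],
              "verificationCertStores": {"certs": ["default/certstore-akv"]},
              "trustPolicyDoc": {"version": "1.0", "trustPolicies": [dict(
                  POLICY, trustStores=["ca:akv", "certs"],
                  trustedIdentities=["x509.subject: C=US, O=Contoso", "*"])]}}
CLI_CONFIG = json.dumps({"verifier": {"version": "1.0.0", "plugins": [dict(
    {"name": "notation", "artifactTypes": "application/vnd.cncf.notary.signature"},
    verificationCerts=["/usr/local/ratify-certs/notation/truststore"],
    trustPolicyDoc={"version": "1.0", "trustPolicies": [POLICY]})]}})

if __name__ == "__main__":
    for label, findings in [("good", lint_notation_parameters(GOOD_PARAMS)),
                            ("bad (cli)", lint_notation_parameters(BAD_PARAMS, cli=True)),
                            ("cli config", lint_cli_config(CLI_CONFIG)[0])]:
        print(label)
        for severity, message in findings:
            print(f"  {severity}: {message}")
```

Run it against a Verifier resource by loading `spec.parameters` (for example with `kubectl get verifier <name> -o json`) and passing that dictionary to `lint_notation_parameters`; for a CLI `config.json`, pass the file contents to `lint_cli_config`. A clean production policy should produce no findings at all: the wildcard-identity warning is the one to act on, since with a CA trust store it means any leaf certificate the CA issues is an acceptable signer.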