Notary v2 and OCI Image Signing Standards - William Smith

Notary v2 and OCI Image Signing Standards (eBook)

The Complete Guide for Developers and Engineers
eBook download: EPUB
2025 | 1st edition
250 pages
HiTeX Press (publisher)
978-0-00-097398-6 (ISBN)
System requirements
8,48 incl. VAT
(CHF 8,25)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately

'Notary v2 and OCI Image Signing Standards'
In 'Notary v2 and OCI Image Signing Standards,' readers are guided through the evolving landscape of container image security, starting from foundational principles such as threat modeling, cryptographic integrity, and the pivotal role played by the Open Container Initiative (OCI) in standardizing best practices for secure software supply chains. The book carefully traces the history and drivers behind image signing, contextualizing the regulatory and compliance demands that shape this critical aspect of cloud-native security.
The core of the book meticulously dissects the architecture and protocol design of Notary v2, offering deep insights into its motivations, trust models, signature representation, and extensibility features. It further explores the intricacies of the OCI Image Signing Specification, including signature payload structures, multi-platform considerations, and robust policy enforcement mechanisms. Extensive attention is given to key management, delegation strategies, and integration with enterprise-grade security solutions such as hardware security modules and cloud KMS, ensuring a well-rounded understanding of trust and secure operations throughout the image lifecycle.
Strategically oriented toward practical adoption, the book addresses workflows for signature distribution, validation in both cloud and air-gapped environments, integration into DevOps pipelines, and advanced attack mitigation strategies. Real-world case studies and best practices serve to demystify operational challenges, migration from earlier standards, and ecosystem tooling. Finally, the narrative expands to emerging frontiers, such as attestations, SBOM integration, decentralized models, and the evolving interplay between standards bodies and open source communities, positioning readers at the cutting edge of artifact security and governance.

Chapter 2
Notary v2: Architecture and Protocol Design


Unlock the intricate world behind Notary v2—a transformative leap in container image signature management that addresses the critical shortcomings of its predecessors. This chapter peels back the curtain on how advanced architectural decisions, modular protocol layers, and granular trust models converge to create a next-generation framework for verifiable, extensible, and policy-driven image security. Whether you are architecting at cloud scale or dissecting the confines of secure code delivery, this deep dive reveals how Notary v2 achieves a powerful synthesis of security, usability, and adaptability.

2.1 Motivations for Notary v2


The evolution of container image signing mechanisms reflects an ongoing response to the practical and security challenges faced by organizations and developers. Notary v1, introduced as part of the TUF (The Update Framework) ecosystem, alongside Docker Content Trust (DCT), represented early efforts to ensure the integrity and provenance of container images. However, the operational experience and feedback from diverse end-user environments revealed fundamental limitations and pain points that constrained their broader adoption and effectiveness. These issues galvanized the need for a reimagined, extensible, and interoperable signing architecture embodied in Notary v2.

A primary limitation with Notary v1 lay in its architectural complexity and operational overhead. While the use of TUF principles ensured strong cryptographic guarantees against a variety of attack vectors, including key compromise and replay attacks, the system relied on a set of specialized metadata stores and a centralized trust server. This approach introduced challenges around horizontal scalability and high availability, as the Notary server became a single point of failure and performance bottleneck under heavy workloads. Organizations operating large-scale DevOps pipelines reported bottlenecks during continuous deployment processes, where the latency of signature verification conflicted with rapid iteration cycles. The metadata format and repository actions also imposed cumbersome procedures for image publishers, limiting seamless integration with existing container registries.

Docker Content Trust, built on Notary v1, while improving end-user experience by integrating signing commands into the Docker CLI, inherited many of these constraints. Furthermore, DCT’s client-server model abstracted away the underlying cryptographic primitives, providing a degree of opacity that limited flexibility. End-users often expressed difficulty in customizing trust policies or integrating alternative identity systems. In particular, enterprises deploying multitenant registries or implementing fine-grained access controls found it challenging to reconcile DCT’s trust models with their internal governance frameworks. The inflexibility around supporting multiple signature formats or evolving cryptographic algorithms further hampered long-term maintainability.

Security demands also evolved rapidly during the early adoption phases. The threat landscape underscored the necessity for robust trust delegation and revocation capabilities, which were only partially addressed in Notary v1. For example, in multi-actor organizations, delegating signing authority securely to different teams or automation systems required complex key management workflows. Additionally, the reliance on static root keys created hurdles for key rotation and recovery in the event of compromise. Such limitations exposed organizations to extended risk windows and undermined confidence in end-to-end supply chain security. Feedback from security practitioners emphasized the need for a transparent yet flexible framework that could incorporate emerging standards for cryptographic signatures, including support for multiple signature schemes like COSE and integration with hardware security modules (HSMs).

From an extensibility standpoint, both Notary v1 and Docker Content Trust struggled to keep pace with the diverse registries and artifact types forming the foundation of modern cloud-native ecosystems. The increasing adoption of OCI (Open Container Initiative) image specifications and the expansion of artifacts beyond container images, such as Helm charts, software bills of materials (SBOMs), and custom metadata, exposed tight coupling in the original systems. Users demanded a uniform signing and verification interface applicable across artifact types and repository implementations. The inability to natively support multiple registries without extensive customization created deployment complexity, often requiring parallel trust systems that increased the cognitive and operational load on teams.

Moreover, user-centric challenges exacerbated adoption friction. The technical sophistication required to operate Notary v1 servers and manage the associated cryptographic material proved onerous for smaller teams and individual developers. The CLI tooling, while functional, lacked polish in error reporting and usability, making troubleshooting difficult during signature failures. Consequently, this hampered broad developer engagement and contributed to incomplete adoption of signing best practices. Continuous integration pipelines often circumvented signing steps altogether, negating security benefits and increasing exposure to supply chain tampering.

Taken together, these limitations articulate a compelling case for a next-generation solution that prioritizes scalability, usability, interoperability, and security in equal measure. Notary v2 emerges as a direct response to these pain points by adopting a modular architecture that decouples signature management from provenance storage, leveraging OCI standards for metadata representation and transport. It facilitates seamless integration with heterogeneous registries and artifact types, enabling consistent enforcement of trust policies across the software supply chain. By supporting multiple signature formats and cryptographic algorithms, Notary v2 empowers organizations to evolve their security posture without disruptive rebuilds.

In addition, the design of Notary v2 embraces cloud-native principles by enabling decentralized trust models and simplified key management workflows, minimizing operational overhead while enhancing resilience. Strong emphasis on developer experience ensures clear diagnostics, straightforward tooling, and flexible extensibility points, broadening the reach of image signing practices into diverse DevOps environments. Collectively, these driving forces underpin the vision of Notary v2 as a scalable, user-friendly, and interoperable signature framework, addressing critical gaps identified in its predecessors and aligning with the evolving demands of modern software delivery ecosystems.

2.2 Core Components and Their Interactions


The Notary v2 architecture decomposes trust and integrity mechanisms into four fundamental components: signers, verifiers, policy engines, and registries. Each of these entities plays a discrete role within the system, collectively forming a modular framework that enables robust content signing, verification, policy enforcement, and registry management. The design emphasizes clear interfaces and extensibility, accommodating diverse deployment needs and evolving security requirements.

Signers are responsible for generating cryptographic signatures over defined content, in particular container images or binaries, thus asserting the authenticity and provenance of artifacts. The core functionality of a signer involves computing digital signatures using private cryptographic keys under specified algorithms and producing metadata that captures the signature format, cryptographic parameters, and signing context.

Notary v2 abstracts signer implementations behind a pluggable interface. This abstraction allows integration of various signing backends, including hardware security modules (HSMs), cloud-based key management services, or local software keystores. The interaction with signers is typically one-way: the signer accepts a payload and signing directives, then returns a signature envelope conforming to agreed-upon standard formats such as COSE or CMS. The pluggability enables seamless adoption in heterogeneous environments without modifying the core system.

interface Signer { 
...
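The signer/verifier split described above, as an added example that is not code from the book or from the Notary project: a pluggable Signer interface with one in-memory ECDSA backend, a verifier that checks the signature under a trusted key, and the binding of the signature to the exact artifact descriptor being consumed. The Signer interface, the Descriptor and Envelope types, and the "build-pipeline" signing context are assumptions made for this illustration; a standardised envelope format such as COSE would take the place of the ad-hoc Envelope struct in practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Descriptor is a minimal stand-in for an OCI content descriptor, the
// subject an image signature is computed over (constructed for this example).
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

// Envelope is a hypothetical signature envelope: the signed payload plus the
// metadata the chapter lists (algorithm and signing context).
type Envelope struct {
	Payload   []byte `json:"payload"`
	Algorithm string `json:"alg"`
	SignerID  string `json:"signer"`
	Signature []byte `json:"sig"`
}

// Signer is the pluggable interface (hypothetical, not the project's API).
// An HSM or cloud KMS backend would implement the same two methods.
type Signer interface {
	Algorithm() string
	Sign(desc Descriptor) (Envelope, error)
}

// SoftwareSigner is one Signer backend: an ECDSA P-256 key held in memory.
type SoftwareSigner struct {
	key *ecdsa.PrivateKey
	id  string
}

// NewSoftwareSigner generates a fresh key; id names the signing context.
func NewSoftwareSigner(id string) (*SoftwareSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SoftwareSigner{key: key, id: id}, nil
}

func (s *SoftwareSigner) Algorithm() string { return "ES256" }

// Public returns the key a verifier must be configured to trust.
func (s *SoftwareSigner) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign serialises the descriptor as the payload and signs its SHA-256 digest.
func (s *SoftwareSigner) Sign(desc Descriptor) (Envelope, error) {
	payload, err := json.Marshal(desc)
	if err != nil {
		return Envelope{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, h[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Algorithm: s.Algorithm(), SignerID: s.id, Signature: sig}, nil
}

// Verify is the verifier side: reject unknown algorithms, check the signature
// under the trusted key, then confirm the signed payload describes exactly the
// artifact about to be consumed so an envelope cannot be replayed onto another image.
func Verify(env Envelope, trusted *ecdsa.PublicKey, expected Descriptor) error {
	if env.Algorithm != "ES256" {
		return fmt.Errorf("unsupported algorithm %q", env.Algorithm)
	}
	h := sha256.Sum256(env.Payload)
	if !ecdsa.VerifyASN1(trusted, h[:], env.Signature) {
		return errors.New("signature does not verify under the trusted key")
	}
	var signed Descriptor
	if err := json.Unmarshal(env.Payload, &signed); err != nil {
		return err
	}
	if signed != expected {
		return errors.New("signed descriptor does not match the artifact being verified")
	}
	return nil
}

func main() {
	sw, err := NewSoftwareSigner("build-pipeline") // constructed signing context
	if err != nil {
		panic(err)
	}
	desc := Descriptor{ // constructed sample descriptor
		MediaType: "application/vnd.oci.image.manifest.v1+json",
		Digest:    "sha256:" + fmt.Sprintf("%064x", 0xabc),
		Size:      2048,
	}
	env, err := sw.Sign(desc)
	if err != nil {
		panic(err)
	}
	fmt.Println("same artifact:", Verify(env, sw.Public(), desc))
	other := desc
	other.Size = 4096
	fmt.Println("different artifact:", Verify(env, sw.Public(), other))
}
```

The point worth noting is the last check in Verify: a valid signature under a trusted key is not enough, the verifier must also compare the signed payload against the descriptor it is about to pull, otherwise a signature legitimately issued for one image can be attached to another.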

Publication date (per publisher) 24.7.2025
Language English
Subject area Mathematics / Computer science | Computer science | Programming languages / tools
ISBN-10 0-00-097398-X / 000097398X
ISBN-13 978-0-00-097398-6 / 9780000973986
EPUB (Adobe DRM)
Size: 667 KB

Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorised to your personal Adobe ID at download time, and you can then read it only on devices that are also registered to that Adobe ID.

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to fiction and non-fiction. The body text reflows dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the free Adobe Digital Editions software. We advise against using the OverDrive Media Console, as experience shows it frequently causes problems with Adobe DRM.
eReader: This eBook can be read on (almost) all eBook readers, but it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Buying eBooks from abroad
For tax law reasons we can only sell eBooks within Germany and Switzerland. Regrettably we cannot fulfil eBook orders from other countries.
