Question 1

How to set up notary for signing Docker images?

Accepted Answer

Use Docker Content Trust (DCT) which integrates notary. Enable it via environment variables like DOCKER_CONTENT_TRUST, and follow the getting started docs to initialize keys and push signed images to registries.

Question 2

Notary vs GPG for software updates?

Accepted Answer

Notary uses TUF for hierarchical key management and freshness guarantees, preventing replay attacks, while GPG focuses on individual signatures without built-in update mechanisms. Notary is better for continuous distribution systems.

Question 3

How does notary handle key rotation if a key is compromised?

Accepted Answer

Notary allows publishers to update metadata to revoke compromised keys and introduce new ones using TUF's role system. This ensures security without disrupting consumers, as detailed in the survivable key compromise feature.

Question 4

Can notary be used with cloud storage like AWS S3 for distribution?

Accepted Answer

Yes, notary is distribution-agnostic and can work with any channel, including S3. However, you need to set up the notary server to serve metadata and ensure clients can access it, which may require additional configuration.

Question 5

What are the hardware requirements for running a notary server?

Accepted Answer

The README doesn't specify exact requirements, but it involves running Docker containers and storing metadata. For production, plan for scalable storage and compute to handle verification loads and key management operations.

Question 6

Is notary suitable for securing mobile app updates?

Accepted Answer

Yes, its distribution-agnostic design allows integration with app stores, but mobile clients need lightweight notary clients for verification, which may require custom implementation due to resource constraints.

Notary

What is Notary?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions