Inferensys

Glossary

Content Trust

A security mechanism that uses digital signatures to ensure only authorized, untampered container images are pulled and executed within a runtime environment.
Compute infrastructure aisle representing runtime, scale, and model serving.
CRYPTOGRAPHIC SIGNATURE VERIFICATION

What is Content Trust?

A security mechanism that uses digital signatures to ensure only authorized, untampered container images are pulled and executed within a runtime environment.

Content trust is a cryptographic security framework that enforces the use of digital signatures to verify the publisher identity and integrity of a container image before a runtime pulls it. It ensures that the image has not been altered in transit and originates from a specific, authorized publisher, preventing supply chain attacks and the execution of tampered code.

This mechanism relies on a trusted delegation model where image publishers sign image manifests using private keys, and consumers configure their runtimes to only execute images signed by those trusted keys. This creates a verifiable chain of custody from the build pipeline to the production node, often implemented via tools like Notary or Cosign.

CRYPTOGRAPHIC INTEGRITY FRAMEWORK

Core Characteristics of Content Trust

Content trust establishes a verifiable chain of custody for container images through digital signatures, ensuring that only authorized, untampered artifacts are deployed in runtime environments.

01

Digital Signature Verification

Content trust relies on asymmetric cryptography where publishers sign images with a private key and consumers verify with a public key. The Notary project implements The Update Framework (TUF) to manage this trust hierarchy.

  • Signing Process: A publisher hashes the image manifest and encrypts the hash with their private key
  • Verification: The runtime decrypts the signature using the trusted public key and compares hashes
  • Key Management: TUF separates root, targets, snapshot, and timestamp keys with offline root keys for maximum security

This prevents man-in-the-middle attacks and ensures the image pulled is bit-for-bit identical to what the publisher signed.

SHA256
Signature Algorithm
TUF
Trust Framework
02

The Update Framework (TUF) Integration

TUF provides a robust key hierarchy designed to survive key compromise. It separates roles so that compromising a single online key cannot poison the entire repository.

  • Root Key: Stored offline; signs the trusted root metadata
  • Targets Key: Signs image manifests and delegations
  • Snapshot Key: Signs metadata about the latest collection of files to prevent rollback attacks
  • Timestamp Key: Signs short-lived metadata to ensure freshness and prevent freeze attacks

TUF also supports threshold signatures, requiring multiple keys to sign critical metadata, eliminating single points of failure.

4
Key Roles
Offline
Root Key Storage
03

Notary v2 and OCI Distribution

Notary v2 is the modern evolution of content trust, natively integrated with the OCI Distribution Specification. Unlike Notary v1, it stores signatures as OCI Artifacts alongside images in the same registry.

  • Signature Format: Uses JSON Web Signatures (JWS) for portability
  • Referrers API: Allows discovery of all signatures and attestations for a given image digest
  • Multi-Signature Support: Multiple parties can independently sign the same image

This architecture eliminates the need for a separate Notary server, reducing operational complexity while maintaining cryptographic guarantees.

JWS
Signature Format
OCI 1.1
Spec Version
04

Cosign and Keyless Signing

Cosign, part of the Sigstore project, enables keyless signing using OpenID Connect identities. Developers authenticate via their email or workload identity, and a short-lived certificate is issued.

  • Fulcio: A certificate authority that issues ephemeral signing certificates bound to OIDC identities
  • Rekor: A transparency log that records signatures, making them auditable and discoverable
  • Verification: Consumers verify the certificate chain and check the Rekor log entry

This eliminates the operational burden of managing long-lived signing keys while providing a tamper-evident audit trail.

Keyless
Signing Method
Rekor
Transparency Log
05

Enforcement via Admission Controllers

Content trust is enforced at deploy time through Kubernetes Admission Controllers. These webhooks intercept pod creation requests and validate image signatures before the pod is persisted.

  • Gatekeeper/OPA: Policy engines that reject pods with unsigned or invalidly signed images
  • Kyverno: A Kubernetes-native policy engine that can verify Cosign signatures natively
  • Binary Authorization: GCP's deploy-time control that integrates with attestations

Without enforcement, content trust is advisory. Admission controllers make it mandatory, creating a hard gate that prevents untrusted images from ever reaching the runtime.

Pre-Deploy
Enforcement Point
MutatingWebhook
API Mechanism
06

Supply Chain Levels (SLSA) Integration

Content trust is a foundational component of SLSA Level 2+ compliance. SLSA requires provenance attestations that are cryptographically signed and verifiable.

  • SLSA Provenance: A signed document describing how an artifact was built, including builder identity, source repository, and build steps
  • Attestation Storage: Provenance documents are stored as OCI artifacts alongside the image
  • Policy Verification: Admission controllers verify both the image signature AND the SLSA provenance before allowing deployment

This closes the loop from source code to running container, ensuring the entire software supply chain is verifiable.

SLSA L2+
Required Level
In-Toto
Attestation Format
CONTENT TRUST

Frequently Asked Questions

Clear, technical answers to the most common questions about cryptographic signing, verification, and policy enforcement for container images in sovereign AI infrastructure.

Content trust is a security mechanism that uses digital signatures to cryptographically guarantee that a container image has not been tampered with and was published by an authorized entity. It works by assigning a signing key to a publisher. When an image is pushed, the Docker Notary client (or Cosign) generates a hash of the image manifest and encrypts it with the publisher's private key, creating a signature. This signature is stored in a trust metadata collection alongside the image. When a consumer pulls the image, the runtime engine verifies the signature against the publisher's public key. If the signature is invalid, missing, or the image digest has changed, the pull is rejected. This establishes a cryptographic chain of custody from the build pipeline to the runtime environment, preventing supply chain attacks such as image substitution or man-in-the-middle registry compromises.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.