Content trust is a cryptographic security framework that enforces the use of digital signatures to verify the publisher identity and integrity of a container image before a runtime pulls it. It ensures that the image has not been altered in transit and originates from a specific, authorized publisher, preventing supply chain attacks and the execution of tampered code.
Glossary
Content Trust

What is Content Trust?
A security mechanism that uses digital signatures to ensure only authorized, untampered container images are pulled and executed within a runtime environment.
This mechanism relies on a trusted delegation model where image publishers sign image manifests using private keys, and consumers configure their runtimes to only execute images signed by those trusted keys. This creates a verifiable chain of custody from the build pipeline to the production node, often implemented via tools like Notary or Cosign.
Core Characteristics of Content Trust
Content trust establishes a verifiable chain of custody for container images through digital signatures, ensuring that only authorized, untampered artifacts are deployed in runtime environments.
Digital Signature Verification
Content trust relies on asymmetric cryptography where publishers sign images with a private key and consumers verify with a public key. The Notary project implements The Update Framework (TUF) to manage this trust hierarchy.
- Signing Process: A publisher hashes the image manifest and encrypts the hash with their private key
- Verification: The runtime decrypts the signature using the trusted public key and compares hashes
- Key Management: TUF separates root, targets, snapshot, and timestamp keys with offline root keys for maximum security
This prevents man-in-the-middle attacks and ensures the image pulled is bit-for-bit identical to what the publisher signed.
The Update Framework (TUF) Integration
TUF provides a robust key hierarchy designed to survive key compromise. It separates roles so that compromising a single online key cannot poison the entire repository.
- Root Key: Stored offline; signs the trusted root metadata
- Targets Key: Signs image manifests and delegations
- Snapshot Key: Signs metadata about the latest collection of files to prevent rollback attacks
- Timestamp Key: Signs short-lived metadata to ensure freshness and prevent freeze attacks
TUF also supports threshold signatures, requiring multiple keys to sign critical metadata, eliminating single points of failure.
Notary v2 and OCI Distribution
Notary v2 is the modern evolution of content trust, natively integrated with the OCI Distribution Specification. Unlike Notary v1, it stores signatures as OCI Artifacts alongside images in the same registry.
- Signature Format: Uses JSON Web Signatures (JWS) for portability
- Referrers API: Allows discovery of all signatures and attestations for a given image digest
- Multi-Signature Support: Multiple parties can independently sign the same image
This architecture eliminates the need for a separate Notary server, reducing operational complexity while maintaining cryptographic guarantees.
Cosign and Keyless Signing
Cosign, part of the Sigstore project, enables keyless signing using OpenID Connect identities. Developers authenticate via their email or workload identity, and a short-lived certificate is issued.
- Fulcio: A certificate authority that issues ephemeral signing certificates bound to OIDC identities
- Rekor: A transparency log that records signatures, making them auditable and discoverable
- Verification: Consumers verify the certificate chain and check the Rekor log entry
This eliminates the operational burden of managing long-lived signing keys while providing a tamper-evident audit trail.
Enforcement via Admission Controllers
Content trust is enforced at deploy time through Kubernetes Admission Controllers. These webhooks intercept pod creation requests and validate image signatures before the pod is persisted.
- Gatekeeper/OPA: Policy engines that reject pods with unsigned or invalidly signed images
- Kyverno: A Kubernetes-native policy engine that can verify Cosign signatures natively
- Binary Authorization: GCP's deploy-time control that integrates with attestations
Without enforcement, content trust is advisory. Admission controllers make it mandatory, creating a hard gate that prevents untrusted images from ever reaching the runtime.
Supply Chain Levels (SLSA) Integration
Content trust is a foundational component of SLSA Level 2+ compliance. SLSA requires provenance attestations that are cryptographically signed and verifiable.
- SLSA Provenance: A signed document describing how an artifact was built, including builder identity, source repository, and build steps
- Attestation Storage: Provenance documents are stored as OCI artifacts alongside the image
- Policy Verification: Admission controllers verify both the image signature AND the SLSA provenance before allowing deployment
This closes the loop from source code to running container, ensuring the entire software supply chain is verifiable.
Frequently Asked Questions
Clear, technical answers to the most common questions about cryptographic signing, verification, and policy enforcement for container images in sovereign AI infrastructure.
Content trust is a security mechanism that uses digital signatures to cryptographically guarantee that a container image has not been tampered with and was published by an authorized entity. It works by assigning a signing key to a publisher. When an image is pushed, the Docker Notary client (or Cosign) generates a hash of the image manifest and encrypts it with the publisher's private key, creating a signature. This signature is stored in a trust metadata collection alongside the image. When a consumer pulls the image, the runtime engine verifies the signature against the publisher's public key. If the signature is invalid, missing, or the image digest has changed, the pull is rejected. This establishes a cryptographic chain of custody from the build pipeline to the runtime environment, preventing supply chain attacks such as image substitution or man-in-the-middle registry compromises.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Content trust relies on a constellation of complementary technologies—from signing tools and admission controllers to immutable storage and vulnerability scanners—that together enforce cryptographic integrity across the container lifecycle.
Image Digest: Immutable Content Addressing
A unique, content-addressable SHA256 hash that immutably identifies a specific container image manifest or layer. Unlike mutable tags (latest, v1.0), a digest provides cryptographic verification of integrity—any change to the image produces a completely different hash. Content trust systems pin deployments to digests rather than tags, ensuring that the image pulled at deploy time is byte-for-byte identical to the image that was signed and scanned during the build pipeline. This eliminates TOCTOU (time-of-check-to-time-of-use) attacks where a tag is retargeted to a malicious image.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us