Inferensys

Glossary

Notary

Notary is an open-source project that implements The Update Framework (TUF) specification to provide high-assurance cryptographic signing and verification for container images and arbitrary content.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
CONTENT TRUST INFRASTRUCTURE

What is Notary?

Notary is a project that implements The Update Framework (TUF) to provide high-trust content signing and verification for container images, enforcing content trust policies in Docker registries.

Notary is a client-server application that cryptographically signs and verifies container image metadata using The Update Framework (TUF) specification. It enables Docker Content Trust, ensuring that only images signed by authorized publishers are pulled and executed, preventing tampering and man-in-the-middle attacks during distribution.

The system operates through a Notary server managing signed metadata and a Notary signer holding private keys. It maintains a timestamped, append-only trust database that records every signing action, providing a verifiable audit trail. This architecture guarantees freshness guarantees and key compromise resilience, critical for securing software supply chains in sovereign infrastructure environments.

CONTENT TRUST INFRASTRUCTURE

Key Features of Notary

Notary implements The Update Framework (TUF) to provide a robust, cryptographically secure system for signing and verifying container images, enforcing content trust policies across the software supply chain.

01

The Update Framework (TUF) Foundation

Notary is a concrete implementation of TUF, a flexible security specification designed to protect against key compromise and repository attacks. It manages a hierarchical key structure with distinct roles—root, targets, snapshot, and timestamp—each with specific trust responsibilities. This separation of duties ensures that compromising a single key does not grant an attacker the ability to sign arbitrary content. The framework uses a threshold signature scheme, requiring a configurable number of keys to sign critical metadata before it is considered valid, preventing unilateral malicious actions.

02

Docker Content Trust Enforcement

Notary is the backend service that powers Docker Content Trust (DCT). When DCT is enabled, the Docker client communicates with a Notary server to verify the digital signature of a tagged image before pulling or running it. This process cryptographically binds a publisher's identity to an image digest, ensuring the image has not been tampered with since publication. Key operational commands include:

  • DOCKER_CONTENT_TRUST=1: Environment variable to globally enforce signature verification.
  • docker trust sign: Command for publishers to sign and push a tagged image.
  • docker trust inspect: Command to view signers and signature metadata for an image.
03

Delegated Trust and Role Management

Notary supports delegation, allowing a repository owner to delegate signing authority for specific image tags or namespaces to other verified parties without sharing the primary targets key. This is critical for large organizations where different teams manage separate software components. A delegation role is defined with a set of trusted public keys and a list of path patterns it is authorized to sign. This enables a secure, scalable model where a platform team can delegate the signing of team-a/* images to Team A's specific keys, maintaining a strict chain of custody.

04

Key Hierarchy and Offline Storage

Notary's security model relies on a strict separation between offline root keys and online repository keys. The root key, which establishes the ultimate trust anchor for a repository, is intended to be generated and stored on an air-gapped hardware security module (HSM) or a permanently disconnected device. Day-to-day signing operations use lower-privilege targets and delegation keys. This architecture ensures that even if the online Notary service is fully compromised, an attacker cannot rotate the root of trust or sign content for new, unauthorized namespaces.

05

Timestamping and Snapshot Freshness

To prevent rollback attacks—where an attacker serves an older, validly-signed but vulnerable version of metadata—Notary employs timestamp and snapshot roles. The timestamp key signs a frequently-expiring file that indicates the latest version of the snapshot metadata. The snapshot key signs a manifest listing the current versions of all other metadata files. Clients verify these timestamps, ensuring they are receiving the most recent content. If a timestamp is stale, the client rejects the update, guaranteeing freshness in the trust chain.

06

Notary v2 and OCI Distribution

The evolution to Notary v2 decouples signing from a central server, aligning with the OCI Distribution Specification. Instead of a proprietary protocol, signatures are stored as standard OCI Artifacts alongside the image in any compliant registry. This allows for a serverless signing workflow using tools like notation, where a publisher creates a signature artifact and pushes it directly to the registry. Verification is performed by resolving the image's referrers API to find and validate the attached signature manifest, eliminating the need for a separate Notary service for core signing operations.

CONTENT TRUST & SIGNING

Frequently Asked Questions

Clear answers to common questions about Notary, TUF, and enforcing cryptographic content trust policies in private container registries.

Notary is a project that implements The Update Framework (TUF) to provide high-trust content signing and verification for container images. It acts as a security layer on top of container registries, allowing publishers to cryptographically sign images and consumers to verify those signatures before pulling and running them. Notary operates by maintaining a separate, signed metadata database—the Notary repository—that maps image tags to specific, trusted digests. When a publisher pushes an image, they use a delegation key to sign the tag-to-digest mapping. When a consumer pulls with Docker Content Trust (DCT) enabled, the Docker client contacts the Notary server, downloads the signed metadata, verifies the signature chain against a trusted root key, and only proceeds if the image digest matches the signed mapping. This prevents rollback attacks, man-in-the-middle tampering, and unauthorized image substitution. The architecture separates the root key (offline, highly secured) from targets and delegation keys (online, used for routine signing), ensuring a compromise of the registry or signing infrastructure does not allow attackers to forge trusted metadata.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.