Notary is a client-server application that cryptographically signs and verifies container image metadata using The Update Framework (TUF) specification. It enables Docker Content Trust, ensuring that only images signed by authorized publishers are pulled and executed, preventing tampering and man-in-the-middle attacks during distribution.
Glossary
Notary

What is Notary?
Notary is a project that implements The Update Framework (TUF) to provide high-trust content signing and verification for container images, enforcing content trust policies in Docker registries.
The system operates through a Notary server managing signed metadata and a Notary signer holding private keys. It maintains a timestamped, append-only trust database that records every signing action, providing a verifiable audit trail. This architecture guarantees freshness guarantees and key compromise resilience, critical for securing software supply chains in sovereign infrastructure environments.
Key Features of Notary
Notary implements The Update Framework (TUF) to provide a robust, cryptographically secure system for signing and verifying container images, enforcing content trust policies across the software supply chain.
The Update Framework (TUF) Foundation
Notary is a concrete implementation of TUF, a flexible security specification designed to protect against key compromise and repository attacks. It manages a hierarchical key structure with distinct roles—root, targets, snapshot, and timestamp—each with specific trust responsibilities. This separation of duties ensures that compromising a single key does not grant an attacker the ability to sign arbitrary content. The framework uses a threshold signature scheme, requiring a configurable number of keys to sign critical metadata before it is considered valid, preventing unilateral malicious actions.
Docker Content Trust Enforcement
Notary is the backend service that powers Docker Content Trust (DCT). When DCT is enabled, the Docker client communicates with a Notary server to verify the digital signature of a tagged image before pulling or running it. This process cryptographically binds a publisher's identity to an image digest, ensuring the image has not been tampered with since publication. Key operational commands include:
DOCKER_CONTENT_TRUST=1: Environment variable to globally enforce signature verification.docker trust sign: Command for publishers to sign and push a tagged image.docker trust inspect: Command to view signers and signature metadata for an image.
Delegated Trust and Role Management
Notary supports delegation, allowing a repository owner to delegate signing authority for specific image tags or namespaces to other verified parties without sharing the primary targets key. This is critical for large organizations where different teams manage separate software components. A delegation role is defined with a set of trusted public keys and a list of path patterns it is authorized to sign. This enables a secure, scalable model where a platform team can delegate the signing of team-a/* images to Team A's specific keys, maintaining a strict chain of custody.
Key Hierarchy and Offline Storage
Notary's security model relies on a strict separation between offline root keys and online repository keys. The root key, which establishes the ultimate trust anchor for a repository, is intended to be generated and stored on an air-gapped hardware security module (HSM) or a permanently disconnected device. Day-to-day signing operations use lower-privilege targets and delegation keys. This architecture ensures that even if the online Notary service is fully compromised, an attacker cannot rotate the root of trust or sign content for new, unauthorized namespaces.
Timestamping and Snapshot Freshness
To prevent rollback attacks—where an attacker serves an older, validly-signed but vulnerable version of metadata—Notary employs timestamp and snapshot roles. The timestamp key signs a frequently-expiring file that indicates the latest version of the snapshot metadata. The snapshot key signs a manifest listing the current versions of all other metadata files. Clients verify these timestamps, ensuring they are receiving the most recent content. If a timestamp is stale, the client rejects the update, guaranteeing freshness in the trust chain.
Notary v2 and OCI Distribution
The evolution to Notary v2 decouples signing from a central server, aligning with the OCI Distribution Specification. Instead of a proprietary protocol, signatures are stored as standard OCI Artifacts alongside the image in any compliant registry. This allows for a serverless signing workflow using tools like notation, where a publisher creates a signature artifact and pushes it directly to the registry. Verification is performed by resolving the image's referrers API to find and validate the attached signature manifest, eliminating the need for a separate Notary service for core signing operations.
Frequently Asked Questions
Clear answers to common questions about Notary, TUF, and enforcing cryptographic content trust policies in private container registries.
Notary is a project that implements The Update Framework (TUF) to provide high-trust content signing and verification for container images. It acts as a security layer on top of container registries, allowing publishers to cryptographically sign images and consumers to verify those signatures before pulling and running them. Notary operates by maintaining a separate, signed metadata database—the Notary repository—that maps image tags to specific, trusted digests. When a publisher pushes an image, they use a delegation key to sign the tag-to-digest mapping. When a consumer pulls with Docker Content Trust (DCT) enabled, the Docker client contacts the Notary server, downloads the signed metadata, verifies the signature chain against a trusted root key, and only proceeds if the image digest matches the signed mapping. This prevents rollback attacks, man-in-the-middle tampering, and unauthorized image substitution. The architecture separates the root key (offline, highly secured) from targets and delegation keys (online, used for routine signing), ensuring a compromise of the registry or signing infrastructure does not allow attackers to forge trusted metadata.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Notary implements The Update Framework (TUF) to establish a robust signing and verification chain. These related concepts form the foundation of a secure, tamper-evident container supply chain.
Content Trust
A security mechanism that uses digital signatures to ensure only authorized, untampered container images are pulled and executed. Notary is the primary implementation enabling content trust in Docker registries.
- Enforces image authenticity at runtime
- Prevents man-in-the-middle registry attacks
- Validates publisher identity before image pull
- Integrates with Docker Content Trust (
DOCKER_CONTENT_TRUST=1)
Cosign
A tool under the Sigstore project used to cryptographically sign container images and OCI artifacts. Unlike Notary's TUF-based approach, Cosign stores signatures directly alongside images in the registry.
- Supports keyless signing via OIDC
- Generates signatures in OCI-compliant format
- Works with any OCI registry without external services
- Complements Notary for defense-in-depth signing strategies
Sigstore
A free, open-source public good service enabling automated, keyless signing and verification of software artifacts. It uses OpenID Connect identities and a transparent log (Rekor) to provide non-repudiation.
- Eliminates long-term key management
- Provides public auditability via transparency logs
- Integrates with Fulcio certificate authority
- Often used alongside Notary for developer-friendly signing workflows
Image Attestation
A cryptographically signed, verifiable statement about a container image, such as an SBOM or vulnerability scan result. Attestations are stored alongside the image in the registry for automated policy enforcement.
- Proves build provenance (who built it, how, when)
- Links SBOMs to specific image digests
- Enables policy-based admission in Kubernetes
- Uses in-toto attestation format for standardization
Binary Authorization
A deploy-time security control that enforces strict signature validation before containers can run. It ensures only images signed by trusted authorities during the build process reach production clusters.
- Integrates with Kubernetes admission controllers
- Enforces deploy-time policy (not just pull-time)
- Requires valid Notary or Cosign signatures
- Creates an immutable trust boundary at deployment
SLSA Provenance
A security framework (Supply-chain Levels for Software Artifacts) providing a tamper-proof, attestable record of the build process. SLSA provenance answers: who built the image, from what source, using which build pipeline?
- Defines four progressive security levels (L1-L4)
- Requires hermetic, isolated builds at higher levels
- Generates verifiable provenance attestations
- Complements Notary signatures with build integrity metadata

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us