notary

package module
v0.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 28, 2017 License: Apache-2.0 Imports: 3 Imported by: 0

README

Notary

Circle CI CodeCov GoReportCard

The Notary project comprises a server and a client for running and interacting with trusted collections. Please see the service architecture documentation for more information.

Notary aims to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server which is inherently flawed, as any compromise of the server enables malicious content to be substituted for the legitimate content.

With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.

Consumers, having acquired the publisher's public key through a secure channel, can then communicate with any notary server or (insecure) mirror, relying only on the publisher's key to determine the validity and integrity of the received content.

Goals

Notary is based on The Update Framework, a secure general design for the problem of software distribution and updates. By using TUF, notary achieves a number of key advantages:

  • Survivable Key Compromise: Content publishers must manage keys in order to sign their content. Signing keys may be compromised or lost so systems must be designed in order to be flexible and recoverable in the case of key compromise. TUF's notion of key roles is utilized to separate responsibilities across a hierarchy of keys such that loss of any particular key (except the root role) by itself is not fatal to the security of the system.
  • Freshness Guarantees: Replay attacks are a common problem in designing secure systems, where previously valid payloads are replayed to trick another system. The same problem exists in the software update systems, where old signed can be presented as the most recent. notary makes use of timestamping on publishing so that consumers can know that they are receiving the most up to date content. This is particularly important when dealing with software update where old vulnerable versions could be used to attack users.
  • Configurable Trust Thresholds: Oftentimes there are a large number of publishers that are allowed to publish a particular piece of content. For example, open source projects where there are a number of core maintainers. Trust thresholds can be used so that content consumers require a configurable number of signatures on a piece of content in order to trust it. Using thresholds increases security so that loss of individual signing keys doesn't allow publishing of malicious content.
  • Signing Delegation: To allow for flexible publishing of trusted collections, a content publisher can delegate part of their collection to another signer. This delegation is represented as signed metadata so that a consumer of the content can verify both the content and the delegation.
  • Use of Existing Distribution: Notary's trust guarantees are not tied at all to particular distribution channels from which content is delivered. Therefore, trust can be added to any existing content delivery mechanism.
  • Untrusted Mirrors and Transport: All of the notary metadata can be mirrored and distributed via arbitrary channels.

Security

Please see our service architecture docs for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.

Our last security audit was on July 31, 2015 by NCC (results).

Any security vulnerabilities can be reported to security@docker.com.

Getting started with the Notary CLI

Please get the Notary Client CLI binary from the official releases page or you can build one yourself. The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.

To use the Notary CLI with Docker hub images, please have a look at our getting started docs.

For more advanced usage, please see the advanced usage docs.

To use the CLI against a local Notary server rather than against Docker Hub:

  1. Please ensure that you have docker and docker-compose installed.

  2. git clone https://github.com/docker/notary.git and from the cloned repository path, start up a local Notary server and signer and copy the config file and testing certs to your local notary config directory:

    $ docker-compose build
    $ docker-compose up -d
    $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
    
  3. Add 127.0.0.1 notary-server to your /etc/hosts, or if using docker-machine, add $(docker-machine ip) notary-server).

You can run through the examples in the getting started docs and advanced usage docs, but without the -s (server URL) argument to the notary command since the server URL is specified already in the configuration, file you copied.

You can also leave off the -d ~/.docker/trust argument if you do not care to use notary with Docker images.

Building Notary

Note that our latest stable release is at the head of the releases branch. The master branch is the development branch and contains features for the next release.

Prerequisites:

  • Go >= 1.7.1
  • godep installed
  • libtool development headers installed
    • Ubuntu: apt-get install libltdl-dev
    • CentOS/RedHat: yum install libtool-ltdl-devel
    • Mac OS (Homebrew): brew install libtool

Run make client, which creates the Notary Client CLI binary at bin/notary. Note that make client assumes a standard Go directory structure, in which Notary is checked out to the src directory in your GOPATH. For example:

$GOPATH/
    src/
        github.com/
            docker/
                notary/

To build the server and signer, please run docker-compose build.

Documentation

Index

Constants

View Source
const (
	// MaxDownloadSize is the maximum size we'll download for metadata if no limit is given
	MaxDownloadSize int64 = 100 << 20
	// MaxTimestampSize is the maximum size of timestamp metadata - 1MiB.
	MaxTimestampSize int64 = 1 << 20
	// MinRSABitSize is the minimum bit size for RSA keys allowed in notary
	MinRSABitSize = 2048
	// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold
	MinThreshold = 1
	// SHA256HexSize is how big a SHA256 hex is in number of characters
	SHA256HexSize = 64
	// SHA512HexSize is how big a SHA512 hex is in number of characters
	SHA512HexSize = 128
	// SHA256 is the name of SHA256 hash algorithm
	SHA256 = "sha256"
	// SHA512 is the name of SHA512 hash algorithm
	SHA512 = "sha512"
	// TrustedCertsDir is the directory, under the notary repo base directory, where trusted certs are stored
	TrustedCertsDir = "trusted_certificates"
	// PrivDir is the directory, under the notary repo base directory, where private keys are stored
	PrivDir = "private"
	// RootKeysSubdir is the subdirectory under PrivDir where root private keys are stored
	// DEPRECATED: The only reason we need this constant is compatibility with older versions
	RootKeysSubdir = "root_keys"
	// NonRootKeysSubdir is the subdirectory under PrivDir where non-root private keys are stored
	// DEPRECATED: The only reason we need this constant is compatibility with older versions
	NonRootKeysSubdir = "tuf_keys"
	// KeyExtension is the file extension to use for private key files
	KeyExtension = "key"

	// Day is a duration of one day
	Day  = 24 * time.Hour
	Year = 365 * Day

	// NotaryRootExpiry is the duration representing the expiry time of the Root role
	NotaryRootExpiry      = 10 * Year
	NotaryTargetsExpiry   = 3 * Year
	NotarySnapshotExpiry  = 3 * Year
	NotaryTimestampExpiry = 14 * Day

	ConsistentMetadataCacheMaxAge = 30 * Day
	CurrentMetadataCacheMaxAge    = 5 * time.Minute
	// CacheMaxAgeLimit is the generally recommended maximum age for Cache-Control headers
	// (one year, in seconds, since one year is forever in terms of internet
	// content)
	CacheMaxAgeLimit = 1 * Year

	MySQLBackend     = "mysql"
	MemoryBackend    = "memory"
	PostgresBackend  = "postgres"
	SQLiteBackend    = "sqlite3"
	RethinkDBBackend = "rethinkdb"
	FileBackend      = "file"

	DefaultImportRole = "delegation"

	// HealthCheckKeyManagement and HealthCheckSigner are the grpc service name
	// for "KeyManagement" and "Signer" respectively which used for health check.
	// The "Overall" indicates the querying for overall status of the server.
	HealthCheckKeyManagement = "grpc.health.v1.Health.KeyManagement"
	HealthCheckSigner        = "grpc.health.v1.Health.Signer"
	HealthCheckOverall       = "grpc.health.v1.Health.Overall"

	// PrivExecPerms indicates the file permissions for directory
	// and PrivNoExecPerms for file.
	PrivExecPerms   = 0700
	PrivNoExecPerms = 0600

	// DefaultPageSize is the default number of records to return from the changefeed
	DefaultPageSize = 100
)

application wide constants

View Source
const FIPSEnvVar = "GOFIPS"

FIPSEnvVar is the name of the environment variable that is being used to switch between FIPS and non-FIPS mode

Variables

NotarySupportedBackends contains the backends we would like to support at present

View Source
var NotarySupportedSignals = []os.Signal{
	syscall.SIGUSR1,
	syscall.SIGUSR2,
}

NotarySupportedSignals contains the signals we would like to capture: - SIGUSR1, indicates a increment of the log level. - SIGUSR2, indicates a decrement of the log level.

Functions

func FIPSEnabled added in v0.5.1

func FIPSEnabled() bool

FIPSEnabled returns true if environment variable `GOFIPS` has been set to enable FIPS mode

Types

type CtxKey added in v0.4.3

type CtxKey int

CtxKey is a wrapper type for use in context.WithValue() to satisfy golint https://github.com/golang/go/issues/17293 https://github.com/golang/lint/pull/245

const (
	CtxKeyMetaStore CtxKey = iota
	CtxKeyKeyAlgo
	CtxKeyCryptoSvc
	CtxKeyRepo
)

enum to use for setting and retrieving values from contexts

type PassRetriever added in v0.4.0

type PassRetriever func(keyName, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error)

PassRetriever is a callback function that should retrieve a passphrase for a given named key. If it should be treated as new passphrase (e.g. with confirmation), createNew will be true. Attempts is passed in so that implementers decide how many chances to give to a human, for example.

Directories

Path Synopsis
cmd
Package passphrase is a utility function for managing passphrase for TUF and Notary keys.
Package passphrase is a utility function for managing passphrase for TUF and Notary keys.
Package proto is a generated protocol buffer package.
Package proto is a generated protocol buffer package.
api
remoteks
Package remoteks is a generated protocol buffer package.
Package remoteks is a generated protocol buffer package.
tuf
Package tuf defines the core TUF logic around manipulating a repo.
Package tuf defines the core TUF logic around manipulating a repo.
utils
Package utils contains tuf related utility functions however this file is hard forked from https://github.com/youmark/pkcs8 package.
Package utils contains tuf related utility functions however this file is hard forked from https://github.com/youmark/pkcs8 package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL