The Notary project comprises a server and a client for running and interacting with trusted collections. Please see the service architecture documentation for more information.
Notary aims to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server which is inherently flawed, as any compromise of the server enables malicious content to be substituted for the legitimate content.
With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.
Consumers, having acquired the publisher‘s public key through a secure channel, can then communicate with any notary server or (insecure) mirror, relying only on the publisher’s key to determine the validity and integrity of the received content.
Notary is based on The Update Framework, a secure general design for the problem of software distribution and updates. By using TUF, notary achieves a number of key advantages:
Please see our service architecture docs for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
Our last security audit was on July 31, 2015 by NCC (results).
Any security vulnerabilities can be reported to security@docker.com.
Please get the Notary Client CLI binary from the official releases page or you can build one yourself. The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.
To use the Notary CLI with Docker hub images, please have a look at our getting started docs.
For more advanced usage, please see the advanced usage docs.
To use the CLI against a local Notary server rather than against Docker Hub:
Please ensure that you have docker and docker-compose installed.
git clone https://github.com/docker/notary.git
and from the cloned repository path, start up a local Notary server and signer and copy the config file and testing certs to your local notary config directory:
$ docker-compose build $ docker-compose up -d $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
Add 127.0.0.1 notary-server
to your /etc/hosts
, or if using docker-machine, add $(docker-machine ip) notary-server
).
You can run through the examples in the getting started docs and advanced usage docs, but without the -s
(server URL) argument to the notary
command since the server URL is specified already in the configuration, file you copied.
You can also leave off the -d ~/.docker/trust
argument if you do not care to use notary
with Docker images.
Prerequisites:
apt-get install libltdl-dev
yum install libtool-ltdl-devel
brew install libtool
Run make binaries
, which creates the Notary Client CLI binary at bin/notary
. Note that make binaries
assumes a standard Go directory structure, in which Notary is checked out to the src
directory in your GOPATH
. For example:
$GOPATH/ src/ github.com/ docker/ notary/