Securing the Container Supply Chain with Notary

2023-04-21

Authors:   Justin Cormack, Toddy Mladenov


Summary

The presentation discusses the importance of standards in supply chain security and the ongoing efforts to incorporate transparency logs and metadata into software in the container ecosystem.
  • Verifying identity and large entities is important in supply chain actions
  • Working with the SKET project to build a transparency log and record identities and signatures
  • Incorporating additional metadata around supply chains, such as SBOMs and SPDX, to allow more fine-grained controls
  • Proposing a new sub-project of Notary to store TUF repository metadata directly in the registry
  • Seeing the Notary projects as a home for a set of standards around supply chain security
The speaker mentions a vulnerability management session in which they demonstrated how to manage vulnerabilities, sign them, and verify them using Kubernetes. They also mention a session with Ratify and Gatekeeper using the same approach. The last demo showed how to sign local artifacts without first having to push the image or SBOM to the registry, which is important for certain scenarios.

Abstract

This talk gives an overview of the new capabilities available in the Notary project tooling as well as the project’s role in the broader software supply chain ecosystem. With the release of a stable version of the Notary v2 tooling, the Notary project enables advanced enterprise scenarios for the software supply chain. The talk covers the core functionality included in the Notary v2 release, the typical scenarios in which it can be applied, and integrations with other ecosystem tools. The talk gives an overview of the project and a deep dive into its capabilities.

Materials:

Related work

Authors: Justin Cormack
2022-10-27

Authors: Justin Cormack, Steve Lasker
2021-10-14

Authors: Steve Lasker, Justin Cormack
2022-05-18