New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
notary + tuf proposal #38
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,191 @@ | ||
== Notary & TUF Proposal | ||
|
||
*Name of project:* Notary & TUF | ||
|
||
*Description:* | ||
|
||
The Update Framework (TUF) is a specification designed to solve specifically provenance and trust problems as part of a larger distribution framework. | ||
|
||
Notary is a content signing framework implementing the TUF specification in the Go language. The project provides both a client, and a pair of server applications to host signed metadata and perform limited online signing functions. It is the de facto image signing framework in use by Docker, Quay, VMWare, and others. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Isn't that because Docker only supports Notary, and so Quay/VMWare have to use it? Or are they using it in another capacity I'm not aware of? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The integration of notary is used to map a human readable name to a sha256 digest in a secure and verifiable way. While not directly integrated, it's possible for anyone else to write a tool that does a similar conversion and use it against both the docker CLI, e.g. I fervently hope that Quay uses it because 1) it's in Go and that suits them, and 2) it's the best signing framework available and there's no point in duplicating work. @ecordell as our maintainer from Quay, any thoughts? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Right, but I think you're missing my point. Other people have tried to include alternative proposals (Red Hat comes immediately to mind) and they haven't been accepted for a variety of reasons -- instead they've been implemented as wrappers around Docker's tooling (such as Project Atomic). The only supported way of cryptographically signing image identities in Docker is with Notary, and thus anyone who wants to support secure registries must use Notary. Whether you could in theory add other implementations is not relevant to the discussion of whether the statement
Is a testament to the popularity of Notary, or a testament to the necessity to use it due to the popularity of Docker. This is yet another reason why I asked for examples of Notary use outside of Docker. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think Quay is a good example of how Notary is flexible rather than single-purpose. We're using Notary as a library, wrapping it and extending it to suit our needs. Over time I think Notary could become configurable enough that the wrapping isn't necessary at all, but that's somewhat orthogonal. Although it's true that we're still signing container tags the same as DockerHub, this is an artifact of wanting to be compatible with the docker client first, not because Notary is forcing our hand. We've considered signing different metadata that our Quay-specific client quayctl (you've heard if it, right?!) would understand but decided to focus on what existing tooling (Docker client) understands for now. For what it's worth, when we starting looking into using TUF at Quay, we decided to use Notary despite Quay being a Python codebase. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Another use case we've dug up, CloudFlare's PAL tool uses notary for container identity, allowing one to associate metadata such as secrets to running containers in a verifiable manner https://blog.cloudflare.com/pal-a-container-identity-bootstrapping-tool/ There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Additionally, LinuxKit is using Notary to distribute its kernels: http://mobyproject.org/blog/2017/06/26/sign-all-the-things/ There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This thread briefly discusses GPG for signing DEB packages and APT repos (and VMWare Harbour for docker images). The benefits of Notary over those are listed as revocation, freshness, delegation to alternate signers, and painless key compromise recovery. It would be good to get a bit more balanced detail on this (relative strengths, weaknesses, similarities and differences) vs these and other alternatives (Thandy, Web of Trust etc). |
||
|
||
Notary and TUF have been presented at [CNCF TOC meeting 6/20/2017](https://docs.google.com/presentation/d/1MvCZytMQpTgGW4IvJ1cM0hvnIr8IowH7hFaeXJZ6cp4/edit#slide=id.g2309ce468a_22_0) | ||
|
||
*Sponsor / Advisor from TOC:* Solomon Hykes | ||
|
||
*Preferred maturity level:* incubating | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I believe we will go forward with this project at the "inception" level per @cncf/toc discussion today There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @monadic can you confirm that you want this in as inception or incubating? I may have misheard you There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. waiting on confirmation to change this (or not) |
||
|
||
*Unique identifier:* | ||
|
||
* Notary: notary | ||
* The Update Framework: tuf | ||
|
||
*License:* | ||
|
||
* Notary: Apache 2.0 | ||
* TUF: Dual licensed under MIT and Apache 2.0 | ||
|
||
*Source control repositories:* | ||
|
||
* https://github.com/docker/notary | ||
* https://github.com/theupdateframework/tuf | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is there anything in theupdateframework github org that would not be included? |
||
* https://github.com/theupdateframework/taps | ||
|
||
*Initial Committers:* | ||
|
||
* https://github.com/docker/notary/blob/master/MAINTAINERS | ||
* https://github.com/theupdateframework/tuf/blob/develop/AUTHORS.txt | ||
|
||
*Infrastructure requirements (CI / CNCF Cluster):* | ||
|
||
* CircleCI | ||
* CodeCov | ||
* Travis CI | ||
|
||
*Issue tracker:* | ||
|
||
* https://github.com/docker/notary/issues | ||
* https://github.com/theupdateframework/tuf/issues | ||
|
||
*Mailing lists:* | ||
|
||
* Slack: https://dockercommunity.slack.com/messages/notary | ||
* Google Groups: https://groups.google.com/forum/#!forum/theupdateframework | ||
|
||
*Website:* | ||
|
||
* TUF: https://theupdateframework.github.io/ | ||
|
||
*Release methodology and mechanics:* | ||
|
||
* Feature based releases | ||
|
||
*Social media accounts:* None | ||
|
||
*Existing sponsorship:* Docker for Notary, National Science Foundation and NYU for TUF | ||
|
||
*Contributor statistics:* | ||
|
||
The notary community is growing slowly with a very small but active base and a larger group of occasional contributors. Maintainers are from Docker, CoreOS and Huawei. | ||
|
||
TUF maintainers from NYU and CoreOS. | ||
|
||
*Adopters:* Docker, Quay, Huawei, Motorola Solutions, VMWare | ||
|
||
*External Dependencies:* | ||
|
||
* https://github.com/docker/notary/blob/master/vendor.conf | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @caniszczyk Have the licenses of dependencies been checked? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @bgrant0607 all were fine, the only issue that came up is what hit containerd, we have to get them to switch to another TOML library: notaryproject/notary#1210 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It also contains a fork of go-tuf, which isn't in the vendor directory: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Some advice on that would actually be useful. That's not a fork of go-tuf in any reasonable sense. It did start as a fork 2.5 years ago, but we've added many features, re-written most of the packages, and re-architected near enough the entire system. We submitted a couple of minor pieces back to go-tuf early on but have since diverged to the point nothing can be usefully submitted back. Is there some point at which a fork is no longer a fork or are we stuck in a "my fathers axe" type situation? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. https://en.wikipedia.org/wiki/Ship_of_Theseus Good question, but probably at least as much a legal one as a technical one. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The complicated part is that every incremental change of any given project is a derived work, and BSD-3-Clause (unlike MIT/X11) does not permit sublicensing. You can license your changes under another (compatible) license, but derived works are always a fun legal topic. IANAL, and I'd recommend asking one. |
||
* Protobuf | ||
* GRPC | ||
* MySQL/PostgreSQL/rethinkDB | ||
* https://github.com/yubico/yubico-piv-tool | ||
* https://github.com/flynn/gotuf (forked and heavily modified under the "tuf" directory in the notary repository) | ||
|
||
*Statement on alignment with CNCF mission:* | ||
|
||
Notary is the most secure and widely adopted implementation of The Update Framework to date, and represents a | ||
critical security building block for ensuring the provenance and integrity of data in the field of | ||
cloud-native computing. As an implementer of The Update Framework it can provide its guarantees over any | ||
arbitrary digital content, making it ultimately flexible to any use case requiring security guarantees | ||
against attacks up to and including nation state level. | ||
|
||
Additional Material | ||
--- | ||
|
||
*Notary/TUF vs Traditional Package Signing* | ||
|
||
Traditional package signing methods commonly revolve around GPG signing of various metadata fragments. In a | ||
sense, GPG is a primitive used by traditional package signing systems. If there was strong enough desire, | ||
GPG could be integrated into any existing TUF implementation as an available signing option. TUF recognizes | ||
that the existing signing systems have not gone far enough to address the threats that are meaningful in the | ||
context of software distribution. It proposes a complete system for secure software distribution that | ||
addresses these threats. | ||
|
||
Over the years many package management signing systems have been developed and they continue to make the | ||
mistakes of the past because the community has largely focused on the expertise required to develop | ||
crypto primitives, without also acknowledging the expertise required to design systems. To quote Duncan | ||
Coutts in his explanation of Haskell’s choice to use TUF, “TUF has been designed by academic experts in | ||
the subject, based both on research and existing real-world systems. Our crypto-humility should cover | ||
not just crypto algorithms but extend to whole system designs.” | ||
|
||
*TUF vs GPG* | ||
|
||
GPG currently has much greater recognition that TUF. This is expected given the age and lack of | ||
competition it has received. This does not automatically make it a good solution to signing requirements. | ||
GPG lacks the same features as our “Traditional Package Managers”, as they have largely added very little | ||
if anything meaningful on top of the GPG primitives. | ||
|
||
Nominally one could argue that GPG private key management is simpler than TUF private key management | ||
purely on the basis that there are slightly fewer keys to manage. This marginal difference is a poor | ||
tradeoff in the face of ease of integration. GPG is well recognized as being difficult to use [1] (response | ||
at [5]), and even more difficult to integrate with at the library level as a developer [2]. By comparison, | ||
one user was able to write a tool to use Notary to sign and verify git tags during a hackathon with no \ | ||
help from the Notary maintainers [3]. | ||
|
||
*Why a joint submission?* | ||
|
||
We want the TUF specification to be accepted into CNCF because it will make a clear statement of the | ||
importance and expectations the community must have for the security of their software distribution | ||
channels. Furthermore we want there to be implementations in many languages to enable broad adoption. | ||
A joint submission of TUF and Notary is a highly cohesive package that lays a solid foundation for | ||
package signing in CNCF, providing both the spec for guidance, and an implementation in Golang, which | ||
is the majority language among existing CNCF projects. | ||
|
||
We are at an inflection point in the methods used to develop and deploy software. The paradigm shift | ||
happening right now must be capitalized on lest we risk extending the the unacceptable status quo in | ||
software distribution security. | ||
|
||
*Use Cases* | ||
|
||
The most unequivocal use case for TUF and Notary is securing software update systems. This is the stated | ||
scope and primary goal of TUF. It is also a stated goal that the framework should be usable with both | ||
new and existing software update systems. | ||
|
||
We should define what we mean by “software update system” in this context: a software update system is | ||
a process and utilities that allow one to download and install entirely new software, and upgrades to | ||
existing software, within a specific environment. Some examples are Python’s PIP, Debian’s APT, and | ||
RedHat’s YUM systems. | ||
|
||
Container images map very closely to a typical software update system payload. Like some of those | ||
mentioned, it uses TAR files containing the collection of files to be installed on the requesting host. | ||
It uses a manifest, a JSON file, to describe how those files are used to set up and run the container. | ||
The manifest is the root of a Merkle tree, containing the SHA256 checksums of the layers that make up | ||
the image. This efficiently allows us to sign only the manifest using Notary and a user can perform a | ||
verification of everything they download for the image. | ||
|
||
We also see a future for Notary and TUF in signing service or pod definitions. This strengthens | ||
protections around what software can run on a cluster. We envision a single Notary repository | ||
maintained within a cluster to which recognized delegates can push updates. This would be the only | ||
mechanism for a cluster to receive updates to its definitions and automatically acts as a second | ||
factor of authentication (something you have: the private key) in the presence of traditional | ||
username+password based auth. | ||
|
||
Finally, we recognize that there is a natural link between code identity and container, service, and | ||
pod identity. We believe that runtime identity ought to be tied to code signatures, so that policies | ||
can be set such that only particular images may assume a runtime identity. For example, a customer | ||
might specify that a particular signing process for container images is necessary in order to call | ||
particular APIs within a cluster. This link between image identity and container runtime identity | ||
requires a cryptographically strong, commonly shared image signing and verification system. | ||
|
||
Use cases that we consider in scope and that are already implemented or can be accomplished now: | ||
|
||
* Container image signing | ||
* General software package signing (a demo of this was put together using Notary to sign PIP packages for a talk at PyCon 2016 [4]) | ||
* OS/Kernel signing (already in use in LinuxKit) | ||
* CI pipeline signing | ||
* Every entity performing a step in a CI pipeline (build, test, security scan, etc…) should add a signature and all signatures should be verified at deployment time. | ||
|
||
Use cases that are achievable with some additional work: | ||
|
||
* Signing cluster/service/pod definitions | ||
* Binding code signatures to service/container/pod identity | ||
|
||
Out of scope: | ||
|
||
* Signing communications, i.e. emails | ||
* Signed logs (though TUF/Notary could be applicable to signing log files backed up offsite) | ||
|
||
1. https://blog.filippo.io/giving-up-on-long-term-pgp/ | ||
2. https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html | ||
3. https://github.com/docker/global-hack-day-3/tree/master/docker-bdx | ||
4. https://www.youtube.com/watch?v=fDvO9jwXCV4 | ||
5. https://arstechnica.co.uk/information-technology/2016/12/signal-does-not-replace-pgp/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason that both projects are being proposed together? I appreciate that Notary is a very widely used implementation (because it is what Docker uses), but proposing a specification and an implementation in one go doesn't sound right to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cyphar Is there another widely used implementation of TUF?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tor uses it for their update system for the TBB (from memory they were the first non-academic users). I also believe that Pythons pip ecosystem also uses TUF (or there was some planned integration at some point). Here's the list that TUF maintains: https://theupdateframework.github.io/#integrations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But most importantly, there already is an upstream Python TUF implementation that was written by the TUF designers. It's likely not as widely used as Notary clients (since there are a large number of Docker users), but that would mean that CNCF would be getting two different TUF implementations in one proposal (as well as the spec).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I hadn't seen a switch, I thought TOR still used Thandy, on which TUF is based. Python does not use TUF. There are 2 proposed PEPs (458 & 480) and we've talked to the maintainer of pip, they're not going to get around to it for a while.
The submission of the spec is by the TUF designers at NYU. As far as their Python implementation, GRPC has integrations with many languages and that seems to be nothing but a good thing. These are not competing implementations, they are complementary. One should ultimately be able to publish using the Python code, and consume using the Go code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, okay I wasn't aware that Python hadn't switched. I have actually brought up TUF to the zypper folks (our package manager), so don't think I'm not interested in it as a project. 😸
That's not the same thing though. gRPC's multiple integrations is because in order to use gRPC with a language you have to generate client/server code from the schema. You don't need to do that with TUF, and as you said the publishing and verification can be done by either implementation.
This situation would be more like wanting to include the DBus "specification" as well as two different dbus implementations in one proposal. If the key benefit or differentiator is the language they're implemented in, I'm struggling to see why you need both.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I look at it differently. We could simply tell everyone "GRPC compiles protos to C, you can work out how to integrate that in to your language" but we don't because nobody would use it. One can publish a request with a GRPC python client and consume it with a GRPC Go server. There's no actual need to generate code for GRPC, it's a productivity multiplier that we can do so. It's similarly a productivity multiplier if one wants to integrate with TUF and finds out there's already a canonical library in the desired language.
Notary allows one to integrate with TUF using Go. It provides a library and a convenience CLI, along with some server applications that simplify management of a TUF repo. The python implementation allows one to integrate with TUF using Python, it provides only a library and no CLI (beyond the python interpreter), or server applications. I'm hopeful other language integrations appear and can be folded in to the family.