
Blocked on Container Image Signing – No Certificates Available & Need Integration Options #1254

@varsha2605

Description


What is not working as expected?

"Is it possible to configure Notary for image signing without obtaining a certificate from a Certificate Authority or generating a self-signed certificate?"

We are exploring the use of Notary for container image signing but are currently blocked due to the unavailability of any certificate, including a self-signed one. Is there a supported way to perform signing in such scenarios?

Is it possible to integrate Notary with a trusted signing service?

We would like to understand whether Notary supports integration with external signing providers (e.g. cloud-based signing services) for signing container images.

What is the recommended approach for signing container images in this setup?

Given the above constraints, we are looking for guidance on how to achieve container image signing using Notary. If direct integration is not supported, are there any best practices or workarounds recommended?

This is currently blocking our signing workflow, so any help or documentation reference would be greatly appreciated.
Thank you for your support!

What did you expect to happen?

We expected Notary to support an alternative mechanism for signing container images without requiring a certificate from a Certificate Authority or a self-signed certificate. Specifically, we were hoping to integrate a trusted signing service to handle the signing process.

How can we reproduce it?

Set up a Notary environment for container image signing.

1. Do not provision a certificate from a trusted Certificate Authority (CA).
2. Do not generate or use a self-signed certificate.
3. Attempt to perform a signing operation on a container image using Notary.
4. Observe that signing is blocked due to the unavailability of a certificate.

We are seeking guidance on how to proceed with Notary in such a setup without relying on CA-issued or self-signed certificates.

Describe your environment

Notation installation method: Installed via curl from the GitHub releases page.

Operating System: Linux

Shell type: bash

Golang version: go1.23.0 (used by Notation CLI)

What is the version of your Notation CLI or Notation Library?

Notation CLI version: 1.2.0

Go version: go1.23.0 (used by Notation)

Labels: bug (Something isn't working), triage (Need to triage)

Status: Done