ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

NOTARY-V2-OCI

Notary V2 Notation OCI image signing keys-based.

Définition

Notary V2 / Notation features : (1) Signing : notation sign command, uses CA-issued X509 certificates (Azure Key Vault, AWS KMS, Google KMS, HashiCorp Vault, files), produces COSE_Sign1 ou JWS signature, attaches OCI Artifact alongside image via OCI Distribution Spec referrers API. (2) Verification : notation verify command, validates signature against trust policy (.trust-policy.json) defining trusted CAs + trusted identities. (3) Trust Policy : JSON config specifying trusted identities (registry-scoped, repository-scoped, global). (4) Signature formats : COSE Sign1 (default), JWS (legacy). (5) Plugins : KMS signing plugins extensible. Comparison Cosign vs Notation : Cosign keyless OIDC (Public Good Sigstore-managed), Notation keys-based (enterprise PKI managed), recent interoperability efforts via OCI Artifact spec convergence. Adoption : Microsoft Azure Container Registry ACR native Notation support, AWS ECR Pull-through Cache, Docker Hub planning Notation. ~5-10% supply chain signing 2024 (vs ~90% Cosign).

Origine

Notary V1 historic Docker Inc 2015 (CNCF Incubating ferme 2020) ; Notary V2 Working Group CNCF launched 2020 ; rebrand Notation 2022 ; CNCF Sandbox + Incubating ; primary commiters Microsoft Azure, AWS, ByteDance, IBM, etc.

Exemple en contexte

Microsoft Azure Container Registry ACR client signs production container image via Notation : notation sign --signature-format cose mcr.microsoft.com/dotnet:8.0, uses Azure Key Vault for key storage, signature COSE_Sign1 attached to OCI Artifact in ACR ; AKS Kubernetes admission controller policy verifies via notation verify before deployment allow.

Termes liés

Dernière mise à jour: 16 mai 2026