
Signing Docker Image

With containers now in widespread use, software supply-chain security requires assurance that the container images running on our Kubernetes clusters are the ones we intended to run, and not images that were replaced or tampered with in the registry. We achieve this by signing container images and verifying those signatures before the images are deployed.

Notation is the Command Line Interface (CLI) of the Notary Project. It adds signatures as standard items in the Open Container Initiative (OCI) registry ecosystem: a signature is stored in the registry alongside the image it covers, and the CLI provides simple tooling for signing an image and for verifying its signatures against a trust policy. The scheme is similar to checking git commit signatures, although the signatures are generic and can be used for additional purposes.
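The sign-and-verify flow described above, as an added example that is not part of the original page or of the Notation project's own documentation. It assumes `notation` and `docker` are installed, that you are logged in to the registry, and that the image has already been pushed; the image reference `localhost:5000/net-monitor:v1` and the trust-store name `wabbit-networks.io` are placeholders. The helper functions (repository scope extraction and trust-policy generation) run without a registry; the end-to-end flow runs only when `NOTATION_RUN=1` is set.

```shell
#!/bin/sh
# Added example (not from the page or the Notation project): sign an image
# with a locally generated test certificate, then verify it under a trust
# policy scoped to that repository.
set -eu

IMAGE="${IMAGE:-localhost:5000/net-monitor:v1}"   # placeholder reference
TRUST_STORE="${TRUST_STORE:-wabbit-networks.io}"   # placeholder trust-store name

# repo_scope strips the tag or digest from an image reference, because a
# trust policy's registryScopes entry names the repository, not one tag.
# Only the part after the last "/" can carry a tag, so "localhost:5000"
# keeps its port.
repo_scope() {
  ref="${1%%@*}"                         # drop "@sha256:..." if present
  case "$ref" in
    */*) base="${ref%/*}/"; last="${ref##*/}" ;;
    *)   base="";           last="$ref" ;;
  esac
  printf '%s%s\n' "$base" "${last%%:*}"  # drop ":tag" from the last path element
}

# write_trust_policy prints a Notation trust policy (policy format version
# 1.0) requiring a strict, trusted signature for images in the given scope,
# signed with a certificate from the "ca" trust store named $2.
write_trust_policy() {
  scope="$1"; store="$2"
  cat <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "${store}-images",
      "registryScopes": [ "${scope}" ],
      "signatureVerification": { "level": "strict" },
      "trustStores": [ "ca:${store}" ],
      "trustedIdentities": [ "*" ]
    }
  ]
}
EOF
}

sign_and_verify() {
  image="$1"

  # 1. Generate a self-signed test key and certificate, add the certificate
  #    to the "ca" trust store under $TRUST_STORE, and make the key the
  #    default signing key. Test certificates are for development only.
  notation cert generate-test --default "$TRUST_STORE"

  # 2. Sign by digest rather than by tag: a tag is mutable, so a signature
  #    over "image:v1" says nothing about what that tag points to tomorrow.
  #    RepoDigests is populated once the image has been pushed or pulled.
  digest_ref=$(docker inspect --format '{{index .RepoDigests 0}}' "$image")
  notation sign "$digest_ref"

  # 3. Install a trust policy limited to this repository.
  write_trust_policy "$(repo_scope "$image")" "$TRUST_STORE" > trustpolicy.json
  notation policy import trustpolicy.json

  # 4. Verify. A non-zero exit means no signature from a trusted identity
  #    was found, which is the signal a deployment gate should act on.
  notation verify "$digest_ref"
  notation list "$digest_ref"
}

# The network flow runs only on request, so the helpers can be sourced
# and exercised without a registry.
if [ "${NOTATION_RUN:-0}" = "1" ]; then
  sign_and_verify "$IMAGE"
fi
```

`notation verify` consults the trust policy whose `registryScopes` matches the image, so a policy written for `localhost:5000/net-monitor` will not accept a signature on an image from another repository even if the same certificate signed it.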

For more, see Signing Docker Image Scenarios.