specs/proposals/dm-verity.md
Lines changed: 12 additions & 6 deletions
@@ -61,17 +61,19 @@ This section outlines the proposed solution for signing and verifying OCI contai
61
61
2. Per-layer signing capability
62
62
3. Deterministic EROFS image and Merkle tree generation
63
63
4. OCI registry distribution for a new artifact containing the signed layer root hashes via ORAS Attached Artifacts
64
-
5. A new AKV plugin for the PKCS#7 format
65
64
66
65
### Extended Notation CLI
67
66
68
-
Extend `notation sign` with a new `--dm-verity` flag to enable automated per-layer signing:
67
+
Extend `notation sign` with a new `--dm-verity` flag to enable automated per-layer signing. While the command below assumes the container image exists in a remote registry, this argument should also work when signing [OCI image layouts](https://github.com/notaryproject/notation/blob/main/specs/cmd/sign.md#experimental-sign-container-images-stored-in-oci-layout-directory) with argument `--oci-layout` for local signing.
68
+
69
+
The manifest from the default sign behavior is signed with the expected JWS/COSE formats that can be verified in userspace while the layer hashes are signed with the PKCS#7 format by default until other formats are supported.
70
+
71
+
This command will not recursively sign multi-arch container images. In this case, the command should be run for each individual image for the requested architecture.
69
72
70
73
**Sample command:**
71
74
```bash
72
75
notation sign --dm-verity \
73
76
--id myKeyId \
74
-
--signature-format pkcs7 \
75
77
myregistry.azurecr.io/myapp@sha256:def456...
76
78
```
77
79
**Sample output:**
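Review bot: The sample command drops `--signature-format pkcs7` at the same time the new paragraph says the layer hashes "are signed with the PKCS#7 format by default"; the text should state explicitly that `--dm-verity` selects PKCS#7 for the per-layer signatures on its own and that `--signature-format` continues to govern only the manifest envelope (JWS/COSE), otherwise a reader of the old sample will assume the flag is still required. With item 5 (the AKV plugin for PKCS#7) removed from the list above, the paragraph should also say where the PKCS#7 signing capability is expected to come from, since the default format now has no named producer. For the multi-arch sentence, document what `notation sign --dm-verity` does when the reference resolves to an image index (fail with an error, or sign only the index manifest) rather than leaving the behaviour implicit in "will not recursively sign".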
@@ -146,9 +148,13 @@ The new entries are described below:
146
148
- io.cncf.notary.dm-verity.root-hash: The root hash value of the dm-verity block device
147
149
- io.cncf.notary.dm-verity.signature=true: This is a flag that notifies Notation that dm-verity signatures and root hashes exist in the artifact
148
150
149
-
The new referrer artifact is expected to add less than 5 KB of metadata per layer in the registry
150
-
- 1-2 KB for the json manifest entry
151
-
- 1-2 KB per signature blob
151
+
**Performance Metrics:**
152
+
- Registry overhead: ~4 KB per layer
153
+
-PKCS#7 signature blob: ~2 KB
154
+
- Manifest entry: ~2 KB
155
+
- Signing time: ~4-5 seconds per layer
156
+
- Timeout: 5 minutes for EROFS conversion with no hardcoded maximum layer size
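Review bot: `-PKCS#7 signature blob: ~2 KB` is missing the space after the hyphen, so it will not render as a list item; since the two ~2 KB figures are the components of the ~4 KB registry overhead, indent both under that bullet, e.g. `- Registry overhead: ~4 KB per layer` / `  - PKCS#7 signature blob: ~2 KB` / `  - Manifest entry: ~2 KB`. The removed wording gave an upper bound ("less than 5 KB"), whereas the new figures are point estimates (~4 KB, ~4-5 seconds); state how they were measured (layer size, signing backend) or keep them as bounds, so implementers are not held to numbers the spec cannot guarantee. For the timeout line, say what happens when the 5-minute EROFS conversion limit is hit (the whole `notation sign` invocation fails, or only that layer), since "no hardcoded maximum layer size" means large layers are exactly the case where the timeout will trigger.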