I am looking for the Artifactory default notary server. Docker Hub's default notary server is notary.docker.io, which is hosted in the cloud. Does Artifactory also support any cloud notary server?
1 Answer
You can check out "Working with Docker Content Trust"
Notary is Docker's platform to provide trusted delivery of content by signing images that are published.
A content publisher can then provide the corresponding signing keys that allow users to verify that content when it is consumed. Artifactory fully supports working with Docker Notary to ensure that Docker images uploaded to Artifactory can be signed, and then verified when downloaded for consumption. When the Docker client is configured to work with Docker Notary, after pushing an image to Artifactory, the client notifies the Notary to sign the image before assigning it a tag.
Artifactory supports hosting signed images without the need for any additional configuration.
Does Artifactory also support any cloud notary server?
So in that respect, your Artifactory instance can work with its own notary.
The article explains how to run a notary instance (on port 4443).

- Hi, thanks for the help. export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443 What should I give here? My Artifactory registry name? – Divya Vyas Apr 19 '18 at 06:25
- @DivyaVyas I have edited the answer: actually, Artifactory can work with a notary server: the article I mention explains how to run a notary server alongside your Artifactory instance (same IP, different port) – VonC Apr 19 '18 at 06:31
- I got it. How can I make my notary server accessible from the notary signer (which signs the image during docker push) and the client (where we pull the signed image)? If I understand the notary concept properly, the client will connect to the notary server to get image signature information. – Divya Vyas Apr 19 '18 at 07:36
- @DivyaVyas You will need to make sure the notary server is deployed with a public IP accessible from our client. – VonC Apr 19 '18 at 07:37
- Ok, thanks. I have one more question here. I am signing my Docker images using delegation keys, as my company CA server gives a certificate chain (root certificate, intermediate certificates). Does the notary support signing the images with a certificate chain? – Divya Vyas Apr 19 '18 at 08:05
- @DivyaVyas I believe so (not tested), same as using self-signed certificates (https://github.com/theupdateframework/notary/issues/1230). See also https://forums.docker.com/t/how-can-clients-control-the-certificates-that-are-used-to-sign-each-repo-gun/16221. – VonC Apr 19 '18 at 08:06