notary

module
v0.0.0-...-a9fda57 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 10, 2015 License: Apache-2.0

README

Notary Circle CI

The Notary project comprises a server and a client for running and interacting with trusted collections.

Notary aims to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server which is inherently flawed, as any compromise of the server enables malicious content to be substituted for the legitimate content.

With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.

Consumers, having acquired the publisher's public key through a secure channel, can then communicate with any notary server or (insecure) mirror, relying only on the publisher's key to determine the validity and integrity of the received content.

Goals

Notary is based on The Update Framework, a secure general design for the problem of software distribution and updates. By using TUF, notary achieves a number of key advantages:

  • Survivable Key Compromise: Content publishers must manage keys in order to sign their content. Signing keys may be compromised or lost so systems must be designed in order to be flexible and recoverable in the case of key compromise. TUF's notion of key roles is utilized to separate responsibilities across a hierarchy of keys such that loss of any particular key (except the root role) by itself is not fatal to the security of the system.
  • Freshness Guarantees: Replay attacks are a common problem in designing secure systems, where previously valid payloads are replayed to trick another system. The same problem exists in the software update systems, where old signed can be presented as the most recent. notary makes use of timestamping on publishing so that consumers can know that they are receiving the most up to date content. This is particularly important when dealing with software update where old vulnerable versions could be used to attack users.
  • Configurable Trust Thresholds: Oftentimes there are a large number of publishers that are allowed to publish a particular piece of content. For example, open source projects where there are a number of core maintainers. Trust thresholds can be used so that content consumers require a configurable number of signatures on a piece of content in order to trust it. Using thresholds increases security so that loss of individual signing keys doesn't allow publishing of malicious content.
  • Signing Delegation: To allow for flexible publishing of trusted collections, a content publisher can delegate part of their collection to another signer. This delegation is represented as signed metadata so that a consumer of the content can verify both the content and the delegation.
  • Use of Existing Distribution: Notary's trust guarantees are not tied at all to particular distribution channels from which content is delivered. Therefore, trust can be added to any existing content delivery mechanism.
  • Untrusted Mirrors and Transport: All of the notary metadata can be mirrored and distributed via arbitrary channels.

Notary CLI

Notary is a tool for publishing and managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and origin of content. This ability is built on a straightforward key management and signing interface to create signed collections and configure trusted publishers.

Using Notary

Lets try using notary.

Prerequisites:

As setup, let's build notary and then start up a local notary-server (don't forget to add 127.0.0.1 notary-server to your /etc/hosts, or if using docker-machine, add $(docker-machine ip) notary-server).

make binaries
docker-compose build
docker-compose up -d

Note: In order to have notary use the local notary server and development root CA we can load the local development configuration by appending -c cmd/notary/config.json to every command. If you would rather not have to use -c on every command, copy cmd/notary/config.json and cmd/notary/root-ca.crt to ~/.notary.

First, let's initiate a notary collection called example.com/scripts

notary init example.com/scripts

Now, look at the keys you created as a result of initialization

notary key list

Cool, now add a local file install.sh and call it v1

notary add example.com/scripts v1 install.sh

Wouldn't it be nice if others could know that you've signed this content? Use publish to publish your collection to your default notary-server

notary publish example.com/scripts

Now, others can pull your trusted collection

notary list example.com/scripts

More importantly, they can verify the content of your script by using notary verify:

curl example.com/install.sh | notary verify example.com/scripts v1 | sh

Notary Server

Notary Server manages TUF data over an HTTP API compatible with the notary client.

It may be configured to use either JWT or HTTP Basic Auth for authentication. Currently it only supports MySQL for storage of the TUF data, we intend to expand this to other storage options.

Setup for Development

The notary repository comes with Dockerfiles and a docker-compose file to facilitate development. Simply run the following commands to start a notary server with a temporary MySQL database in containers:

$ docker-compose build
$ docker-compose up

If you are on Mac OSX with boot2docker or kitematic, you'll need to update your hosts file such that the name notary is associated with the IP address of your VM (for boot2docker, this can be determined by running boot2docker ip, with kitematic, echo $DOCKER_HOST should show the IP of the VM). If you are using the default Linux setup, you need to add 127.0.0.1 notary to your hosts file.

Successfully connecting over TLS

By default notary-server runs with TLS with certificates signed by a local CA. In order to be able to successfully connect to it using either curl or openssl, you will have to use the root CA file in fixtures/root-ca.crt.

OpenSSL example:

openssl s_client -connect notary-server:4443 -CAfile fixtures/root-ca.crt

Compiling Notary Server

Prerequisites:

  • Go = 1.5.1
  • godep installed
  • libtool development headers installed

Install dependencies by running godep restore.

From the root of this git repository, run make binaries. This will compile the notary, notary-server, and notary-signer applications and place them in a bin directory at the root of the git repository (the bin directory is ignored by the .gitignore file).

notary-signer depends upon pkcs11, which requires that libtool headers be installed (libtool-dev on Ubuntu, libtool-ltdl-devel on CentOS/RedHat). If you are using Mac OS, you can brew install libtool, and run make binaries with the following environment variables (assuming a standard installation of Homebrew):

export CPATH=/usr/local/include:${CPATH}
export LIBRARY_PATH=/usr/local/lib:${LIBRARY_PATH}

Running Notary Server

The notary-server application has the following usage:

$ bin/notary-server --help
usage: bin/notary-serve
  -config="": Path to configuration file
  -debug=false: Enable the debugging server on localhost:8080

Configuring Notary Server

The configuration file must be a json file with the following format:

{
    "server": {
        "addr": ":4443",
        "tls_cert_file": "./fixtures/notary-server.crt",
        "tls_key_file": "./fixtures/notary-server.key"
    },
    "logging": {
        "level": 5
    }
}

The pem and key provided in fixtures are purely for local development and testing. For production, you must create your own keypair and certificate, either via the CA of your choice, or a self signed certificate.

If using the pem and key provided in fixtures, either:

  • Add fixtures/root-ca.crt to your trusted root certificates

  • Use the default configuration for notary client that loads the CA root for you by using the flag -c ./cmd/notary/config.json

  • Disable TLS verification by adding the following option notary configuration file in ~/.notary/config.json:

          "skipTLSVerify": true
    

Otherwise, you will see TLS errors or X509 errors upon initializing the notary collection:

$ notary list diogomonica.com/openvpn
* fatal: Get https://notary-server:4443/v2/: x509: certificate signed by unknown authority
$ notary list diogomonica.com/openvpn -c cmd/notary/config.json
latest b1df2ad7cbc19f06f08b69b4bcd817649b509f3e5420cdd2245a85144288e26d 4056

Directories

Path Synopsis
Godeps
_workspace/src/github.com/agl/ed25519
Package ed25519 implements the Ed25519 signature algorithm.
Package ed25519 implements the Ed25519 signature algorithm.
_workspace/src/github.com/agl/ed25519/edwards25519
Package edwards25519 implements operations in GF(2**255-19) and on an Edwards curve that is isomorphic to curve25519.
Package edwards25519 implements operations in GF(2**255-19) and on an Edwards curve that is isomorphic to curve25519.
_workspace/src/github.com/beorn7/perks/quantile
Package quantile computes approximate quantiles over an unbounded data stream within low memory and CPU bounds.
Package quantile computes approximate quantiles over an unbounded data stream within low memory and CPU bounds.
_workspace/src/github.com/bugsnag/bugsnag-go
Package bugsnag captures errors in real-time and reports them to Bugsnag (http://bugsnag.com).
Package bugsnag captures errors in real-time and reports them to Bugsnag (http://bugsnag.com).
_workspace/src/github.com/bugsnag/bugsnag-go/errors
Package errors provides errors that have stack-traces.
Package errors provides errors that have stack-traces.
_workspace/src/github.com/bugsnag/bugsnag-go/revel
Package bugsnagrevel adds Bugsnag to revel.
Package bugsnagrevel adds Bugsnag to revel.
_workspace/src/github.com/bugsnag/osext
Extensions to the standard "os" package.
Extensions to the standard "os" package.
_workspace/src/github.com/bugsnag/panicwrap
The panicwrap package provides functions for capturing and handling panics in your application.
The panicwrap package provides functions for capturing and handling panics in your application.
_workspace/src/github.com/docker/distribution/context
Package context provides several utilities for working with golang.org/x/net/context in http requests.
Package context provides several utilities for working with golang.org/x/net/context in http requests.
_workspace/src/github.com/docker/distribution/digest
Package digest provides a generalized type to opaquely represent message digests and their operations within the registry.
Package digest provides a generalized type to opaquely represent message digests and their operations within the registry.
_workspace/src/github.com/docker/distribution/health
Package health provides a generic health checking framework.
Package health provides a generic health checking framework.
_workspace/src/github.com/docker/distribution/registry/api/v2
Package v2 describes routes, urls and the error codes used in the Docker Registry JSON HTTP API V2.
Package v2 describes routes, urls and the error codes used in the Docker Registry JSON HTTP API V2.
_workspace/src/github.com/docker/distribution/registry/auth
Package auth defines a standard interface for request access controllers.
Package auth defines a standard interface for request access controllers.
_workspace/src/github.com/docker/distribution/registry/auth/htpasswd
Package htpasswd provides a simple authentication scheme that checks for the user credential hash in an htpasswd formatted file in a configuration-determined location.
Package htpasswd provides a simple authentication scheme that checks for the user credential hash in an htpasswd formatted file in a configuration-determined location.
_workspace/src/github.com/docker/distribution/registry/auth/silly
Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if is present and non-empty.
Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if is present and non-empty.
_workspace/src/github.com/docker/distribution/uuid
Package uuid provides simple UUID generation.
Package uuid provides simple UUID generation.
_workspace/src/github.com/docker/libtrust
Package libtrust provides an interface for managing authentication and authorization using public key cryptography.
Package libtrust provides an interface for managing authentication and authorization using public key cryptography.
_workspace/src/github.com/dvsekhvalnov/jose2go
Package jose provides high level functions for producing (signing, encrypting and compressing) or consuming (decoding) Json Web Tokens using Java Object Signing and Encryption spec
Package jose provides high level functions for producing (signing, encrypting and compressing) or consuming (decoding) Json Web Tokens using Java Object Signing and Encryption spec
_workspace/src/github.com/dvsekhvalnov/jose2go/aes
Package aes contains provides AES Key Wrap and ECB mode implementations
Package aes contains provides AES Key Wrap and ECB mode implementations
_workspace/src/github.com/dvsekhvalnov/jose2go/arrays
Package arrays provides various byte array utilities
Package arrays provides various byte array utilities
_workspace/src/github.com/dvsekhvalnov/jose2go/base64url
package base64url provides base64url encoding/decoding support
package base64url provides base64url encoding/decoding support
_workspace/src/github.com/dvsekhvalnov/jose2go/compact
package compact provides function to work with json compact serialization format
package compact provides function to work with json compact serialization format
_workspace/src/github.com/dvsekhvalnov/jose2go/kdf
package kdf contains implementations of various key derivation functions
package kdf contains implementations of various key derivation functions
_workspace/src/github.com/dvsekhvalnov/jose2go/keys/ecc
package ecc provides helpers for creating elliptic curve leys
package ecc provides helpers for creating elliptic curve leys
_workspace/src/github.com/dvsekhvalnov/jose2go/keys/rsa
package Rsa provides helpers for creating rsa leys
package Rsa provides helpers for creating rsa leys
_workspace/src/github.com/dvsekhvalnov/jose2go/padding
package padding provides various padding algorithms
package padding provides various padding algorithms
_workspace/src/github.com/go-sql-driver/mysql
Go MySQL Driver - A MySQL-Driver for Go's database/sql package
Go MySQL Driver - A MySQL-Driver for Go's database/sql package
_workspace/src/github.com/golang/protobuf/proto
Package proto converts data structures to and from the wire format of protocol buffers.
Package proto converts data structures to and from the wire format of protocol buffers.
_workspace/src/github.com/golang/protobuf/proto/proto3_proto
Package proto3_proto is a generated protocol buffer package.
Package proto3_proto is a generated protocol buffer package.
_workspace/src/github.com/google/gofuzz
Package fuzz is a library for populating go objects with random values.
Package fuzz is a library for populating go objects with random values.
_workspace/src/github.com/gorilla/context
Package context stores values shared during a request lifetime.
Package context stores values shared during a request lifetime.
_workspace/src/github.com/gorilla/mux
Package gorilla/mux implements a request router and dispatcher.
Package gorilla/mux implements a request router and dispatcher.
_workspace/src/github.com/jfrazelle/go/canonical/json
Package json implements encoding and decoding of JSON objects as defined in RFC 4627.
Package json implements encoding and decoding of JSON objects as defined in RFC 4627.
_workspace/src/github.com/kr/pretty
Package pretty provides pretty-printing for Go values.
Package pretty provides pretty-printing for Go values.
_workspace/src/github.com/kr/text
Package text provides rudimentary functions for manipulating text in paragraphs.
Package text provides rudimentary functions for manipulating text in paragraphs.
_workspace/src/github.com/kr/text/colwriter
Package colwriter provides a write filter that formats input lines in multiple columns.
Package colwriter provides a write filter that formats input lines in multiple columns.
_workspace/src/github.com/kr/text/mc
Command mc prints in multiple columns.
Command mc prints in multiple columns.
_workspace/src/github.com/magiconair/properties
Package properties provides functions for reading and writing ISO-8859-1 and UTF-8 encoded .properties files and has support for recursive property expansion.
Package properties provides functions for reading and writing ISO-8859-1 and UTF-8 encoded .properties files and has support for recursive property expansion.
_workspace/src/github.com/mattn/go-sqlite3
Package sqlite3 provides interface to SQLite3 databases.
Package sqlite3 provides interface to SQLite3 databases.
_workspace/src/github.com/matttproud/golang_protobuf_extensions/pbutil
Package pbutil provides record length-delimited Protocol Buffer streaming.
Package pbutil provides record length-delimited Protocol Buffer streaming.
_workspace/src/github.com/miekg/pkcs11
Package pkcs11 is a wrapper around the PKCS#11 cryptographic library.
Package pkcs11 is a wrapper around the PKCS#11 cryptographic library.
_workspace/src/github.com/mitchellh/mapstructure
The mapstructure package exposes functionality to convert an abitrary map[string]interface{} into a native Go structure.
The mapstructure package exposes functionality to convert an abitrary map[string]interface{} into a native Go structure.
_workspace/src/github.com/prometheus/client_golang/prometheus
Package prometheus provides embeddable metric primitives for servers and standardized exposition of telemetry through a web services interface.
Package prometheus provides embeddable metric primitives for servers and standardized exposition of telemetry through a web services interface.
_workspace/src/github.com/prometheus/client_model/go
Package io_prometheus_client is a generated protocol buffer package.
Package io_prometheus_client is a generated protocol buffer package.
_workspace/src/github.com/prometheus/common/expfmt
A package for reading and writing Prometheus metrics.
A package for reading and writing Prometheus metrics.
HTTP Content-Type Autonegotiation.
_workspace/src/github.com/prometheus/common/model
Package model contains common data structures that are shared across Prometheus componenets and libraries.
Package model contains common data structures that are shared across Prometheus componenets and libraries.
_workspace/src/github.com/prometheus/procfs
Package procfs provides functions to retrieve system, kernel and process metrics from the pseudo-filesystem proc.
Package procfs provides functions to retrieve system, kernel and process metrics from the pseudo-filesystem proc.
_workspace/src/github.com/spf13/cobra
Package cobra is a commander providing a simple interface to create powerful modern CLI interfaces.
Package cobra is a commander providing a simple interface to create powerful modern CLI interfaces.
_workspace/src/github.com/spf13/pflag
pflag is a drop-in replacement for Go's flag package, implementing POSIX/GNU-style --flags.
pflag is a drop-in replacement for Go's flag package, implementing POSIX/GNU-style --flags.
_workspace/src/github.com/spf13/viper/remote
Package remote integrates the remote features of Viper.
Package remote integrates the remote features of Viper.
_workspace/src/github.com/stretchr/testify/assert
Package assert provides a set of comprehensive testing tools for use with the normal Go testing system.
Package assert provides a set of comprehensive testing tools for use with the normal Go testing system.
_workspace/src/golang.org/x/crypto/bcrypt
Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing algorithm.
Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing algorithm.
_workspace/src/golang.org/x/crypto/blowfish
Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
_workspace/src/golang.org/x/crypto/nacl/secretbox
Package secretbox encrypts and authenticates small messages.
Package secretbox encrypts and authenticates small messages.
_workspace/src/golang.org/x/crypto/pbkdf2
Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC 2898 / PKCS #5 v2.0.
Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC 2898 / PKCS #5 v2.0.
_workspace/src/golang.org/x/crypto/poly1305
Package poly1305 implements Poly1305 one-time message authentication code as specified in http://cr.yp.to/mac/poly1305-20050329.pdf.
Package poly1305 implements Poly1305 one-time message authentication code as specified in http://cr.yp.to/mac/poly1305-20050329.pdf.
_workspace/src/golang.org/x/crypto/salsa20/salsa
Package salsa provides low-level access to functions in the Salsa family.
Package salsa provides low-level access to functions in the Salsa family.
_workspace/src/golang.org/x/crypto/scrypt
Package scrypt implements the scrypt key derivation function as defined in Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard Functions" (http://www.tarsnap.com/scrypt/scrypt.pdf).
Package scrypt implements the scrypt key derivation function as defined in Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard Functions" (http://www.tarsnap.com/scrypt/scrypt.pdf).
_workspace/src/golang.org/x/net/context
Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes.
Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes.
_workspace/src/golang.org/x/net/context/ctxhttp
Package ctxhttp provides helper functions for performing context-aware HTTP requests.
Package ctxhttp provides helper functions for performing context-aware HTTP requests.
_workspace/src/golang.org/x/net/http2
Package http2 implements the HTTP/2 protocol.
Package http2 implements the HTTP/2 protocol.
_workspace/src/golang.org/x/net/http2/h2i
The h2i command is an interactive HTTP/2 console.
The h2i command is an interactive HTTP/2 console.
_workspace/src/golang.org/x/net/http2/hpack
Package hpack implements HPACK, a compression format for efficiently representing HTTP header fields in the context of HTTP/2.
Package hpack implements HPACK, a compression format for efficiently representing HTTP header fields in the context of HTTP/2.
_workspace/src/golang.org/x/net/internal/timeseries
Package timeseries implements a time series structure for stats collection.
Package timeseries implements a time series structure for stats collection.
_workspace/src/golang.org/x/net/trace
Package trace implements tracing of requests and long-lived objects.
Package trace implements tracing of requests and long-lived objects.
_workspace/src/google.golang.org/grpc
Package grpc implements an RPC system called gRPC.
Package grpc implements an RPC system called gRPC.
_workspace/src/google.golang.org/grpc/benchmark
Package benchmark implements the building blocks to setup end-to-end gRPC benchmarks.
Package benchmark implements the building blocks to setup end-to-end gRPC benchmarks.
_workspace/src/google.golang.org/grpc/benchmark/grpc_testing
Package grpc_testing is a generated protocol buffer package.
Package grpc_testing is a generated protocol buffer package.
_workspace/src/google.golang.org/grpc/codes
Package codes defines the canonical error codes used by gRPC.
Package codes defines the canonical error codes used by gRPC.
_workspace/src/google.golang.org/grpc/credentials
Package credentials implements various credentials supported by gRPC library, which encapsulate all the state needed by a client to authenticate with a server and make various assertions, e.g., about the client's identity, role, or whether it is authorized to make a particular call.
Package credentials implements various credentials supported by gRPC library, which encapsulate all the state needed by a client to authenticate with a server and make various assertions, e.g., about the client's identity, role, or whether it is authorized to make a particular call.
_workspace/src/google.golang.org/grpc/credentials/oauth
Package oauth implements gRPC credentials using OAuth.
Package oauth implements gRPC credentials using OAuth.
_workspace/src/google.golang.org/grpc/examples/helloworld/helloworld
Package helloworld is a generated protocol buffer package.
Package helloworld is a generated protocol buffer package.
_workspace/src/google.golang.org/grpc/examples/route_guide/client
Package main implements a simple gRPC client that demonstrates how to use gRPC-Go libraries to perform unary, client streaming, server streaming and full duplex RPCs.
Package main implements a simple gRPC client that demonstrates how to use gRPC-Go libraries to perform unary, client streaming, server streaming and full duplex RPCs.
_workspace/src/google.golang.org/grpc/examples/route_guide/routeguide
Package proto is a generated protocol buffer package.
Package proto is a generated protocol buffer package.
_workspace/src/google.golang.org/grpc/examples/route_guide/server
Package main implements a simple gRPC server that demonstrates how to use gRPC-Go libraries to perform unary, client streaming, server streaming and full duplex RPCs.
Package main implements a simple gRPC server that demonstrates how to use gRPC-Go libraries to perform unary, client streaming, server streaming and full duplex RPCs.
_workspace/src/google.golang.org/grpc/grpclog
Package grpclog defines logging for grpc.
Package grpclog defines logging for grpc.
_workspace/src/google.golang.org/grpc/grpclog/glogger
Package glogger defines glog-based logging for grpc.
Package glogger defines glog-based logging for grpc.
_workspace/src/google.golang.org/grpc/health
Package health provides some utility functions to health-check a server.
Package health provides some utility functions to health-check a server.
_workspace/src/google.golang.org/grpc/health/grpc_health_v1alpha
Package grpc_health_v1alpha is a generated protocol buffer package.
Package grpc_health_v1alpha is a generated protocol buffer package.
_workspace/src/google.golang.org/grpc/interop/grpc_testing
Package grpc_testing is a generated protocol buffer package.
Package grpc_testing is a generated protocol buffer package.
_workspace/src/google.golang.org/grpc/metadata
Package metadata define the structure of the metadata supported by gRPC library.
Package metadata define the structure of the metadata supported by gRPC library.
_workspace/src/google.golang.org/grpc/naming
Package naming defines the naming API and related data structures for gRPC.
Package naming defines the naming API and related data structures for gRPC.
_workspace/src/google.golang.org/grpc/test/codec_perf
Package codec_perf is a generated protocol buffer package.
Package codec_perf is a generated protocol buffer package.
_workspace/src/google.golang.org/grpc/test/grpc_testing
Package grpc_testing is a generated protocol buffer package.
Package grpc_testing is a generated protocol buffer package.
_workspace/src/google.golang.org/grpc/transport
Package transport defines and implements message oriented communication channel to complete various transactions (e.g., an RPC).
Package transport defines and implements message oriented communication channel to complete various transactions (e.g., an RPC).
_workspace/src/gopkg.in/yaml.v2
Package yaml implements YAML support for the Go language.
Package yaml implements YAML support for the Go language.
cmd
pkg
passphrase
Package passphrase is a utility function for managing passphrase for TUF and Notary keys.
Package passphrase is a utility function for managing passphrase for TUF and Notary keys.
Package proto is a generated protocol buffer package.
Package proto is a generated protocol buffer package.
api
tuf
Package tuf defines the core TUF logic around manipulating a repo.
Package tuf defines the core TUF logic around manipulating a repo.
encrypted
Package encrypted provides a simple, secure system for encrypting data symmetrically with a passphrase.
Package encrypted provides a simple, secure system for encrypting data symmetrically with a passphrase.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL