notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

Which signing methods are supported by Notary? Especially by Docker Hub? #1548

Open drauch opened 4 years ago

drauch commented 4 years ago

According to https://github.com/theupdateframework/specification/blob/master/tuf-spec.md the TUF reference implementation only supports rsassa-pss-sha256, ed25519 and ecdsa-sha2-nistp256 - is this true for Notary, and especially for Docker Hub?

Is it possible to use RSA PKCS1 instead or are such signatures rejected?

Best regards, D.R.

drauch commented 4 years ago

(Is RSASSA-PSS-SHA256 even supported or is Docker supporting the ECDSA-based method only?)

aabashkin commented 3 years ago

It's currently hardcoded to ECDSA - https://github.com/theupdateframework/notary/blob/master/client/client.go#L418

aabashkin commented 3 years ago

More evidence - https://github.com/theupdateframework/notary/blob/master/cmd/notary/keys.go#L202

drauch commented 3 years ago

That's true for creating new signatures with the Notary framework, but how about verifying existing signatures? Does Docker Hub accept other signatures as well? E.g., RSA PKCS1 signatures?