
Why not use Notary v2? #423

Closed
AlekSi opened this issue Jul 8, 2021 · 10 comments
Labels
question Further information is requested

Comments

@AlekSi

AlekSi commented Jul 8, 2021

The most interesting FAQ entry is empty: https://github.com/sigstore/cosign#why-not-use-notary-v2

@AlekSi AlekSi added the question Further information is requested label Jul 8, 2021
@dlorenc
Member

dlorenc commented Jul 8, 2021

Hey @AlekSi!

The simple answer is that you can't use notary v2 right now :)

Many of us are actively engaged in the Notary V2 working groups, but I don't have a clear enough picture of what that project is intending to eventually build/become to write a detailed explanation of the differences. My hope is that we can eventually align on an interoperable signature format, see some of my proposals over there:

notaryproject/notation#40
notaryproject/notation#39

@AlekSi
Author

AlekSi commented Jul 8, 2021

> The simple answer is that you can't use notary v2 right now :)

The first FAQ entry tells me that I can't (should not) use cosign too.

https://www.docker.com/blog/secure-software-supply-chain-best-practices/ tells me

We are currently working with the CNCF, Amazon and Microsoft on the Notary v2 project to update container signing which we will ship in a few months.

You plan to release 1.0.0 this month.

I… just don't understand how two projects that are so close to shipping are not compared in the README / FAQ. As a user, I'm looking for that information.

@dlorenc
Member

dlorenc commented Jul 8, 2021

I can't really comment on that blog post, other than to say that it's quite far from my understanding of the state of the notary v2 project.

Here's my understanding of the differences as of today, July 8th:

Cosign

  • Cosign was designed to work with existing registries over existing OCI specifications and APIs, and can be used by over a dozen production registries today.
  • We're using it in production, despite the warnings, which will be removed later this month as you saw: https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html. We're encouraging people to try it out today, but not to take any critical production dependencies on it until the 1.0.

Notary V2

  • The Notary V2 project currently uses a new, proposed set of OCI APIs that is still under discussion and is not supported by any production registries today.
  • See here for a recent writeup I did on the state of these new APIs.
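The first Cosign bullet above rests on one convention worth seeing concretely: cosign keeps a signature in the same repository as the image, as an ordinary OCI artifact tagged `sha256-<digest hex>.sig`, so it needs nothing from a registry beyond the ability to store and fetch images. The following is an added illustration, not cosign's own code and not part of this thread: it derives that signature tag from a digest-pinned reference, builds the Simple Signing payload cosign signs over, and shows the digest-binding check a verifier must perform after the cryptographic signature itself validates. The exact JSON byte serialization and the `sha256:abab…` digest are this example's own constructed choices.

```python
import json
import re

# Added illustration of the convention dlorenc's comment relies on: cosign
# stores a signature in the *same* repository as the image, as an ordinary
# OCI artifact tagged sha256-<digest hex>.sig, so any registry that can hold
# an image can hold its signature. The reference parser and payload layout
# below are a reimplementation for illustration, not cosign's own code.

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref: str):
    """Split 'registry/repo[:tag][@sha256:hex]' into (repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"unsupported or malformed digest: {digest!r}")
    tag = None
    head, _, last = ref.rpartition("/")  # a registry port colon sits before the last '/'
    if ":" in last:
        last, tag = last.split(":", 1)
    repo = f"{head}/{last}" if head else last
    return repo, tag, digest


def signature_reference(image_ref: str) -> str:
    """Tag where cosign looks for the signature of a digest-pinned image."""
    repo, _tag, digest = parse_reference(image_ref)
    if digest is None:
        # A tag can be re-pointed at a different image; look signatures up by
        # the digest that was actually pulled, never by the tag.
        raise ValueError("resolve the tag to a digest before looking up signatures")
    return f"{repo}:{digest.replace(':', '-')}.sig"


def simple_signing_payload(repo: str, digest: str) -> bytes:
    """Build the Simple Signing JSON that cosign signs. Field layout follows the
    spec; the compact, key-sorted serialization is this example's own choice."""
    payload = {
        "critical": {
            "identity": {"docker-reference": repo},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def payload_binds_digest(payload: bytes, pulled_digest: str) -> bool:
    """Once the signature over `payload` verifies, the verifier must also confirm
    the payload names the manifest digest that was actually pulled; otherwise a
    valid signature over some other image would be accepted for this one."""
    try:
        critical = json.loads(payload)["critical"]
        return (
            critical["type"] == "cosign container image signature"
            and critical["image"]["docker-manifest-digest"] == pulled_digest
        )
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    # Constructed example digest; it does not correspond to any real image.
    digest = "sha256:" + "ab" * 32
    ref = f"ghcr.io/example/app@{digest}"
    print(signature_reference(ref))
    payload = simple_signing_payload("ghcr.io/example/app", digest)
    print(payload_binds_digest(payload, digest))
```

The point of `payload_binds_digest` is the part that is easy to get wrong when building a verifier on top of any signature scheme: a signature proves that someone with the key signed *that payload*, and only the digest inside the payload ties it to the bytes you are about to run.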

@SantiagoTorres

> You plan to release 1.0.0 this month.

Just want to point out that there's a whole sea of difference between "this software has been released a couple of times, and is about to reach API stability" with "there's a blogpost somewhere that promises that they will work very hard to release something in 'a few months if all is well'"

Part of the challenge is that there is no public Notary V2 design yet (at least that I'm aware of). I can't tell you why or why not use a product that does not exist.

Admittedly, Half-Life 3 always sounded good, but I can't recommend that one either.

@trishankatdatadog

@AlekSi AFAICT, Notary v2 has not publicly committed to offer security levels comparable to TUF (implemented in Notary v1). It is strange why they would downgrade security by default.

OTOH, cosign works well with TUF and in-toto.

@dlorenc
Member

dlorenc commented Oct 30, 2021

Update: now that the notation alpha is out I'm working on a document to compare these and will share when it's finished. I've asked some of the notary maintainers to review it as well.

If you'd like to help review or edit before it's finished, please let me know and I'll add you to the document!

@trishankatdatadog

> If you'd like to help review or edit before it's finished, please let me know and I'll add you to the document!

Count me in after it's finished

@derwei

derwei commented Nov 2, 2021

I'd love to read up on the comparison between notation alpha and cosign and to help however I can. Please count me in too!

@dlorenc
Member

dlorenc commented Nov 7, 2021

The draft is almost ready and I'm going to be publishing it tomorrow. Thanks everyone for the reviews!

@dlorenc
Member

dlorenc commented Nov 8, 2021

Closing with #1014.

@dlorenc dlorenc closed this as completed Nov 8, 2021
5 participants