Notary v2 & OCI Signing
Shipping Trusted Container Images
by Trex Team
Digital download, no shipping costs
Description
"Notary v2 & OCI Signing: Shipping Trusted Container Images"
This book is for experienced platform engineers, security engineers, and DevOps practitioners who are done with “tag-based trust” and want verifiable, portable guarantees for what actually runs in production. It starts from the realities of OCI distribution—digests, manifests, indexes, and registries—and builds a rigorous, systems-level understanding of how modern container signing works when multiple teams, multiple registries, and real operational constraints collide.
You’ll learn how Notary v2’s specifications map to interoperable behavior, and how to use Notation to sign and verify OCI artifacts in a way that survives promotion, rollback, replication, and multi-arch releases. The book goes deep on producer and consumer workflows: digest-first signing, signature publication and discovery via referrers, trust store and policy design, and the internals of signature envelopes (COSE/JWS) so you can debug failures rather than work around them. It then hardens the story for long-lived trust with RFC 3161 timestamping, OCSP/CRL revocation trade-offs, deterministic verification under time/network variability, and incident response for compromised identities.
Expect an operator’s perspective throughout: concrete flows, decision criteria, failure modes, and enforcement patterns across CI gates, registries, and cluster admission—designed to fail closed without causing outages. Familiarity with OCI images, registries, PKI basics, and CI/CD is assumed.
Product details
| ISBN | 6610001191467 |
| Publisher | NobleTrex Press |
| Publication date | 22.03.2026 |
| Language | English |