
Coming soon: Notation plugin

This Notation plugin (notation-digicert-stm) lets you sign and verify OCI container images using keys stored securely in DigiCert® Software Trust Manager.

The plugin ensures that private keys never leave DigiCert’s hardware security module (HSM). All cryptographic operations are performed securely in DigiCert’s cloud.

What can the Notation plugin sign?

The Notation plugin connects the Notation CLI to the Software Trust Manager API to enable secure container image signing and verification.

It supports:

  • JWS and COSE signature formats

  • RFC 3161 timestamping (optional)

  • Full certificate chain and revocation validation

Before you begin

Before you begin, make sure you have:

Tip

Important limitations

  • Notation does not support partial wildcards like registry.example.com/*

  • Only "*" is allowed as a global wildcard in trust policies

  • Always use full repository paths for scoped policies
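The three scope rules above are easy to get wrong by hand, and Notation only reports the problem at verification time. The following linter is an added example, not DigiCert's or the Notary Project's code; it assumes the standard Notation trustpolicy.json layout (a top-level "trustPolicies" list whose entries carry "name" and "registryScopes"), and both sample policies embedded in it are constructed for illustration. It flags partial wildcards, non-repository scopes, and empty scope lists, and accepts "*" only as the global wildcard.

```python
import json

# Constructed sample: one correctly scoped policy and one global-wildcard policy.
GOOD_POLICY = json.dumps({
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "scoped",
            "registryScopes": ["registry.example.com/team/app"],
            "signatureVerification": {"level": "strict"},
            "trustStores": ["ca:digicert"],
            "trustedIdentities": ["*"],
        },
        {
            "name": "catch-all",
            "registryScopes": ["*"],
            "signatureVerification": {"level": "strict"},
            "trustStores": ["ca:digicert"],
            "trustedIdentities": ["*"],
        },
    ],
})

# Constructed sample: a partial wildcard and a bare registry host, both unsupported.
BAD_POLICY = json.dumps({
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "bad",
            "registryScopes": ["registry.example.com/*", "registry.example.com"],
            "signatureVerification": {"level": "strict"},
            "trustStores": ["ca:digicert"],
            "trustedIdentities": ["*"],
        }
    ],
})


def scope_problems(scope: str) -> list[str]:
    """Return the rule violations for a single registryScopes entry."""
    if scope == "*":
        return []  # the only wildcard form Notation accepts
    problems = []
    if "*" in scope:
        problems.append(f"partial wildcard is not supported: {scope!r}")
    # A full repository path is registry/repository; a bare host is not enough.
    if "/" not in scope or scope.endswith("/"):
        problems.append(f"not a full repository path (expected registry/repository): {scope!r}")
    return problems


def lint_trust_policy(policy_json: str) -> dict[str, list[str]]:
    """Map each policy name to the list of scope problems found (empty list = clean)."""
    policy = json.loads(policy_json)
    findings: dict[str, list[str]] = {}
    for statement in policy.get("trustPolicies", []):
        name = statement.get("name", "<unnamed>")
        scopes = statement.get("registryScopes", [])
        problems = [] if scopes else ["registryScopes is empty"]
        for scope in scopes:
            problems.extend(scope_problems(scope))
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for name, problems in lint_trust_policy(doc).items():
            status = "OK" if not problems else "; ".join(problems)
            print(f"[{label}] policy {name!r}: {status}")
```

Run it against your own trustpolicy.json by passing the file contents to lint_trust_policy; a non-empty list for any policy name means Notation will not match images the way the scope suggests.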

Step 1: Download Notation plugin

  1. In the Software Trust menu, go to Resources > Client tool repository.

  2. Select the Client tools tab.

  3. Select the download icon next to Notation plugin.

Step 2: Install Notation plugin

The --force flag overwrites a previous installation.

  1. From GitHub, download Notation CLI.

  2. From the Notation CLI, install the Software Trust Manager Notation plugin:

  3. Verify the notation plugin:

    notation plugin list

    Expected output:

    NAME           DESCRIPTION                                          VERSION  CAPABILITIES                                                    ERROR
    digicert-stm   DigiCert Software Trust Manager plugin for Notation  1.x.x    [SIGNATURE_GENERATOR.RAW SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK]

Step 3: Set your environment variables

Set the required environment variables before running any commands.

See also

Sign container images with Notation CLI using Notation plugin