Skip to main content

Coming soon: Notation plugin

This Notation plugin (notation-digicert-stm) lets you sign and verify OCI container images using keys stored securely in DigiCert​​®​​ Software Trust Manager.

The plugin ensures that private keys never leave DigiCert’s hardware security module (HSM). All cryptographic operations are performed securely in DigiCert’s cloud.

What is the Notation plugin used for?

The Notation plugin connects the Notation CLI to the Software Trust Manager API to enable secure container image signing and verification.

It supports:

  • JWS and COSE signature formats

  • RFC 3161 timestamping (optional)

  • Full certificate chain and revocation validation

When should you use the Notation plugin?

Use this plugin when you need to:

  • Sign container images using centrally managed keys

  • Enforce supply chain security policies

  • Keep private keys inside a cloud HSM

  • Integrate signing into CI/CD pipelines

What can the notation plugin do?

The plugin provides the following capabilities:

  • Generate a signature

    Creates a secure digital signature for your container image

  • Create a full signed package

    Adds the signature along with certificate details

  • Verify identity

    Confirms that the signer is trusted

  • Check certificate status

    Ensures the signing certificate is still valid and not revoked

How does the Notation plugin work?

The Notation CLI delegates signing operations to the plugin, which securely communicates with Software Trust Manager:

Notation CLI
   → plugin (notation-digicert-stm)
      → DigiCert Software Trust Manager API (mTLS)
         → HSM performs signing
      ← signature returned
   → signature stored in OCI registry

Prerequisites

Requirement

Minimum version

Notes

notation

v1.1.0

Verify with notation version

Docker or OCI client

Required for pushing images

OCI registry

OCI 1.1+

Docker Hub, ECR, ACR, GCR, etc.

DigiCert Software Trust Manager account

Required for authentication

API key

From Software Trust Manager portal

Client certificate (.p12)

Used for mTLS authentication

Keypair in Software Trust Manager

Retrieve alias with smctl keypair list

Dica

Important limitations

  • Notation does not support partial wildcards like registry.example.com/*

  • Only "*" is allowed as a global wildcard in trust policies

  • Always use full repository paths for scoped policies

Step 1: Download Notation plugin

  1. In the Software Trust menu, go to Resources > Client tool repository.

  2. Select the Client tools tab.

  3. Select the download icon next to Notation plugin.

Step 2: Install notation plugin

The --force flag overwrites a previous installation.

  1. From GitHub, download Notation CLI.

  2. From the Notation CLI, install the Software Trust notation plugin::

  3. Verify the notation plugin:

    notation plugin list

    Expected output:

    NAME           DESCRIPTION                                          VERSION  CAPABILITIES                                                    ERROR
digicert-stm   DigiCert Software Trust Manager plugin for Notation  1.x.x    [SIGNATURE_GENERATOR.RAW SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK]

Step 3: Authentication (environment variables)

Set the required environment variables before running any commands.

See also

Sign container images with Notation CLI using Notation plugin

Nesta secção: