added secure deployment guide

Signed-off-by: Zach Rhoads <[email protected]>
notaryproject · Jun 13, 2023 · 31c8797 · 31c8797
1 parent 1bd87af
commit 31c8797
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/content/en/docs/concepts/secure-deployment.md b/content/en/docs/concepts/secure-deployment.md
@@ -0,0 +1,35 @@
+---
+title: "Securely deploying Notation"
+description: "Best practices for securely deploying Notation"
+type: docs
+weight: 2
+---
+
+A deployment of Notation, specifically the `notation` CLI, is used for signing and verifying container images. The `notation` CLI is usually deployed on a development computer or in a CI/CD pipeline, such as GitHub Actions.
+
+A deployment has several sensitive components:
+
+- [Trust policies]({{< ref "/docs/how-to/manage-trust-policy" >}})
+- [Trust stores and certificates]({{< ref "/docs/concepts/directory-structure" >}})
+- Plugins
+
+It is strongly recommended that you follow the best practices in this document to secure your deployment of Notation. Notation works with a shared responsibility model, meaning users and organizations are responsible for securing the `notation` CLI deployment.
+
+Failure to secure the filesystem on development computers and hosts with `notation` CLI deployments can result in malicious plugins being installed, trust policies being modified to allow verification compromised or untrusted artifacts, and trust stores being modified to have untrusted or compromised certificates.
+
+## Secure filesystem access
+
+The sensitive components of a deployment of Notation are stored on the filesystem. For development computers managed by individuals and hosts directly managed by your organization, you should follow general best practices as well as your organization's best practices for securing those development computers and hosts, such as:
+
+- Ensuring the operating system is fully patched
+- The disk encryption follows your organizations encryption policies
+- Use strong passwords and adhere to your organization's password policies
+- Access to the Notation deployment directory is restricted to only authorized users, such as those with `sudo` access, administrators, or the user that owns the directory 
+
+Every organization has different policies and best practices for securing development computers and hosts, and they should be followed as a part securing filesystem on development computers and hosts with `notation` CLI deployments.
+
+## Other security best practices
+
+For development computers managed by individuals and hosts directly managed by your organization, ensure the access to those systems as well as locations of the sensitive components of a deployment of Notation are restricted to only authorized users.
+
+For computers not directly managed by individuals or your organization, such as hosts used for CI/CD pipelines, ensure manner in which the sensitive components of a deployment of Notation are stored, accessed, and transmitted to those computers follows your organizations best practices and are restricted only to authorized users.
diff --git a/content/en/docs/concepts/specs-requirements.md b/content/en/docs/concepts/specs-requirements.md
@@ -2,7 +2,7 @@
 title: "Notary project specifications and requirements"
 description: "Notary project specifications and requirements"
 type: docs
-weight: 4
+weight: 10
 ---
 
 More information on the specifications, requirements, and other details about the Notary project can be found in the [Notary repository](https://github.com/notaryproject/notaryproject/tree/main).