Advanced Java, one interview question a day - 2026-02-18 - Practical [Docker] - How do you ensure an image's provenance is trusted? What roles do Notation and Cosign play?

Trusted image provenance is at the core of software supply chain security. In Java microservice delivery an image may pass through many hands and storage locations, and a hash digest alone cannot prove who published it. Container image signing uses cryptography to bind an image to a trusted identity, guaranteeing that the image has not been modified since it was published and that it really comes from the publisher it claims. Notation and Cosign are the two mainstream signing and verification tools in today's cloud-native ecosystem; they represent, respectively, the OCI-distribution-based and the Sigstore keyless approaches to signing.

1. How signing makes an image's provenance trustworthy

Image signing is not a simple "rubber stamp"; it builds a chain of trust from the signer's identity to the image content.
[Flowchart: the signing and verification chain of trust]
Publisher side: build the image → compute the image manifest digest → sign the digest with the private key → produce a signature object → push the signature to the registry.
Consumer side: pull the image and its signature → verify the signature with the public key → signature valid and identity matches? → yes: trust the image and allow deployment; no: reject the image.

  • Integrity: the signature covers the image's immutable digest, so any modification of the content makes signature verification fail.
  • Non-repudiation: the signature is produced with a private key; only the holder of that key can produce a valid signature.
  • Identity binding: the signature carries the signer's identity (user ID, build pipeline, organization), from which the verifier can judge who published the image.
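To make the chain of trust above concrete, here is an added example (my own illustration, not code from this page, from Notation or from Cosign) that reproduces the publisher and consumer steps in Go. It computes a manifest digest, signs that digest together with an asserted identity using Ed25519 (chosen only because it is in Go's standard library; Notation and Cosign use their own algorithms and signature formats), and then shows that a modified manifest, or a modified manifest re-signed with an untrusted key, fails verification. The manifest JSON, the identity string and the key pairs are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Constructed sample manifest; a registry stores the manifest bytes and
// addresses them by their sha256 digest.
const sampleManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[]}`

// ManifestDigest returns the content-addressable digest "sha256:<hex>".
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignaturePayload is what the publisher signs: the digest plus the identity
// being asserted. Putting the identity inside the signed bytes is what lets
// the verifier bind content to publisher (identity binding).
type SignaturePayload struct {
	Digest   string `json:"digest"`
	Identity string `json:"identity"`
}

// Sign serializes the payload and signs it with the publisher's private key.
func Sign(priv ed25519.PrivateKey, digest, identity string) (payload, sig []byte, err error) {
	payload, err = json.Marshal(SignaturePayload{Digest: digest, Identity: identity})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify performs the consumer-side checks in order: the signature must come
// from the trusted key, the digest of the bytes actually pulled must equal the
// signed digest (integrity), and the asserted identity must be the expected
// publisher (identity binding).
func Verify(pub ed25519.PublicKey, manifest, payload, sig []byte, expectedIdentity string) error {
	if !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("signature not produced by the trusted key, or payload altered")
	}
	var p SignaturePayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return err
	}
	if got := ManifestDigest(manifest); got != p.Digest {
		return fmt.Errorf("digest mismatch: signed %s, pulled %s", p.Digest, got)
	}
	if p.Identity != expectedIdentity {
		return fmt.Errorf("identity mismatch: signed by %q, expected %q", p.Identity, expectedIdentity)
	}
	return nil
}

// Demo runs the three cases the text describes and reports whether each one
// verified: the genuine image, a modified image with the original signature,
// and a modified image re-signed by an untrusted key (the "replace the image
// and recompute the digest" case, which the signature still rejects).
func Demo() (genuine, modified, resignedByUntrustedKey bool) {
	const publisher = "ci-pipeline@myorg.com" // constructed identity
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	manifest := []byte(sampleManifest)
	payload, sig, _ := Sign(priv, ManifestDigest(manifest), publisher)
	genuine = Verify(pub, manifest, payload, sig, publisher) == nil

	altered := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[{"digest":"sha256:deadbeef"}]}`)
	modified = Verify(pub, altered, payload, sig, publisher) == nil

	_, untrustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload2, sig2, _ := Sign(untrustedPriv, ManifestDigest(altered), publisher)
	resignedByUntrustedKey = Verify(pub, altered, payload2, sig2, publisher) == nil
	return genuine, modified, resignedByUntrustedKey
}

func main() {
	g, m, r := Demo()
	fmt.Printf("genuine=%v modified=%v resigned-by-untrusted-key=%v\n", g, m, r)
}
```

The order of checks in Verify matters: the signature is checked before the payload is parsed, so a verifier never acts on digest or identity fields that have not yet been authenticated.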

2. Core differences between Notation and Cosign

| Dimension | Notation | Cosign |
| --- | --- | --- |
| Parent project | CNCF graduated project, driven by Microsoft, Docker and others | Sigstore project, backed by Google and the Linux Foundation |
| Signing standard | Based on the OCI 1.1 signing specification; signatures are stored in the same repository as the image | Based on the Sigstore protocol; supports several storage methods (including OCI) |
| Core capabilities | Manages signing and verification, extensible via plugins, integrates with the Docker CLI | Keyless signing (OIDC), transparency log (Rekor), SBOM signing |
| Trust establishment | X.509 certificate chains; can integrate with SPIFFE/SPIRE and similar | Key pairs or OIDC identities (short-lived certificates issued by Fulcio) |
| Typical scenario | Enterprise environments with an existing PKI that need fine-grained certificate policy | Cloud-native CI/CD aiming at zero key management and public auditability |
| Docker integration | Docker Desktop bundles Notation; invoked directly via docker trust sign | Requires a separately installed Cosign CLI; can be embedded in pipelines |
| Fit for Java | Suits pairing with a private CA for strong signature management of internal Java base images | Suits open source projects and cross-organization collaboration, combined with OIDC authentication such as GitHub Actions |

3. How Notation works and its architecture

Notation fully follows the OCI 1.1 Reference Types model: the signature is stored as an artifact associated with the image in the same repository. It uses a plugin architecture in which signature generation, verification and key management are all provided by plugins.
[Flowchart: Notation architecture]
Signing: the developer runs docker push to the image repository, then notation sign; the Notation CLI invokes a signing plugin (e.g. notation-azure-kv), which uses the private key/certificate held in key management (Azure Key Vault / HSM) to produce a JWS signature, pushed to the repository as an OCI signature artifact.
Verification: on the consumer side, notation verify invokes a verification plugin (e.g. notation-x509), pulls the trust policy and certificates from the trust store (CA certificate chain), pulls the signature, compares the digest against the signature, and returns pass/reject to the deployment pipeline.

Key mechanisms

  • Trust policy: Notation uses trustpolicy.json to define which signers are trusted, which identities are allowed, whether Sigstore is required, and so on. For example, trust only signatures issued by the enterprise's internal CA with the organization name myorg.com.
  • Certificate management: supports X.509 certificate chain validation, timestamps and revocation checking, suited to enterprises with compliance audit requirements.
  • Docker integration: the Docker CLI interacts with Notation through docker trust sign and docker trust inspect, giving users a unified experience.
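As an added example (not Notation's own code), the Go program below evaluates a simplified trust policy of the kind the first bullet describes. The document is laid out like Notation's trustpolicy.json, with registryScopes, signatureVerification.level, trustStores and trustedIdentities, but the policy contents, repository names, trust store names and certificate subjects are all constructed, and the matching rules are a simplified model of Notation's behaviour: an exact registry scope beats the "*" wildcard, an "x509.subject:" entry matches when every attribute it lists appears with the same value in the signing certificate's subject, and the "audit" level records a failure instead of blocking. Certificate path validation against the named trust store is assumed to have happened before Evaluate is called.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Layout modeled on Notation's trustpolicy.json; only the fields used here.
type TrustPolicy struct {
	Name                  string   `json:"name"`
	RegistryScopes        []string `json:"registryScopes"`
	SignatureVerification struct {
		Level string `json:"level"` // "strict" blocks, "audit" only logs
	} `json:"signatureVerification"`
	TrustStores       []string `json:"trustStores"`
	TrustedIdentities []string `json:"trustedIdentities"`
}

// Constructed policy: internal Java images must be signed by a certificate chaining
// to the "ca:myorg" store with O=myorg.com in its subject; anything else is audited.
const SamplePolicy = `{"version":"1.0","trustPolicies":[
  {"name":"internal-java-images",
   "registryScopes":["registry.myorg.com/java/base","registry.myorg.com/java/app"],
   "signatureVerification":{"level":"strict"},"trustStores":["ca:myorg"],
   "trustedIdentities":["x509.subject: C=CN, O=myorg.com"]},
  {"name":"audit-everything-else","registryScopes":["*"],
   "signatureVerification":{"level":"audit"},
   "trustStores":["ca:myorg"],"trustedIdentities":["*"]}]}`

// parseDN turns "C=CN, O=myorg.com" into attribute -> value.
func parseDN(dn string) map[string]string {
	attrs := map[string]string{}
	for _, part := range strings.Split(dn, ",") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			attrs[strings.ToUpper(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return attrs
}

// PolicyFor selects the policy covering a repository; an exact scope wins over "*".
func PolicyFor(policies []TrustPolicy, repo string) *TrustPolicy {
	var wildcard *TrustPolicy
	for i := range policies {
		for _, scope := range policies[i].RegistryScopes {
			if scope == repo {
				return &policies[i]
			} else if scope == "*" {
				wildcard = &policies[i]
			}
		}
	}
	return wildcard
}

// IdentityTrusted: "*" trusts any identity; an "x509.subject:" entry matches
// when every attribute it lists appears with the same value in the subject.
func IdentityTrusted(p *TrustPolicy, certSubject string) bool {
	subject := parseDN(certSubject)
	for _, id := range p.TrustedIdentities {
		match := id == "*" || strings.HasPrefix(id, "x509.subject:")
		for k, v := range parseDN(strings.TrimPrefix(id, "x509.subject:")) {
			match = match && subject[k] == v
		}
		if match {
			return true
		}
	}
	return false
}

// Evaluate returns "allow" or "deny" plus the reason. trustStore names the store
// the certificate chain was validated against (path validation is assumed done).
func Evaluate(policyJSON []byte, repo, trustStore, certSubject string) (string, string) {
	var doc struct{ TrustPolicies []TrustPolicy } // json matches keys case-insensitively
	if err := json.Unmarshal(policyJSON, &doc); err != nil {
		return "deny", "malformed policy: " + err.Error()
	}
	p := PolicyFor(doc.TrustPolicies, repo)
	if p == nil {
		return "deny", "no trust policy covers " + repo
	}
	// Membership test by joining; trust store names contain no spaces.
	storeOK := strings.Contains(" "+strings.Join(p.TrustStores, " ")+" ", " "+trustStore+" ")
	if storeOK && IdentityTrusted(p, certSubject) {
		return "allow", "signer trusted by policy " + p.Name
	}
	reason := fmt.Sprintf("signer %q via %s not trusted by policy %s", certSubject, trustStore, p.Name)
	if p.SignatureVerification.Level == "audit" {
		return "allow", "AUDIT (not enforced): " + reason
	}
	return "deny", reason
}

func main() {
	fmt.Println(Evaluate([]byte(SamplePolicy), "registry.myorg.com/java/app", "ca:myorg", "C=CN, ST=Beijing, O=myorg.com, CN=ci-signer"))
}
```

The practical lesson is in the wildcard policy: a catch-all "*" scope at audit level means unknown repositories are never blocked, so a deployment gate that relies on this file must be scoped so that every production repository falls under a strict policy.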

4. How Cosign works and its architecture

Cosign is the core tool of the Sigstore ecosystem. It supports keyless signing and a transparency log, with the aim of making signing minimal and publicly auditable.
[Flowchart: Cosign architecture]
Signing flow: the developer runs cosign sign; the Cosign CLI obtains an OIDC token from the OIDC provider (GitHub, Google), requests a short-lived certificate from the Fulcio CA, which issues it; Cosign generates the signature, pushes it to the OCI registry (tag: sha256-xxx.sig) and uploads the signing record to the Rekor transparency log.
Verification flow: on the consumer side, cosign verify pulls the signature, queries Rekor, validates the certificate chain against the Fulcio / TUF root, verifies the identity binding, and returns pass/reject to the admission controller.

Key mechanisms

  • Keyless mode: developers do not manage private keys at all. At build time Cosign automatically obtains an OIDC token (e.g. the GitHub Actions workflow identity) and Fulcio issues a short-lived certificate that is used for signing. The certificate expires within minutes, so even if it leaks the impact is minimal.
  • Rekor transparency log: every signing event is recorded publicly in a tamper-evident Merkle tree log. Anyone can check when a signature was made and by whom, which provides non-repudiation.
  • Key-pair mode: traditional public/private key pairs are also supported, for offline or private environments.
  • Extensions: Cosign can also sign SBOMs, in-toto attestations, encrypted images and more.

5. Choosing between them and the practical workflow

In a Java enterprise project, how do you make sure that the base image eclipse-temurin:17-jre, or the microservice images the team builds, can be trusted?
[Flowchart: decision tree]
Need to protect image provenance → Is there an existing PKI? → Yes, with an internal CA: adopt Notation, paired with an X.509 certificate chain. No, mainly cloud CI: adopt Cosign, with keyless signing + OIDC. → Integrate into the Docker build pipeline → Verify signatures at deployment time (Kubernetes admission webhook) → Audit requirements? → Public audit needed: Cosign + Rekor transparency log; internal audit only: Notation trust policy + logs.

A typical delivery pipeline integration (using Cosign as the example):
[Sequence diagram; participants: Java developer, GitHub Actions, Harbor, Fulcio CA, Rekor log, Kubernetes]
  • The Java developer commits code, triggering a build in GitHub Actions: docker build -t myapp:v1 . followed by cosign sign myapp:v1.
  • GitHub Actions exchanges its GitHub token for a short-lived certificate from the Fulcio CA, uploads the signing record to the Rekor log, and pushes the image and its signature to Harbor; the build completes.
  • At deployment time Kubernetes pulls myapp:v1 and the admission controller calls cosign verify: it pulls the signature artifact from Harbor, validates the certificate chain against Fulcio, queries the signature entry in Rekor, and, with the identity matching (from the CI pipeline) and the signature valid, allows the Pod to be created.

6. Java interview follow-up questions and how to answer them

Q: What is the difference between signing and digest verification? Why isn't the digest enough?

A: The digest (e.g. sha256:...) guarantees that the image content was not corrupted in transit, but it cannot prove who published it. An attacker can replace the image and recompute the digest. A signature binds the content to the publisher's identity through the private key and cannot be forged.

Q: Can Notation and Cosign replace each other?

A: They overlap partly but are not full substitutes. Notation focuses on OCI signature standardization and the certificate ecosystem, suited to enterprises with strong PKI requirements. Cosign leans toward zero key management and transparent auditing, suited to DevSecOps and open source collaboration. Many enterprises use both, for example Cosign to sign open source components and Notation to sign internal services.

Q: How do you mitigate the risk of a signing key leaking?

A: Use keyless mode (Cosign OIDC) to avoid storing long-lived keys at all; if you use traditional keys, keep the private key in a hardware security module (HSM) or a cloud key management service and rotate it regularly. Notation's plugins integrate with Azure Key Vault and AWS KMS, so the private key never lands in the CI environment.

Q: How fine-grained should signing of Java images be?

A: Sign every image released to production, including base JDK images (if you maintain them yourself) and application images. Development snapshot images can be handled more loosely. Combined with registry policies in Harbor and similar tools, you can enforce that only signed images are pulled.

7. Mind map summary

circle,#mermaid-svg-MUwv2vn5BGdpJhfK .disabled text{fill:lightgray;}#mermaid-svg-MUwv2vn5BGdpJhfK .disabled text{fill:#efefef;}#mermaid-svg-MUwv2vn5BGdpJhfK .section-9 rect,#mermaid-svg-MUwv2vn5BGdpJhfK .section-9 path,#mermaid-svg-MUwv2vn5BGdpJhfK .section-9 circle,#mermaid-svg-MUwv2vn5BGdpJhfK .section-9 polygon,#mermaid-svg-MUwv2vn5BGdpJhfK .section-9 path{fill:hsl(180, 100%, 76.2745098039%);}#mermaid-svg-MUwv2vn5BGdpJhfK .section-9 text{fill:black;}#mermaid-svg-MUwv2vn5BGdpJhfK .node-icon-9{font-size:40px;color:black;}#mermaid-svg-MUwv2vn5BGdpJhfK .section-edge-9{stroke:hsl(180, 100%, 76.2745098039%);}#mermaid-svg-MUwv2vn5BGdpJhfK .edge-depth-9{stroke-width:-13;}#mermaid-svg-MUwv2vn5BGdpJhfK .section-9 line{stroke:hsl(0, 100%, 86.2745098039%);stroke-width:3;}#mermaid-svg-MUwv2vn5BGdpJhfK .disabled,#mermaid-svg-MUwv2vn5BGdpJhfK .disabled circle,#mermaid-svg-MUwv2vn5BGdpJhfK .disabled text{fill:lightgray;}#mermaid-svg-MUwv2vn5BGdpJhfK .disabled text{fill:#efefef;}#mermaid-svg-MUwv2vn5BGdpJhfK .section-10 rect,#mermaid-svg-MUwv2vn5BGdpJhfK .section-10 path,#mermaid-svg-MUwv2vn5BGdpJhfK .section-10 circle,#mermaid-svg-MUwv2vn5BGdpJhfK .section-10 polygon,#mermaid-svg-MUwv2vn5BGdpJhfK .section-10 path{fill:hsl(210, 100%, 76.2745098039%);}#mermaid-svg-MUwv2vn5BGdpJhfK .section-10 text{fill:black;}#mermaid-svg-MUwv2vn5BGdpJhfK .node-icon-10{font-size:40px;color:black;}#mermaid-svg-MUwv2vn5BGdpJhfK .section-edge-10{stroke:hsl(210, 100%, 76.2745098039%);}#mermaid-svg-MUwv2vn5BGdpJhfK .edge-depth-10{stroke-width:-16;}#mermaid-svg-MUwv2vn5BGdpJhfK .section-10 line{stroke:hsl(30, 100%, 86.2745098039%);stroke-width:3;}#mermaid-svg-MUwv2vn5BGdpJhfK .disabled,#mermaid-svg-MUwv2vn5BGdpJhfK .disabled circle,#mermaid-svg-MUwv2vn5BGdpJhfK .disabled text{fill:lightgray;}#mermaid-svg-MUwv2vn5BGdpJhfK .disabled text{fill:#efefef;}#mermaid-svg-MUwv2vn5BGdpJhfK .section-root rect,#mermaid-svg-MUwv2vn5BGdpJhfK .section-root path,#mermaid-svg-MUwv2vn5BGdpJhfK .section-root 
Mind map: trusted image provenance
- Core concepts
  - Signature = integrity + identity
  - Digest != identity authentication
- Tools
  - Notation
    - OCI 1.1 standard
    - X.509 certificate chain
    - Plugin-based key management
    - Trust policy file
  - Cosign
    - Sigstore ecosystem
    - Keyless signing + OIDC
    - Rekor transparency log
    - Key-pair mode also supported
- Decision factors
  - Existing PKI system
  - Need for zero key management
  - Audit transparency
  - Degree of CI/CD integration
- Java practice
  - Automatic signing in the build pipeline
  - Admission verification at deploy time
  - Trusted sources for base images
  - Regular rotation of keys/certificates

Summary: ensuring trusted image provenance is the cornerstone of software supply chain security. Notation and Cosign respectively represent standardized certificate-based signing and the modern keyless ecosystem. Java engineers need to understand how both work and, based on their organization's existing security infrastructure and compliance requirements, choose the appropriate toolchain and embed signing seamlessly into CI/CD and deployment flows, building a tamper-resistant, traceable image delivery system.