Update docs for co#tegration #301

Merged
merged 4 commits into from
Mar 30, 2022
6 changes: 3 additions & 3 deletions docs/administration/configuring-replication/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@ title: Configuring Replication
weight: 30
---

Replication allows users to replicate resources, namely images and charts, between Harbor and non-Harbor registries, in both pull or push mode.
Replication allows users to replicate resources, namely images and charts, between Harbor and non-Harbor registries, in both pull or push mode.

When the Harbor system administrator has set a replication rule, all resources that match the defined filter patterns are replicated to the destination registry when the triggering condition is met. Each resource that is replicated starts a replication task. If the namespace does not exist in the destination registry, a new namespace is created automatically. If it already exists and the user account that is configured in the replication policy does not have write privileges in it, the process fails. Member information is not replicated.
When the Harbor system administrator has set a replication rule, all resources, and any associated Cosign signatures, that match the defined filter patterns are replicated to the destination registry when the triggering condition is met. Each resource that is replicated starts a replication task. If the namespace does not exist in the destination registry, a new namespace is created automatically. If it already exists and the user account that is configured in the replication policy does not have write privileges in it, the process fails. Member information is not replicated.

There might be some delay during replication based on the condition of the network. If a replication task fails, it is re-scheduled for a few minutes later and retried several times.

{{< note >}}
Due to API changes, replication between different versions of Harbor is not supported.
{{< /note >}}
{{< /note >}}
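Review bot: the inserted clause "and any associated Cosign signatures" leaves two things open that the same paragraph raises: whether signatures are also carried to non-Harbor destinations, which the first sentence says are supported, and whether a filter that matches an image automatically selects its signature or the signature has to match the filter on its own. State both explicitly. Minor wording: "in both pull or push mode" should be "in both pull and push mode", and the parenthetical commas read more naturally as "all resources that match the defined filter patterns, along with any associated Cosign signatures, are replicated".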
2 changes: 1 addition & 1 deletion docs/administration/vulnerability-scanning/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,6 @@ Clair has been removed as a default scanner in v2.2. You are still able to use C
{{< /important >}}


You can manually initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to automatically scan all of the images at specific intervals.
You can manually initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to automatically scan all of the images at specific intervals. Vulnerability scans of [Cosign signatures](../../working-with-projects/working-with-images/sign-images/#use-cosign-to-sign-artifacts) are not supported.

You can also export scans for an image using the Harbor API endpoint `/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities`. See more information about using this endpoint in the [Harbor Swagger file](https://github.com/goharbor/harbor/blob/main/api/v2.0/swagger.yaml).
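Review bot: the added sentence links to the anchor `#use-cosign-to-sign-artifacts` on a page this PR does not touch; confirm that heading exists with exactly that slug, since a wrong anchor fails silently. It would also help to say what "not supported" means for a reader who has "Automatically scan images on push" enabled on the project: whether signature artifacts are skipped or appear as failed scans.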
Binary file added docs/img/cosign-signaure-delete.png
Binary file added docs/img/enable-deployment-security.png
Binary file added docs/img/expand-accessories-table.png
Binary file added docs/img/image-with-cosign-signature.png
Binary file added docs/img/view-accessories-table.png
8 changes: 5 additions & 3 deletions docs/working-with-projects/project-configuration/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ weight: 30
After the initial creation of a project, you can configure or reconfigure its properties in the **Configuration** tab for that project.

1. Log in to the Harbor interface with an account that has at least project administrator privileges.
1. Go to **Projects** and select a project.
1. Go to **Projects** and select a project.
1. Select the **Configuration** tab.
1. To make all repositories under the project accessible to everyone, select the `Public` checkbox, or deselect this checkbox to make the project private.
1. To prevent un-signed images under the project from being pulled, select the `Enable content trust` checkbox.
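Review bot: this hunk only strips trailing whitespace, but the last context line, "select the `Enable content trust` checkbox", no longer matches the UI described by the rewritten implementing-content-trust page in this same PR, which has separate **Cosign** and **Notary** checkboxes. Update the step to name those options, or replace it with a pointer to that page.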
Expand All @@ -24,7 +24,7 @@ Enter a keyword in the search field at the top to list all matching projects and
You can configure projects so that images with vulnerabilities cannot be run, and to automatically scan images as soon as they are pushed into the project.

1. Log in to the Harbor interface with an account that has at least project administrator privileges.
1. Go to **Projects** and select a project.
1. Go to **Projects** and select a project.
1. Select the **Configuration** tab.
1. To prevent vulnerable images under the project from being pulled, select the **Prevent vulnerable images from running** checkbox.

Expand All @@ -33,12 +33,14 @@ You can configure projects so that images with vulnerabilities cannot be run, an
1. Select the severity level of vulnerabilities to prevent images from running.

![Set vulnerability threshold](../../img/set-vulnerability-threshold.png)

Images cannot be pulled if their level is equal to or higher than the selected level of severity. Harbor does not prevent images with a vulnerability severity of `negligible` from running.
1. To activate an immediate vulnerability scan on new images that are pushed to the project, select the **Automatically scan images on push** check box.

![Automatically scan images on push](../../img/scan-on-push.png)

Harbor also supports additional deployment security options, allowing you to [implement content trust](../../working-with-projects/project-configuration/implementing-content-trust/) on your Harbor instance.

## Build history

Build history makes it easy to see the contents of a container image, find the code which builds an image, or locate the image for a source repository.
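Review bot: the new sentence after the scan-on-push step sits under the vulnerability section but is about signing; name the options it refers to (the Cosign and Notary deployment security checkboxes in the same **Configuration** tab) so the reader knows what to look for before following the link. In the surrounding context, "Prevent vulnerable images from running" and "Images cannot be pulled if their level is equal to or higher" describe the same control with different verbs; pick one (Harbor blocks the pull) for both.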
Original file line number Diff line number Diff line change
Expand Up @@ -3,32 +3,20 @@ title: Implementing Content Trust
weight: 55
---

{{< note >}}
Notary is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.
{{< /note >}}
Artifact signing and signature verification are critical security capabilities that allow you to verify the integrity of an artifact. Harbor supports content trust through integrations with [Notary](https://github.com/notaryproject/notarys) and [Cosign](https://github.com/sigstore/cosign), ensuring that only signed and verified images are pulled from your Harbor instance.

If you want to enable content trust to ensure that images are signed, please set two environment variables in the command line before pushing or pulling any image:
This page describes how to [enforce content trust](#enforce-content-trust) using a default Harbor deployment policy. For more information on using Cosign and Notary with Harbor, see more how to [Sign Artifacts with Cosign and Notary](../../working-with-images/sign-images).

```sh
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://10.117.169.182:4443
```
## Enforce deployment security

If you push the image for the first time, You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the `DOCKER_CONTENT_TRUST` flag is set.
The root key is generated at: `/root/.docker/trust/private/root_keys`
You will also be asked to enter a new passphrase for the image. This is generated at `/root/.docker/trust/private/tuf_keys/[registry name] /[imagepath]`.
If you are using a self-signed cert, make sure to copy the CA cert into `/etc/docker/certs.d/10.117.169.182` and `$HOME/.docker/tls/10.117.169.182:4443/`. When an image is signed, it is indicated in the Web UI.
As a project administrator, you are able to enforce deployment security by activating the default deployment policy for Cosign or Notary for a given project.

A signed image will have a checkbox next to it, otherwise an X is displayed instead.
1. Log into the Harbor interface and navigate to the Configuration tab for the Project you want to enforce content trust on.
1. Select the checkbox for **Cosign** or **Notary**. When checked, Harbor will only allow verified images to be pulled from the project. Verified images are determined by either Cosign or Notary, depending on the policy you have checked. You are able to select both options if you wish for both policies to be enforced. If you have both Notary and Cosign policies enforced, then images will need to be signed by both Notary and Cosign to be pulled.
1. Click **Save**.

If you want to remove a tag signature from harbor, you can use 'notary remove' command:
![Enable deployment security in project configuration page](../../../img/enable-deployment-security.png)

```sh
notary remove -p 10.117.169.182/libary/alpine latest
```

{{< note >}}
Replace "10.117.169.182" with the IP address or domain name of your Harbor node. In order to use content trust, HTTPS must be enabled in Harbor.
{{< /note >}}

![browse project](../../../img/content-trust.png)
{{< note >}}
You must have Notary [installed](../../../install-config/run-installer-script/#installation-with-notary) to see the Notary deployment security checkbox.
{{< /note >}}
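Review bot: the Notary link in the first paragraph points to `https://github.com/notaryproject/notarys`, which looks like a typo for `notaryproject/notary`. "see more how to [Sign Artifacts with Cosign and Notary]" should be "see [Sign Artifacts with Cosign and Notary]". More substantively, the deleted text carried two requirements the new page does not restate: that HTTPS must be enabled in Harbor to use content trust, and that a self-signed CA has to be copied to the Docker client host; confirm both live on the sign-images page this paragraph links to, otherwise keep a note here. The sentence that both policies together require an image to be signed by both Notary and Cosign is the right AND semantics to spell out; keep it.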
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,9 @@ You can now pull an image:
docker pull <harbor_address>/library/ubuntu:14.04
```

{{< note >}}
You cannot pull an unsigned image if you have enabled content trust.
{{< /note >}}
{{< important >}}
Harbor supports content trust through Cosign and Notary. If you have enforced content trust in your project, you will not be able to pull an unsigned image. Read more about [implementing content trust](../../project-configuration/implementing-content-trust/).
{{< /important >}}

## Pushing Images

Expand Down Expand Up @@ -109,52 +109,3 @@ Kubernetes users can easily deploy pods with images stored in Harbor. The settin

1. When your Harbor instance is hosting HTTP and the certificate is self-signed, you must modify `daemon.json` on each work node of your cluster. For information, see https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry.
2. If your pod references an image under a private project, you must create a secret with the credentials of a user who has permission to pull images from the project. For information, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/.

## Configure Notary Content Trust

Make sure that `https` is enabled in `harbor.yml` and the attributes `ssl_cert` and `ssl_cert_key` point to valid certificates. For more information about generating a HTTPS certificate, see [Configure HTTPS Access to Harbor](../../install-config/configure-https.md).

### Copy the Root Certificate

If Harbor instance is hosted at 192.168.0.5, ff you are using a self-signed certificate, copy the Harbor CA root cert to `/etc/docker/certs.d/192.168.0.5/` and `~/.docker/tls/192.168.0.5:4443/` on the machine on which you run the Docker client.

### Enable Docker Content Trust

You can enable content trust by setting the following environment variables on the machine on which you run the Docker client.

```sh
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5:4443
```

### Set Alias for Notary (optional)

By default the local directory for storing meta files for the Notary client is different from the one for the Docker client. To simplify the use of the Notary client to manipulate the keys/meta files that are generated by Docker content trust, you can set an alias.

```sh
alias notary="notary -s https://192.168.0.5:4443 -d ~/.docker/trust --tlscacert /etc/docker/certs.d/192.168.0.5/ca.crt"
```

### Lost Notary Keys

In the event that your Notary root key is deleted without backups, you can resolve orphaned images using the following steps.

1. Remove data from the `notarysigner` and `notaryserver` database. Replace the fully qualified URI of your repository in the SQL commands below.

```
docker exec -it harbor-db /bin/bash
postgres [ / ]$ psql
....
postgres=# \c notaryserver
notaryserver=# delete from tuf_files where gun='<fully_qualified_URI_of_repository>';
....
notaryserver=# \c notarysigner
notarysigner=# delete from private_keys where gun='<fully_qualified_URI_of_repository>';
notarysigner=# \q
```

1. Restart harbor-core to clear some temporary cache.

```
docker restart harbor-core
```
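Review bot: this hunk deletes the entire "Configure Notary Content Trust" section, including the "Lost Notary Keys" recovery procedure (the `tuf_files` and `private_keys` deletes against `notaryserver` and `notarysigner`, followed by the `harbor-core` restart). Nothing added in this PR replaces it; if the content moved to the sign-images page, link it from the new important box above, otherwise keep this section, since it is the only documented recovery path for orphaned signed tags. Also, the surviving context line "hosting HTTP and the certificate is self-signed" should read "HTTPS".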