Artifact signing and signature verification are critical security capabilities that let you verify the integrity and provenance of an artifact. Harbor supports content trust through its Cosign and Notary integrations, ensuring that only signed and verified images can be pulled from your Harbor instance.
As a project administrator, you are able to enforce deployment security by activating the default deployment policy for Cosign or Notary for a given project.
Log into the Harbor interface and navigate to the Configuration tab for the Project you want to enforce content trust on.
Select the checkbox for Cosign or Notary. When checked, Harbor allows only verified images to be pulled from the project; an image counts as verified when it carries a valid signature from the verifier whose policy you checked (Cosign or Notary). You can select both options if you want both policies enforced. With both Notary and Cosign policies enforced, an image must be signed by both Notary and Cosign before it can be pulled.
You must have Notary installed to see the Notary deployment security checkbox.
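The following is an added example, not Harbor's own code, showing how the deployment policy described above can be audited over the API rather than the UI: it assumes Harbor's `GET /api/v2.0/projects/{name}` endpoint and the project metadata keys `enable_content_trust` (Notary) and `enable_content_trust_cosign`, with values returned as the strings "true"/"false", and it separates the pull-allowed decision (both signatures required when both boxes are checked) into pure functions that run offline.

```python
"""Audit a Harbor project's content-trust (deployment security) policy.

Added example, not Harbor's own code. Assumes Harbor's v2 API
(GET /api/v2.0/projects/{name}) and its project metadata keys
'enable_content_trust' (Notary) and 'enable_content_trust_cosign',
whose values Harbor returns as the strings "true"/"false".
"""
import base64
import json
import urllib.request

NOTARY = "enable_content_trust"          # Notary checkbox
COSIGN = "enable_content_trust_cosign"   # Cosign checkbox


def required_signers(metadata: dict) -> set:
    """Return which verifiers an image must be signed by to be pulled."""
    needed = set()
    if str(metadata.get(NOTARY, "false")).lower() == "true":
        needed.add("notary")
    if str(metadata.get(COSIGN, "false")).lower() == "true":
        needed.add("cosign")
    return needed


def pull_allowed(metadata: dict, present: set) -> bool:
    """A pull succeeds only when every enforced policy is satisfied:
    with both boxes checked, both a Notary and a Cosign signature are needed."""
    return required_signers(metadata) <= set(present)


def fetch_project_metadata(harbor_url: str, project: str, user: str, password: str) -> dict:
    """Read the project's metadata over the Harbor API (network call, basic auth)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{harbor_url.rstrip('/')}/api/v2.0/projects/{project}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("metadata", {})


# Constructed sample metadata, as the API would return it for a project
# with both the Notary and the Cosign checkbox selected.
SAMPLE_BOTH = {NOTARY: "true", COSIGN: "true"}

if __name__ == "__main__":
    print(sorted(required_signers(SAMPLE_BOTH)))    # ['cosign', 'notary']
    print(pull_allowed(SAMPLE_BOTH, {"cosign"}))    # False: Notary signature missing
```

For a live audit, call `fetch_project_metadata` for each project and report those where `required_signers` returns an empty set.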