Justincappos

PT-2024-19814 · CVSS 4.0 · 2024-01-19 · Unknown · The Notary Project · CVE-2024-23332
**Name of the Vulnerable Software and Affected Versions**

The Notary Project (affected versions not specified)

**Description**

An external actor with control of a compromised container registry can serve outdated versions of OCI artifacts, such as images. Artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) could then use artifacts whose signatures are no longer valid, exposing them to any exploits those artifacts may contain.

The Notary Project offers several signature verification levels, such as `permissive`, `audit`, and `skip`, to support different scenarios. Artifact publishers control the validity period of artifacts by specifying a signature expiry during signing. Using shorter signature validity periods, together with a process to periodically re-sign artifacts, lets artifact producers ensure that their consumers receive only up-to-date artifacts.

**Recommendations**

To resolve the issue, artifact publishers should specify a signature expiry during signing and use short validity periods together with a process to periodically re-sign artifacts. Artifact consumers should use a `strict` or equivalent trust policy that enforces signature expiry. As a temporary workaround, consider disabling the use of `permissive` trust policies until a more secure configuration is in place. Restrict access to compromised container registries to minimize the risk of exploitation, and avoid using outdated versions of OCI artifacts until the issue is resolved. The Notary Project also supports revocation to ensure signature freshness: artifact publishers can sign with short-lived certificates and revoke older certificates when necessary.
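As an added illustration (not Notary Project code), the following Python models how the verification levels named above treat a signature whose expiry has passed, using a constructed trust policy in the Notary Project `trustpolicy.json` layout with one `permissive` and one `strict` policy; the registry, repository and policy names and the digest are made up.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed trustpolicy.json: the same kind of repository under the weak
# `permissive` level and under the corrected `strict` level.
TRUST_POLICY = json.loads("""{"version": "1.0", "trustPolicies": [
    {"name": "legacy-app", "registryScopes": ["registry.example.test/legacy/app"],
     "signatureVerification": {"level": "permissive"},
     "trustStores": ["ca:example-ca"], "trustedIdentities": ["*"]},
    {"name": "prod-app", "registryScopes": ["registry.example.test/prod/app"],
     "signatureVerification": {"level": "strict"},
     "trustStores": ["ca:example-ca"], "trustedIdentities": ["*"]}
]}""")

# Checks each level enforces (a failure rejects the artifact); any other failed
# check is only logged. strict enforces all, permissive only integrity and
# authenticity, audit only integrity, skip performs no verification at all.
ENFORCED = {
    "strict": {"integrity", "authenticity", "expiry", "revocation"},
    "permissive": {"integrity", "authenticity"},
    "audit": {"integrity"},
    "skip": set(),
}

def level_for(reference):
    """Verification level of the policy whose registryScopes cover a digest reference."""
    repo = reference.split("@", 1)[0]
    for policy in TRUST_POLICY["trustPolicies"]:
        scopes = policy["registryScopes"]
        if repo in scopes or "*" in scopes:
            return policy["signatureVerification"]["level"]
    raise LookupError(f"no trust policy covers {reference}")

def verify(reference, signature_expiry, now):
    """Return (accepted, logged_only). Only the expiry check is modelled;
    integrity, authenticity and revocation are assumed to pass."""
    level = level_for(reference)
    failed = {"expiry"} if level != "skip" and now > signature_expiry else set()
    enforced = failed & ENFORCED[level]
    return not enforced, sorted(failed - enforced)

def rollback_demo():
    """A compromised registry serves an outdated artifact whose signature
    lapsed 30 days ago: accepted (with a log line) under permissive, rejected under strict."""
    now = datetime(2024, 1, 19, tzinfo=timezone.utc)
    stale = now - timedelta(days=30)
    return {
        "permissive": verify("registry.example.test/legacy/app@sha256:deadbeef", stale, now),
        "strict": verify("registry.example.test/prod/app@sha256:deadbeef", stale, now),
    }
```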