Project post originally published on the Notary Project blog by the Notary Project Release Team

The Notary Project maintainers are proud to announce a major release, including Notary Project specifications v1.0.0, notation v1.0.0, notation-go v1.0.0, and notation-core-go v1.0.0, which are ready for production use!

What is Notary Project and Notation?

As containers and cloud native artifacts become common deployment units, users want to make sure that they are authentic in their environments. The Notary Project is a set of specifications and tools intended to provide cross-industry standards for securing software supply chains through signing and verification, signature portability, and key/certificate management.

Notation is a sub-project of the Notary Project. It consists of the notation CLI and two Go libraries, notation-go and notation-core-go, which implement the latest Notary Project specifications. Notation was started in Dec 2019, and the code has matured through a series of alpha, beta, and RC releases over the last few years. The first version of the CLI and libraries, v0.7.0-alpha.1, was released in Oct 2021. Several alpha, beta, and RC releases later, the binaries reached the final release candidate, v1.0.0-RC.7, in May 2023.

To learn more about the Notary Project, see the Notary Project Overview and the FAQ.

Notable Capabilities in this Release

Here are some of the major capabilities and features included in this release.

Specifications

The Notary Project specifications have reached their first major release. All specifications, requirements, scenarios, the threat model, and the security audit reports are available in this release. ISVs and tool developers who want to interoperate with Notary Project signatures and tooling should build against the specifications to ensure compatibility.

Signing and verification functionalities

From the software producer's perspective, signing a software artifact lets consumers detect tampering and verify the artifact's authenticity. Signing can also increase trust when distributing software artifacts to consumers. The Notary Project provides the following core capabilities for the signing experience:

From the software consumer's perspective, verifying the signature on a signed artifact checks its integrity and authenticity before the artifact is used. The Notary Project provides the following core capabilities for the verification experience:
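The producer-side signing flow and the consumer-side verification flow described above, as an added shell example (this is not code from the post or from the Notary Project; it drives the notation CLI v1.0.0 and assumes notation is on PATH, that a registry is reachable at localhost:5001 with the image localhost:5001/net-monitor:v1 already pushed, and that the test certificate subject is the one cert generate-test produces; the image reference, the trust policy name and the repo_scope and write_trust_policy helpers are this example's own):

```bash
#!/usr/bin/env bash
# Added example: sign an image with notation v1.0.0, then verify it under a
# pinned trust policy. Assumed environment: notation on PATH, a local registry
# at localhost:5001 (e.g. a registry:2 container), image already pushed.
set -eu

IMAGE="${IMAGE:-localhost:5001/net-monitor:v1}"   # assumed registry/repo:tag
TRUST_STORE="ca:wabbit-networks.io"                # created by cert generate-test below
# Subject of the test cert generate-test emits in v1.0.0 (assumed; confirm with
# "notation inspect" on the signed image and adjust if it differs).
TEST_SUBJECT="x509.subject: C=US, ST=WA, L=Seattle, O=Notary, CN=wabbit-networks.io"

# Reduce an image reference to the registry scope a trust policy expects
# (registry/repository with no tag or digest). Handles "repo:tag",
# "repo@sha256:..." and registries that carry a port.
repo_scope() {
  local ref="${1%%@*}"          # drop "@sha256:..." if present
  local last="${ref##*/}"       # component after the last slash
  case "$last" in
    *:*) printf '%s\n' "${ref%:*}" ;;   # a colon here is a tag: strip it
    *)   printf '%s\n' "$ref" ;;        # no tag, a port colon is left alone
  esac
}

# Write a consumer-side trust policy. A hardened policy pins three things: the
# repositories it applies to (registryScopes), the trust store holding the root
# or CA certificate, and the exact signing identity. Using "*" as the trusted
# identity, as the quick start does, accepts any certificate that chains to the
# trust store; pin the full x509 subject in production.
write_trust_policy() {
  # $1 = output path, $2 = registry scope, $3 = trust store,
  # $4 = trusted identity ("x509.subject: <full DN>" or "*")
  cat > "$1" <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "net-monitor-images",
      "registryScopes": [ "$2" ],
      "signatureVerification": { "level": "strict" },
      "trustStores": [ "$3" ],
      "trustedIdentities": [ "$4" ]
    }
  ]
}
EOF
}

# Producer: create a self-signed test key and certificate (demo only; use a
# CA-issued code-signing certificate or a signing-service plugin for real
# releases), sign the image, then list the signatures attached to it.
sign_image() {
  notation cert generate-test --default "wabbit-networks.io"
  # notation resolves a tag to its digest and signs the digest; pass an
  # @sha256: reference instead of a tag to avoid a tag being moved under you.
  notation sign "$1"
  notation list "$1"
}

# Consumer: install the pinned trust policy, then verify before use. With
# level "strict", any failed check (integrity, authenticity, trusted identity,
# expiry, revocation) makes the command exit non-zero.
verify_image() {
  local policy
  policy="$(mktemp)"
  write_trust_policy "$policy" "$(repo_scope "$1")" "$TRUST_STORE" "$TEST_SUBJECT"
  notation policy import --force "$policy"   # --force replaces an existing policy
  notation verify "$1"
}

# Only run the full flow when asked explicitly (./notation-demo.sh run), so the
# helpers can be sourced or tested without a registry.
if [ "${1:-}" = "run" ]; then
  sign_image "$IMAGE"
  verify_image "$IMAGE"
fi
```

The difference between verification levels is what the policy does with a failed check: strict treats every failure as an error, permissive downgrades expiry and revocation failures to warnings, audit downgrades everything except integrity, and skip performs no verification. A trusted identity of "*" has to be the only entry in trustedIdentities; once you pin a subject, it must match the full subject DN of the signing certificate.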

Experimental features

Experimental features are intended for testing and evaluation only and should not be used in production environments. Users can enable experimental features in the Notation CLI by setting the environment variable NOTATION_EXPERIMENTAL to 1 as shown below.

export NOTATION_EXPERIMENTAL=1

There are two major features which are marked as experimental.

Extensibility: plugin support for Notation

Notation has an extensible design based on a plugin framework. The framework defines plugin interfaces that let users and vendors integrate their own key/certificate management solutions or signing services. Currently, the following Notation plugins are available.

Integration with admission controller for Kubernetes usage

To let users verify images and secure deployments on Kubernetes, the Notary Project maintainers worked with the Ratify and Kyverno teams to provide solutions that verify images signed with Notation before they are admitted to a cluster. Users have two options for building a complete end-to-end image integrity workflow in their environments. For more details, see:

Diagram flow showing e2e workflow

Built-in security

As part of our commitment to security, the Notary Project maintainers engaged with the CNCF to set up continuous fuzzing of the source code and completed a security audit in 2023. All vulnerabilities found during fuzzing and the audit were fixed before the libraries and the CLI were released. Below are links to the security reports:

What’s next

The Notary Project maintainers are considering the following features for future milestones. Feel free to reach out on the Slack channel or GitHub issues to ask questions, provide feedback, or share ideas.

Acknowledgements

The Notary Project release team wants to thank the entire Notary Project community for all the activity and engagement that has been vital for helping the project grow and reach this major milestone.

Try it now

You can follow this interactive tutorial to try the Notation CLI v1.0.0 in an online cloud playground, or follow the quick start on your own computer.