As containers and cloud native artifacts become common deployment units, users want to make sure that they are authentic in their environments. Notary Project is a set of tools and specifications intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts.

The Notary Project specifications and tooling provide signing and verification workflows for OCI artifacts, signature portability across OCI-compliant registries, and integration with third-party key management solutions through an extensible plugin model. Notation is a sub-project of Notary Project; it consists of the notation CLI and two Go libraries that implement the latest Notary Project specifications.

Notary Project is a CNCF Incubating project. We are pleased to share some exciting updates and live demos of Notary Project with its ecosystem partners at KubeCon + CloudNativeCon Europe and host a project booth for interactive communication in Paris.

Want to have the first glance at the exciting updates of Notary Project in 2024? This blog post gives you a pre-event preview.

Exciting updates for the upcoming KubeCon

Notary Project now has a new brand name, “Notary Project”, with a new logo released! The original brand “Notary” will no longer be used. See the Glossary for reference.

Notary Project Logo old vs new

Meanwhile, there are some new functionalities available in recent releases.

Notation v1.1.0 with easier plugin management

Notary Project announced Notation v1.1.0 on Feb 8, 2024. Notation now supports plugin lifecycle management and extends the plugin ecosystem; four Notation plugins are now available:

You can follow this interactive tutorial to try Notation CLI v1.1.0 in an online cloud playground or follow the quick start on your computer.

Integration with CI/CD

Notation integrates with several popular CI/CD systems, including GitHub Actions and Azure DevOps. These integrations help users install Notation and automate the signing and verification workflows in their pipelines.

Sign and verify any arbitrary files

Another exciting update is arbitrary blob signing, which will be available in the next release. It extends the set of objects that can be signed from OCI artifacts to any arbitrary files. A typical scenario is that open-source project maintainers will be able to sign their release assets on GitHub.

Timestamped signature support

Notation will also support timestamping in the next release, enabling users to trust images that were signed before their certificates expired. Support for time-stamping (RFC 3161) extends the trust in a signature beyond the validity period of the signing certificate, so signers no longer need to regularly re-sign images before their certificates expire.
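To make the trust extension concrete, here is an added example (not Notation's code, and not part of the original post) that models the verification decision: without a timestamp, a signature can only be trusted while the signing certificate is valid at verification time; with a trusted RFC 3161 timestamp, what matters is that the signing certificate was valid at the timestamp's generation time. The `TimestampToken` class and the separate check on the TSA certificate are simplifying assumptions of this model, not a description of Notation's implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class CertValidity:
    """Validity window of an X.509 certificate (notBefore/notAfter)."""
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class TimestampToken:
    """Constructed stand-in for an RFC 3161 TimeStampToken.

    A real token is a CMS SignedData issued by a Time Stamping
    Authority (TSA) over a hash of the signature; here we keep only
    the fields the trust decision needs (assumed simplification).
    """
    gen_time: datetime            # TSTInfo.genTime: when the TSA saw the signature
    tsa_cert: CertValidity        # validity of the TSA certificate that countersigned
    countersignature_ok: bool     # whether the TSA countersignature verified


def signature_trusted(signing_cert: CertValidity, verify_time: datetime,
                      token: Optional[TimestampToken] = None) -> Tuple[bool, str]:
    """Decide whether a signature is trusted at verify_time.

    Assumes the signature itself already verified against the signing
    certificate's public key and the certificate chains to a trusted root.
    """
    if token is None:
        # No trusted time reference: the signing cert must be valid right now.
        if signing_cert.covers(verify_time):
            return True, "signing certificate valid at verification time"
        return False, "signing certificate expired and no trusted timestamp"
    if not token.countersignature_ok:
        return False, "timestamp countersignature did not verify"
    if not token.tsa_cert.covers(verify_time):
        # Assumption of this model: the TSA certificate is checked at verification time.
        return False, "TSA certificate not valid at verification time"
    # The timestamp proves the signature existed at gen_time; check the
    # signing certificate against that moment, not against "now".
    if signing_cert.covers(token.gen_time):
        return True, "signing certificate was valid at the trusted timestamp"
    return False, "signing certificate was not valid at the trusted timestamp"
```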

Sign and verify artifacts in an air-gapped environment

In addition, Notation supports signing and verifying artifacts on the local filesystem. Users can sign images on local disk before pushing them to a remote registry. This enables signing and verification in an air-gapped environment, which helps improve the security posture.

Integration with admission controller for Kubernetes usage

To enable users to verify images and secure image deployment on Kubernetes, the Notary Project maintainers worked with the Ratify and Kyverno teams to provide solutions for verifying images signed by Notation before they are deployed to Kubernetes. Users have two different options for building a complete end-to-end image integrity workflow in their environments. For more details, see:

Diagram showing integration with admission controller for Kubernetes usage

Connect with us at KubeCon!

To hear more announcements and see live demos around Notary Project, come and join us at the Notary Project Maintainers Track on March 20, 2024, 14:30 – 15:05 CET, and meet us at the project booth. We have prepared plenty of Notary Project swag for you! We wish you a wonderful KubeCon journey!