The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. Notation Project specification and tooling provides signing and verification workflows for OCI artifacts, signature portability across OCI compliant registries, and integration with 3rd party key management solutions through a plugin model.
The Notary Project started in 2016 with an implementation for signing images in container registries and ensuring their integrity before deployment. The initial implementation uses The Update Framework (TUF) and requires registries to host additional server infrastructure for managing signing keys and TUF metadata. This server infrastructure tightly integrates with the container registry and keeps track of the images pushed to the registry. There is also a client component in the form of the notary command line interface (CLI) that can be used by developers or CI/CD pipelines to sign and push container images and update the metadata. The CLI wraps the communication to the registry as well as to the key and metadata management server component. The most prominent use of this implementation is in Docker Content Trust (DCT). The server and the client implementation can be found in the notary repository under the Notary Project organization.
Container images are portable artifacts that can move between registries. Due to the tight integration between the registry, key, and metadata management server component, portability of signatures and therefore images between registries is limited. To overcome the portability challenges by leveraging Open Containers Initiative (OCI) standards, and enable future flexibility and standardization, the Notary Project community decided to concentrate on specifications for helping enhance the software supply chains and provide reference implementations (refer to the kick-off meeting notes for details).
The first formal specification from the Notary Project is the signature specification that specifies how portable signatures wrapped in COSE or JWS envelopes can be produced. The specification defines the signing and verification workflow (aka Notary Project signing and verification), the signing scheme, the signature format and how to wrap the signature using COSE or JWS envelopes. A signature, also called a Notary Project signature, produced according to the Notary Project signature specification can be copied between OCI registries and validated in connected, occasionally connected, and disconnected environments without the need of additional server insfrastructure. The signature specification concnetrates only on specifying the signature and not how the keys and artifact metadata should be managed and stored. This allows signature portability and enables users to use existing key management systems to produce and consume the signatures. The signature specification is available in the specifications repository under the Notary Project.
The specifications repository also contains information about the requirements and scenarios that the Notary Project supports or plans to support as well as the reports from security testing and audits.
A reference implementation to produce and verify Notary Project signatures in Golang is provided in the notation-core-go library. A convenience Golang library that interacts with OCI registries and manages the relation between a signed artifact and signatures is provided in the notation-go library. notation-go provides an easy way to implement the signing and verification in Golang. The notation-go library is also used by the notation CLI that can be used by developers and CI/CD pipelines to produce portable signatures and store them together with the signed artifacts in OCI-compliant registries. The notation CLI implements Notary Project specifications for signing and verification, and can also be used to verify signatures of artifacts stored in OCI-compliant registries. notation-core-go and notation-go libraries can be used independently from the CLI to implement the Notary Project signing and verification flows in other projects for securing software supply chains.
You can learn more about the Notary Project on the notaryproject.dev website.
Here is a list of repositories under the Notary Project organization
| Repository | Description |
|---|---|
| .github | This repository contains the Notary Project governance and other common documents that are shared across all repositories under the Notary Project organization. |
| meeting-notes | This repository contains the archived meeting notes. |
| notary | This repository contains the source code for the server and the client of the initial TUF-based implementation circa 2016. |
| specifications | This repository contains the latest Notary Project requirements, scenarios, specifications, and security audits to overcome the challenges from the initial implementation of 2016. |
| notaryproject.dev | This repository contains the source code and content for the Notary Project website. |
| notation | This repository contains the source code for the convenient CLI implementation of the new Notary Project specifications. |
| notation-go | This repository contains the source code for the convenient Golang library implementation of the new Notary Project signing and verification flow. |
| notation-core-go | This repository contains the source code for the Golang library implementation of the Notary Project signature (hereafter "Notary Project signature") specification and wrapping (COSE and JWS). |
| roadmap | This repository is intended for keeping track of development activities in the Notary Project. It may be retired in the future as feature request and milestones are moved to the appropriate repositories. |
| tuf | This repository is intended for prototyping the storage of TUF metadata in OCI-compliant registries. It is not under active development at the moment but there are plans to revive it in the future. |
The Notary Project is in active development. The latest release announcements are published on the Notary Project blog. The Notary Project community uses the project board for project planning and status tracking. You can also use GitHub milestones to track the progress of each repository:
- The Notary Project specification milestones
- notation CLI milestones
- notation-go library milestones
- notation-core-go library milestones
- notary milestones
You can also check the release pages of each repository for the latest release binaries:
- The Notary Project specification releases
- notation CLI releases
- notation-go library releases
- notation-core-go library releases
- notary releases
The Notary Project has a continuous fuzz testing implemented for the following repositories: notary, notation-go, and notation-core-go.
In addition, the Notary Project has had several public security audits:
- Jul 7, 2023 by ADA Logics security audit covering
notation,notation-go, andnotation-core-gorepositories. - Mar 21, 2023 by ADA Logics fuzz testing audit covering
notary,notation-go, andnotation-core-gorepositories. - August 7, 2018 by Cure53) covering TUF and the
notaryrepository. - July 31, 2015 by NCC covering
notaryrepository.
You can reach the Notary Project community and developers via the following channels:
- Join the Notary Project Slack channel for discussions and to ask questions.
- Follow the @NotaryProject for news about the Notary Project.
- Join the Notary Project community meetings to stay on top of the latest discussions and development activities.
- Active meeting notes are captured at the Notary Project meeting notes
- Archived meeting notes are stored in the meeting-notes repository