Standards-based spec and tooling for securing software supply chains

Signing and verifying artifacts. Safeguarding the software delivery security from development to deployment.

Contributed by the community, in collaboration with

AWS logo
CNCF logo
Docker logo
Microsoft logo

Scenarios we fit and problems we solve for

Signing and validating software artifacts, ensure they have not been tampered with and provide security policies to determine which validated artifacts are allowed to be used in your systems

Secure containers and K8s

For Developers

DevSecOps

For DevOps engineers

Auditing and Compliance

For Security Operators

Why the Notary Project is unique

The Notary Project is aiming to provide enterprise-grade solutions and cross-industry standards for securing software supply chain

01

Cryptographic Signing

  • Support COSE and JWS signature format
  • Not only images, it allows to sign and verify any software artifacts
  • Built on standard PKI
  • Support online and air-gapped signing scenario
02

Fine-grained security policy

  • Able to custom trust policy and determine if a signed artifact is considered authentic
  • Ensure artifacts are signed with trusted identities and from trusted registry
  • Improve system integrity and authenticity
03

Easy to use and extensible

  • Automating signing and verification into a few simple CLI commands
  • Pluggable design allows you to develop plugins and ecosystem integration
  • Provides SDK which allows you to develop your own client
04

Multi-registry support

  • It supports push and store signatures alongside the artifacts in OCI registries, such as Docker Hub, ACR, Zot registry, etc.
  • Portable and immutable, you can copy an artifact with its signature across registries
05

Community-
driven

  • 100% open source, built and improved by the active communitye
  • 100+ contributors in total, from multiple organizations
  • Fast iteration cadence and open community governance

Adopted and trusted by

Industry-leading enterprises and organizations are using the Notary Project for research, production, and integration with security products. If you are using the Notary Project, please share your case with us

Aqua logo

AWS team is using and contributing to Notation, building the cryptographic signing services for customers

Aqua logo

Notation is widely adopted by multiple Microsoft teams and services, such as Windows container team, AKS team, Azure Code Signing service, Ratify, etc.

Zot logo

Zot registry supports store Notation signature as OCI artifacts

Aqua logo

Docker Hub supports signing container images with Notation and storing signatures and other supply chain artifacts

News & Blogs

Notary fuzz test

Notation signatures as ORAS and OCI artifacts

March 17, 2023
Blog

The Notary Project is happy to announce the completion of its fuzzing security audit.

notary logo

Notation v1.0.0-RC.3 is available!

Mar 08, 2023
Blog

Notary project is a CNCF incubating project