Standards-based spec and tooling for securing software supply chains

Signing and verifying artifacts. Safeguarding software delivery from development to deployment.

Contributed by the community, in collaboration with AWS, CNCF, Docker, and Microsoft

Scenarios we fit and problems we solve for

Sign and validate software artifacts, ensure they have not been tampered with, and provide security policies to determine which validated artifacts are allowed to be used in your systems

Secure containers and K8s

For Developers

DevSecOps

For DevOps engineers

Auditing and Compliance

For Security Operators

Why the Notary Project is unique

The Notary Project aims to provide enterprise-grade solutions and cross-industry standards for securing the software supply chain

01

Cryptographic Signing

  • Supports COSE and JWS signature formats
  • Signs and verifies any software artifact, not only images
  • Built on standard PKI
  • Supports online and air-gapped signing scenarios
02

Fine-grained security policy

  • Customizable trust policies determine whether a signed artifact is considered authentic
  • Ensures artifacts are signed with trusted identities and come from a trusted registry
  • Improve system integrity and authenticity
03

Easy to use and extensible

  • Automates signing and verification with a few simple CLI commands
  • Pluggable design allows you to develop plugins and ecosystem integrations
  • Provides an SDK that allows you to develop your own client
04

Multi-registry support

  • Supports pushing and storing signatures alongside the artifacts in OCI-compliant registries
  • Portable and immutable, you can copy an artifact with its signature across registries
05

Community-driven

  • 100% open source, built and improved by the active community
  • 100+ contributors in total, from multiple organizations
  • Fast iteration cadence and open community governance

Adopted and trusted by

Industry-leading enterprises and organizations are using the Notary Project for research, production, and integration with security products. If you are using the Notary Project, please share your case with us.

The AWS team uses and contributes to Notation, building cryptographic signing services for customers

Notation is widely adopted by multiple Microsoft teams and services, such as the Windows container team, the AKS team, the Azure Code Signing service, Ratify, etc.

Zot registry supports storing Notation signatures as OCI artifacts

Harbor supports storing Notary Project signatures alongside artifacts in the registry

News & Blogs

Bitnami now uses Notation for signing and verifying containers and Helm charts on Docker Hub

March 18, 2024
Blog

Bitnami-packaged open source software container images and Helm charts available in DockerHub are …

Notary Project announces Notation v1.1.0!

February 8, 2024
Blog

VMware Tanzu Application Catalog now uses Notation for signing and verifying OCI artifacts

December 19, 2023
Blog

Notary Project featured on the Enlightning Podcast

October 4, 2023
Blog

The Notary Project is a CNCF incubating project