Standards-based spec and tooling for securing software supply chains

Signing and verifying artifacts. Safeguarding the software delivery security from development to deployment.

Contributed by the community, in collaboration with

AWS logo
CNCF logo
Docker logo
Microsoft logo

Scenarios we fit and problems we solve for

Signing and validating software artifacts, ensure they have not been tampered with and provide security policies to determine which validated artifacts are allowed to be used in your systems

Secure containers and K8s

For Developers

DevSecOps

For DevOps engineers

Auditing and Compliance

For Security Operators

Why the Notary Project is unique

The Notary Project is aiming to provide enterprise-grade solutions and cross-industry standards for securing software supply chain

01

Cryptographic Signing

  • Support COSE and JWS signature format
  • Not only images, it allows to sign and verify any software artifacts
  • Built on standard PKI
  • Support online and air-gapped signing scenario
02

Fine-grained security policy

  • Able to custom trust policy and determine if a signed artifact is considered authentic
  • Ensure artifacts are signed with trusted identities and from trusted registry
  • Improve system integrity and authenticity
03

Easy to use and extensible

  • Automating signing and verification into a few simple CLI commands
  • Pluggable design allows you to develop plugins and ecosystem integration
  • Provides SDK which allows you to develop your own client
04

Multi-registry support

  • It supports pushing and storing signatures alongside the artifacts in OCI compliant registries
  • Portable and immutable, you can copy an artifact with its signature across registries
05

Community-
driven

  • 100% open source, built and improved by the active community
  • 100+ contributors in total, from multiple organizations
  • Fast iteration cadence and open community governance

Adopted and trusted by

Industry-leading enterprises and organizations are using the Notary Project for research, production, and integration with security products. If you are using the Notary Project, please share your case with us

Aqua logo

AWS team is using and contributing to Notation, building the cryptographic signing services for customers

Aqua logo

Notation is widely adopted by multiple Microsoft teams and services, such as Windows container team, AKS team, Azure Code Signing service, Ratify, etc.

Zot logo

Zot registry supports store Notation signature as OCI artifacts

Aqua logo

Harbor supports storing Notary Project signatures alongside artifacts in the registry

News & Blogs

Notary fuzz test

Ratify Joins the Notary Project - Strengthening Software Supply Chain Security Together!

June 2, 2025
Blog

We’re excited to announce that Ratify has officially joined the Notary Project as a subproject after …

notary logo

Announcing Notation v2.0.0-alpha.1 to enable signing and verification of any arbitrary blob files!

March 18, 2025
Blog
notary logo

Notary Project Completes Its Second Audit!

January 21, 2025
Blog
notary logo

Notary Project announces Notation v1.3.0 and tspclient-go v1.0.0!

January 17, 2025
Blog

Notary Project is a CNCF incubating project