Notary Project announces a major release!
The Notary Project maintainers are proud to announce a major release, including Notary Project specifications v1.0.0, notation v1.0.0, notation-go v1.0.0, and notation-core-go v1.0.0 which are ready for production use!
What is Notary Project and Notation?
As containers and cloud native artifacts become common deployment units, users want to make sure that they are authentic in their environments. The Notary Project is a set of specifications and tools intended to provide cross-industry standards for securing software supply chains through signing and verification, signature portability, and key/certificate management.
Notation is a sub-project of Notary Project, which consists of the notation CLI and two Golang libraries which implement the latest Notary Project specifications. Notation was started in Dec 2019 and the code has matured through a series of minor and RC releases over the last few years. The first version of the CLI and libraries, v0.7.0-alpha.1, was released in Oct 2021. Several alpha, beta, and RC releases later, the binaries reached the final v1.0.0-RC.7 release in May 2023.
Notable Capabilities in this Release
Here are some of the major capabilities and features included in this release.
The Notary Project specifications have reached their major release. All specifications, requirements, scenarios, the threat model, and security audit reports are available in this release. ISVs and tool developers that want to interoperate with Notary Project signatures and tooling should use the specifications to ensure compatibility.
- Notary Project OCI signature specification
- Notary Project OCI COSE signature envelope
- Notary Project OCI JWS signature envelope
- Notary Project OCI signing and verification workflow
- Notary Project signing scheme
- Notary Project Trust Store and Trust Policy
- Notation Plugin specification
Signing and verification functionalities
From the software producer’s perspective, signing a software artifact enables their consumers to detect tampering and ensure authenticity of the artifact. Signing software can also increase trust when distributing software artifacts to consumers. Notary Project provides the following core capabilities for the signing experience:
- Sign artifacts using signing keys stored securely in a key management system (KMS) or a signing service. See the available plugins in the section "Extensibility: plugin support for Notation".
- Sign artifacts as well as list and inspect signatures stored in OCI-compliant registries
- Support two signature envelope formats
- COSE: COSE is an efficient, binary envelope format that can be used for a variety of scenarios ranging from signing traditional software to IoT workloads running on low-powered devices.
- JWS: JWS is a widely used JSON-based envelope format that can be used for interoperability with existing applications and various authentication schemes including OIDC.
From the software consumer’s perspective, verifying the signature of a signed artifact ensures its integrity and authenticity. Notary Project provides the following core capabilities for the verification experience:
- Verify signatures using a trust store and trust policy. This also includes fine-tuned, OCI repository-specific trust policies and support for various enforcement levels (e.g. audit) to enable a wide range of scenarios. The notation policy command can be used to simplify the experience of importing and inspecting the trust policy.
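To make the repository-specific policy and enforcement-level behaviour concrete, here is an added example (written for this post, not code from the Notation project or the notation-go library) that resolves which trust policy entry governs a repository and which enforcement level results. It assumes the trustpolicy.json document shape from the Trust Store and Trust Policy specification; the policy names, registry, CA name and identity in the sample are constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// TrustPolicy mirrors one trustpolicy.json entry (local type for this example, not notation-go's own).
type TrustPolicy struct {
	Name                  string   `json:"name"`
	RegistryScopes        []string `json:"registryScopes"` // repository URIs, or the wildcard "*"
	SignatureVerification struct {
		Level string `json:"level"` // strict, permissive, audit or skip
	} `json:"signatureVerification"`
	TrustStores       []string `json:"trustStores"`
	TrustedIdentities []string `json:"trustedIdentities"`
}
// VerificationLevelFor returns the enforcement level a trust policy document applies to a repository.
// An exact registryScopes match beats the "*" wildcard; an uncovered repository, an unknown level,
// or a non-skip policy with no trust anchors all fail closed with an error.
func VerificationLevelFor(doc []byte, repo string) (string, error) {
	var d struct{ TrustPolicies []TrustPolicy `json:"trustPolicies"` }
	if err := json.Unmarshal(doc, &d); err != nil {
		return "", err
	}
	var match *TrustPolicy
	for i, p := range d.TrustPolicies {
		for _, s := range p.RegistryScopes {
			if s == repo {
				match = &d.TrustPolicies[i] // exact repository scope always wins
			} else if s == "*" && match == nil {
				match = &d.TrustPolicies[i] // wildcard applies only when nothing exact matched
			}
		}
	}
	if match == nil {
		return "", fmt.Errorf("no trust policy covers %q", repo)
	}
	lvl := match.SignatureVerification.Level
	if lvl != "strict" && lvl != "permissive" && lvl != "audit" && lvl != "skip" {
		return "", fmt.Errorf("policy %q: unknown level %q", match.Name, lvl)
	}
	if lvl != "skip" && (len(match.TrustStores) == 0 || len(match.TrustedIdentities) == 0) {
		return "", fmt.Errorf("policy %q: level %q needs trustStores and trustedIdentities", match.Name, lvl)
	}
	return lvl, nil
}
// Constructed sample: strict enforcement for one repository, audit-only catch-all for everything else.
var SamplePolicy = []byte(`{"version":"1.0","trustPolicies":[
{"name":"prod-images","registryScopes":["registry.example.com/team/app"],"signatureVerification":{"level":"strict"},
 "trustStores":["ca:example-ca"],"trustedIdentities":["x509.subject: C=US, O=Example Corp, CN=release-signer"]},
{"name":"everything-else","registryScopes":["*"],"signatureVerification":{"level":"audit"},
 "trustStores":["ca:example-ca"],"trustedIdentities":["*"]}]}`)
```

With the sample document, the production repository resolves to strict and any other repository to audit, while a document with no wildcard entry rejects unlisted repositories outright.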
Experimental features are intended for testing and evaluation purposes only and should not be used in production environments. Users can enable experimental features in the Notation CLI by setting the environment variable NOTATION_EXPERIMENTAL to 1 as shown below.
There are two major features which are marked as experimental.
- Signing, listing, and verifying artifacts with OCI image layout before they are pushed to a registry. This enables users to sign and verify artifacts stored on the local file system.
- OCI distribution referrers API. This allows the Notation CLI to fetch a list of signatures in an efficient and clean manner.
Extensibility: plugin support for Notation
Notation has an extensible design based on a plugin framework. This framework provides plugin interfaces for users and vendors to implement their own integrations with key/certificate management solutions or signing services. Currently, Notation has the following plugins available.
Integration with admission controller for Kubernetes usage
To enable users to verify and secure image deployment on Kubernetes, the Notary Project maintainers worked with the Ratify and Kyverno teams to provide solutions for verifying images signed by Notation before deploying them to Kubernetes. Users have two different options to build a complete end-to-end image integrity workflow for their environments. For more details, see:
- Sign and verify an image with Notation, Ratify, and OPA Gatekeeper
- Verify CNCF Notary Project signatures with Kyverno
As part of our commitment to security, the Notary Project maintainers engaged with CNCF to set up continuous fuzzing of the source code and completed a security audit in 2023. All vulnerabilities found during the testing and the audit were fixed before the release of the libraries and the CLI. Below are links to the security reports:
The Notary Project maintainers are considering the following features for future milestones. Feel free to reach out on the Slack channel or GitHub issues to ask questions, provide feedback, or share ideas.
- Sign and verify arbitrary blobs
- GitHub Actions and other CI/CD integration for signing and verification
- HashiCorp Vault plugin (experimental)
- Plugin lifecycle management
- Timestamping support
- Manage trust policy via CLI commands
The Notary Project release team wants to thank the entire Notary Project community for all the activity and engagement that has been vital for helping the project grow and reach this major milestone.