Glossary

Notary Project

The Notary Project refers to the GitHub organization, the community, all specifications, and all the repositories under the GitHub organization, including community-released tools like notary and notation.

Notary

Notary is a TUF (The Update Framework) based artifact signing implementation. It consists of a server and client components. The server infrastructure tightly integrates with the container registry and keeps track of the images pushed to the registry. The client component is referred to as the notary command-line interface (CLI), which handles tasks such as signing and pushing container images to a registry and updating metadata. The CLI communicates with the registry and the key and metadata management server component. The most prominent use of this implementation is in Docker Content Trust (DCT). The server and the client implementation can be found in the notary repository under the Notary Project organization.

Notation

Notation, based on new set of specifications unrelated to TUF, is a newer implementation from the Notary Project. It refers to the implementation of the Notation CLI and the Notation libraries. Notation offers signing and verification workflows for OCI artifacts, enables signature portability across OCI-compliant registries, and facilitates integration with third-party key management solutions through a plugin model. The CLI itself is referred to as the Notation CLI while the libraries are referred to as the Notation-Go library and the Notation-Core-Go library. Stakeholders can use libraries independently of the Notation CLI for integrating Notation with their own client tools.

Notary Project Specifications

Notary Project Specifications, mainly created between years 2021-2022, are a collection of specifications distributed across “subprojects” within the Notary Project. Notation CLI and libraries have implemented these specifications, which are also utilized by other OSS projects and/or vendor tools that seek to interoperate with the Notary Project tooling. These specifications are stored in the specifications repository under the Notary Project.

Notary Project specifications are categorized into:

OCI Signature Specifications: These specifications are specific to the Open Container Initiative (OCI). It describes how the Notary Project’s Signing Scheme is applied to signatures stored in OCI registries. This category includes the following specifications:

• Notary Project OCI Signature Specification
• Notary Project OCI Signing and Verification Workflow
• Notary Project OCI COSE Envelope
• Notary Project OCI JWS Envelope

Signing Scheme Specification: The Signing Scheme Specification is not specific to any particular storage method. It describes the supported signing schemes. Any tool that supports those schemes might be able to produce signatures that are compatible with Notary Project tools. The specification under this category includes the Notary Project Signing Scheme.

TUF

TUF refers to The Update Framework. A tuf repository under the Notary Project organization is intended for prototyping the storage of TUF metadata in OCI-compliant registries. It is not under active development at the moment.