Overview
Introduction
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. Notation Project specifications and tooling provides signing and verification workflows for OCI artifacts, signature portability across OCI compliant registries, and integration with 3rd party key management solutions through a plugin model. Notary Project is also the name of the GitHub organization that has multiple prominent subprojects like Notation, Notary Project specifications, and Notary. Very often we use the name Notary Project to refer to all the above as well as the community that drives the specifications and the implementations. To learn more about Notary Project terms, please refer to the FAQ.
Here is a list of repositories under the Notary Project organization
| Repository | Description |
|---|---|
| .github | This repository contains the Notary Project governance and other common documents that are shared across all repositories under the Notary Project organization. |
| meeting-notes | This repository contains the archived meeting notes. |
| notary | This repository contains the source code for the server and the client of the initial TUF-based implementation circa 2016. |
| specifications | This repository contains the latest Notary Project requirements, scenarios, specifications, and security audits to overcome the challenges from the initial implementation of 2016. |
| notaryproject.dev | This repository contains the source code and content for the Notary Project website. |
| notation | This repository contains the source code for the convenient CLI implementation of the new Notary Project specifications. |
| notation-go | This repository contains the source code for the convenient Golang library implementation of the new Notary Project signing and verification flow. |
| notation-core-go | This repository contains the source code for the Golang library implementation of the Notary Project signature (hereafter “Notary Project signature”) specification and wrapping (COSE and JWS). |
| roadmap | This repository is intended for keeping track of development activities in the Notary Project. It may be retired in the future as feature request and milestones are moved to the appropriate repositories. |
| tuf | This repository is intended for prototyping the storage of TUF metadata in OCI-compliant registries. It is not under active development at the moment but there are plans to revive it in the future. |
Project status
The Notary Project is in active development. The latest release announcements are published on the Notary Project blog. The Notary Project community uses the project board for project planning and status tracking. You can also use GitHub milestones to track the progress of each repository:
- The Notary Project specification milestones
- notation CLI milestones
- notation-go library milestones
- notation-core-go library milestones
- notary milestones
Security
The Notary Project has a continuous fuzz testing implemented for the following repositories: notary, notation-go, and notation-core-go.
In addition, the Notary Project has had several public security audits:
- Jul 7, 2023 by ADA Logics security audit covering
notation,notation-go, andnotation-core-gorepositories. - Mar 21, 2023 by ADA Logics fuzz testing audit covering
notary,notation-go, andnotation-core-gorepositories. - August 7, 2018 by Cure53) covering TUF and the
notaryrepository. - July 31, 2015 by NCC covering
notaryrepository.
Community
You can reach the Notary Project community and developers via the following channels:
- Join the Notary Project Slack channel for discussions and to ask questions.
- Follow the @NotaryProject for news about the Notary Project.
- Join the Notary Project community meetings to stay on top of the latest discussions and development activities.
- Active meeting notes are captured at the Notary Project meeting notes
- Archived meeting notes are stored in the meeting-notes repository