Scenarios we fit and problems we solve for
Signing and validating software artifacts, ensure they have not been tampered with and provide security policies to determine which validated artifacts are allowed to be used in your systems
Secure containers and K8s
For Developers
DevSecOps
For DevOps engineers
Auditing and Compliance
For Security Operators
Why the Notary Project is unique
The Notary Project is aiming to provide enterprise-grade solutions and cross-industry standards for securing software supply chain
Cryptographic Signing
- Support COSE and JWS signature format
- Not only images, it allows to sign and verify any software artifacts
- Built on standard PKI
- Support online and air-gapped signing scenario
Fine-grained security policy
- Able to custom trust policy and determine if a signed artifact is considered authentic
- Ensure artifacts are signed with trusted identities and from trusted registry
- Improve system integrity and authenticity
Easy to use and extensible
- Automating signing and verification into a few simple CLI commands
- Pluggable design allows you to develop plugins and ecosystem integration
- Provides SDK which allows you to develop your own client
Multi-registry support
- It supports push and store signatures alongside the artifacts in OCI registries, such as Docker Hub, ACR, Zot registry, etc.
- Portable and immutable, you can copy an artifact with its signature across registries
Community-
driven
- 100% open source, built and improved by the active community
- 100+ contributors in total, from multiple organizations
- Fast iteration cadence and open community governance
Adopted and trusted by
Industry-leading enterprises and organizations are using the Notary Project for research, production, and integration with security products. If you are using the Notary Project, please share your case with us
AWS team is using and contributing to Notation, building the cryptographic signing services for customers
Notation is widely adopted by multiple Microsoft teams and services, such as Windows container team, AKS team, Azure Code Signing service, Ratify, etc.
Zot registry supports store Notation signature as OCI artifacts
Docker Hub supports signing container images with Notation and storing signatures and other supply chain artifacts