As containers and cloud native artifacts become common deployment units, users want to make sure that they are authentic in their environments. Notary Project is a set of tools and specifications intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts.
Notary Project specification and tooling provides signing and verification workflows for OCI artifacts, signature portability across OCI compliant registries, and integration with 3rd party key management solutions through an extensible plugin model. Notation is a sub-project of Notary Project, which consists of the notation CLI and two Golang libraries which implement the latest Notary Project specifications.
Notary Project is a CNCF Incubating project. We are pleased to share some exciting updates and live demos of Notary Project with its ecosystem partners at KubeCon + CloudNativeCon Europe and host a project booth for interactive communication in Paris.
Want to have the first glance at the exciting updates of Notary Project in 2024? This blog post gives you a pre-event preview.
Exciting updates for the upcoming KubeCon
Notary Project now has a new brand named “Notary Project”, with a new logo released! The original brand “Notary” will no longer be used. See the Glossary for reference.
Meanwhile, there are some new functionalities available in recent releases.
Notation v1.1.0 with easier plugin management
Notary Project announced Notation v1.1.0 on Feb 8, 2024. Notation now supports plugin lifecycle management and extends the plugin ecosystem; there are now four Notation plugins available:
- AWS Signer plugin for Notation
- Azure Key Vault for Notation
- Venafi CodeSign Protect Signing Plugin for Notation
- HashiCorp Vault plugin (experimental)
You can follow this interactive tutorial to try Notation CLI v1.1.0 in an online cloud playground or follow the quick start on your computer.
Integration with CI/CD
Notation integrates with a few popular CI/CD systems, including GitHub Actions and Azure DevOps. These integrations help users install Notation and automate the signing and verification workflows in their pipelines.
Sign and verify any arbitrary files
Another exciting update is arbitrary blob signing, which will be available in the next release. It extends the objects that can be signed from OCI artifacts to any arbitrary files. A typical scenario is that open-source project maintainers will be able to sign their release assets on GitHub.
Timestamped signature support
Notation will also support timestamping in the next release, enabling users to trust images that were signed before their certificates expired. Support for time-stamping (RFC 3161) extends the trust in a signature beyond the validity period of a certificate, so signers do not need to regularly re-sign images before their certificates expire.
Sign and verify artifacts in an air-gapped environment
In addition, Notation supports signing and verifying artifacts on the local filesystem. Users can sign images on local disk before pushing them to a remote registry. This enables users to sign and verify artifacts in an air-gapped environment, which helps improve their security posture.
Integration with admission controller for Kubernetes usage
To enable users to verify and secure image deployment on Kubernetes, the Notary Project maintainers worked with the Ratify and Kyverno teams to provide solutions for verifying images signed by Notation before deploying them to Kubernetes. Users have two different options to build a complete end-to-end image integrity workflow for their environments. For more details, see:
- Sign and verify an image with Notation, Ratify, and OPA Gatekeeper
- Verify CNCF Notary Project signatures with Kyverno
Connect with us at KubeCon!
For more announcements and live demos around Notary Project, come and join us at the Notary Project Maintainers Track on March 20, 2024, 14:30 – 15:05 CET, and meet us at the project booth. We have prepared plenty of Notary Project swag for you! We wish you a wonderful KubeCon journey!