Notary Project completes its second audit!

Posted on January 21, 2025

CNCF projects highlighted in this post

Community post cross-posted on the OSTIF blog by Helen Woeste, Communications Manager, the Open Source Technology Improvement Fund

OSTIF is proud to share the results of our second security audit of Notary Project. Notary Project is “a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts.” With the help of Quarkslab and the Cloud Native Computing Foundation (CNCF), this project continues to provide users with trusted software supply chain management.

Audit Process:

This audit of Notary Project was specifically scoped around two new cryptographic features. The audit team, Quarkslab, was chosen for their practical cryptography experience to work on this engagement. The audit report presents how Quarkslab installed and performed discovery of Notary Project tooling Notation, reviewed the code structure and quality, and analyzed the timestamping and certificate revocation. The audit team also created multiple figures to help illustrate Notation with examples of overall project functionality, flow of certificate chain verification, and global overview of the CRL verification.

Audit Results:

• 11 findings with Security Impact and Recommended Fixes
  • 1 Medium, 1 Low, 9 Informational
  • 2 CVEs issued for audit findings
    • CVE-2024-56138: notation-go timestamp signature generation lacks certificate revocation check
    • CVE-2024-51491: notation-go process crash during CRL-based revocation check on OS using separate mount point for temp Directory
• Review and Recommendations for 2 new Cryptographic Features
  • Timestamping Support
    • Time-Stamp Protocol Compliance
    • Time Stamp Analysis in Notation
  • Revocation Checking with Certificate Revocation List
    • Certificate Revocation List Compliance
    • CRL Analysis in Notation
• Future Security Work Recommendations

This was Notary Project’s third security audit and second audit in partnership with OSTIF. Practicing mature security practices, the three audits were all undertaken after implementation of new features with security impact. Notary Projects’s efforts to provide secure code to users was observable to the audit team, and is reflected by the reported findings and further recommendations for future security work. OSTIF wishes Notary Project the best on its path towards Graduation through the CNCF Incubating Projects program. 

Thank you to the individuals and groups that made this engagement possible:

• Notary Project maintainers and community, notably: Pritesh Bandi, Junjie Gao, Vani Rao, Shiwei Zhang, Yi Zha, Patrick Zheng, and Feynman Zhou
• Quarkslab: Dahmun Goudarzi, Sébastien Rolland, and Ramtine Tofighi Shirazi
• Cloud Native Computing Foundation

You can read the Audit Report HERE

Read Quarkslab’s blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact amir@ostif.org.