Notary, the CNCF project that provides cross-industry standards for supply chain security, has announced a major release.
This brings both the Notary Project and Notation Project to version 1.0.0. Notation is a sub-project that implements Notary specifications.
Included in this release are an OCI signature specification, OCI COSE signature envelope, OCI JWS signature envelope, OCI signing and verification workflow, signing scheme, Trust Store, Trust policy, and plugin specification for Notation.
The team also revealed what it’s working on next. This includes the ability to sign and verify arbitrary blobs, integration with GitHub Actions, a HashiCorp Vault plugin, plugin lifecycle management, timestamping support, and the ability to manage trust policies using CLI commands.
“As containers and cloud native artifacts become common deployment units, users want to make sure that they are authentic in their environments. The Notary Project is a set of specifications and tools intended to provide cross-industry standards for securing software supply chains through signing and verification, signature portability, and key/certificate management,” the project maintainers wrote in a blog post.