Notation

Notation is a CLI project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures. This should be viewed as similar security to checking git commit signatures, although the signatures are generic and can be used for additional purposes. Notation is an implementation of the [Notary V2 specifications][notaryv2-specs].

Table of Contents

• Notation Quick Start
• Contributing
• Core Documents
• Community
• Release Management
• Support
• Code of Conduct
• License

Notation Quick Start

• Install the Notation CLI from [Notation Releases][notation-releases]

  curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v0.10.0-alpha.3/notation_0.10.0-alpha.3_linux_amd64.tar.gz
  tar xvzf notation.tar.gz -C ~/bin notation
  

• Run a local instance of the [CNCF Distribution Registry][cncf-distribution], with [ORAS Artifacts][artifact-manifest] support.

  docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v1.0.0-rc
  

• Build, Push, Sign, Verify the net-monitor software

  export IMAGE=localhost:5000/net-monitor:v1
  docker build -t $IMAGE https://github.com/wabbit-networks/net-monitor.git#main
  docker push $IMAGE
  notation cert generate-test --default --trust "wabbit-networks-dev"
  notation sign --plain-http $IMAGE
  notation list --plain-http $IMAGE
  notation verify --plain-http $IMAGE
  

Signatures are persisted as [ORAS Artifacts manifests][artifact-manifest].

Documents

• Hello World for Notation: Local signing and verification
• Build, sign, and verify container images using Notary and Azure Key Vault

Community

Development and Contributing

• Build Notation from source code
• Governance for Notation
• Maintainers and reviewers list
• Regular conversations for Notation occur on the Cloud Native Computing Slack notary-v2 channel.

Notary v2 Community Meeting

• Mondays 5-6pm pacific time, 8-9pm US Eastern, 8-9am Shanghai
• Thursdays 9-10am pacific time, 12pm US Eastern, 5pm UK

Join us at Zoom Dial-in link / Passcode: 77777. Please see the CNCF Calendar for community meeting details. Meeting notes are captured on hackmd.io.

Release Management

The Notation release process is defined in RELEASE_MANAGEMENT.md.

Support

Support for the Notation project is defined in supported releases.

Code of Conduct

This project has adopted the CNCF Code of Conduct. See CODE_OF_CONDUCT.md for further details.

License

This project is covered under the Apache 2.0 license. You can read the license here.