Sample video from KubeCon NA 2023: https://youtu.be/VBPPX5X5xxQ?si=w3yWTodArjsKV_JJ
Slide for this script: https://docs.google.com/presentation/d/1zF4bId7ok_zKcXY6RvAcppSjiaSc7k57uhBtBMmUs90/edit?usp=sharing
Notary Project is a set of tools and specifications intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts.
The Notary Project specification and tooling provide signing and verification workflows for OCI artifacts, signature portability across OCI-compliant registries, and integration with third-party key management solutions through an extensible plugin model.
The Notary Project recently released Notation v1.1.0, and Notation has now been adopted by many enterprises and vendors.
Let's look at the new and exciting updates from the Notary Project in recent releases.
First and foremost, the project has been rebranded as "Notary Project", with a new logo released! The original brand name "Notary" will no longer be used.
Meanwhile, several new functionalities are available in recent releases:
For example, the latest release, Notation v1.1.0, adds plugin lifecycle management and extends the plugin ecosystem: four Notation plugins are now available (AWS Signer, Azure Key Vault, HashiCorp Vault, and Venafi CodeSigning).
In addition, Notation supports signing and verifying artifacts on the local filesystem, which enables users to sign and verify artifacts in an air-gapped environment.
Moreover, Notation integrates with CI/CD systems (GitHub Actions, Azure DevOps), which helps users automate signing and verification workflows in their pipelines.
Another exciting update is arbitrary blob signing, which will be available in the next release: it extends the signable objects from OCI artifacts to arbitrary files. A typical scenario is that OSS project maintainers will be able to sign their release assets on GitHub using Notation blob signing.
Notation also supports timestamping, which enables users to continue trusting images that were signed before the signing certificate expired.
Last but not least, to enable users to verify images and secure image deployment on Kubernetes, we worked with the Ratify and Kyverno teams to provide solutions for verifying images signed by Notation before they are deployed to Kubernetes. Users have two different options for building a complete end-to-end image integrity workflow for their environments.
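As an added illustration of the Kyverno option mentioned above (this is not code from the Notary Project or the Kyverno project, and the image reference, policy name and certificate are placeholders), a Kyverno ClusterPolicy that verifies Notation signatures on Pod images against a trusted signing certificate before admission:

```yaml
# Added example: enforce Notation signature verification at admission time with Kyverno.
# Assumptions: the image repository ghcr.io/example-org/* and the certificate below are
# placeholders; replace them with your own repository and the CA/leaf certificate that
# signed your images.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-notary
spec:
  # Enforce rejects Pods whose images fail verification instead of only auditing them.
  validationFailureAction: Enforce
  background: false
  rules:
    - name: verify-notation-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - type: Notary
          # Only images matching these references are checked.
          imageReferences:
            - "ghcr.io/example-org/*"
          attestors:
            - count: 1
              entries:
                - certificates:
                    # PEM certificate that must chain to (or be) the signer of the image.
                    cert: |-
                      -----BEGIN CERTIFICATE-----
                      <placeholder: paste your Notation signing certificate here>
                      -----END CERTIFICATE-----
```

With this policy installed, Kyverno looks up the Notation signature attached to each matching image in the registry, validates it against the listed certificate, and rejects the Pod if no valid signature is found; it also rewrites the image tag to its digest so that the verified content is what actually runs.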
Visit the Notary Project website and GitHub repository for more details.
If you have questions about the Notary Project, reach out to the project maintainers in the #notary-project channel of the CNCF Slack workspace. To hear more announcements and see live demos of the Notary Project, come and join us at the Maintainers Track and the project booth. We have prepared plenty of Notary Project swag for you! We wish you a wonderful KubeCon journey!