Technology · Ebook
The Notary Project: Signing and Verifying Software Artifacts
by Shriira Press
The Notary Project is the CNCF solution for signing and verifying software artifacts — establishing authenticity (who published it) and integrity (it's unaltered), especially for OCI container images in registries, so you only run trusted artifacts. This free book teaches it from the ground up: the supply chain trust problem and what the Notary Project is, supply chain security and cryptographic signing concepts, its architecture (the notation tool, signatures stored in OCI registries, trust stores and policies, open specs), signing artifacts with notation, trust stores and trust policies (configuring who and what to trust), verification (checking signatures against policy and deciding accept/reject), signing identities and keys (certificates, protecting keys with KMS/HSM, rotation and revocation), OCI registries and signatures (the referrers mechanism), integration and enforcement (signing in CI/CD, verifying at Kubernetes admission), and using the Notary Project in practice. Ten focused chapters with clear diagrams that make supply chain trust concrete — publishers sign artifacts with protected keys, signatures live in the registry, and consumers verify against a trust policy enforced at deploy, so only authentic, unaltered, trusted artifacts run.
Contents
- Preface
- Chapter 1 — What the Notary Project Is
- Chapter 2 — Supply Chain Security and Signing
- Chapter 3 — Notary Project Architecture
- Chapter 4 — Signing Artifacts
- Chapter 5 — Trust Stores and Trust Policies
- Chapter 6 — Verification
- Chapter 7 — Signing Identities and Keys
- Chapter 8 — OCI Registries and Signatures
- Chapter 9 — Integration and Enforcement
- Chapter 10 — The Notary Project in Practice
