The Notary Project: Signing and Verifying Software Artifacts
Shriira Press
Trust the artifacts you run. Cryptographically sign container images and OCI artifacts, then verify them against a trust policy — securing the software supply chain with notation.
Welcome to The Notary Project: Signing and Verifying Software Artifacts.
The Notary Project is the CNCF solution for signing and verifying software artifacts — establishing authenticity (who published it) and integrity (that it is unaltered), especially for OCI container images in registries, so that you only run trusted artifacts. This free book teaches it from the ground up: the supply chain trust problem and what the Notary Project is; supply chain security and cryptographic signing concepts; its architecture (the notation tool, signatures stored in OCI registries, trust stores and policies, open specs); signing artifacts with notation; trust stores and trust policies (configuring who and what to trust); verification (checking signatures against policy and deciding accept/reject); signing identities and keys (certificates, protecting keys with KMS/HSM, rotation and revocation); OCI registries and signatures (the referrers mechanism); integration and enforcement (signing in CI/CD, verifying at Kubernetes admission); and using the Notary Project in practice. Ten focused chapters with clear diagrams make supply chain trust concrete — publishers sign artifacts with protected keys, signatures live in the registry, and consumers verify against a trust policy enforced at deploy time, so only authentic, unaltered, trusted artifacts run.
This title is part of the Shriira library and is free to read in full, right here — our small contribution to making world-class knowledge easy to reach.
A note on reading it: open the Contents menu at the top of the reader to jump between chapters, and use the Aa menu to set a comfortable text size, theme (light, sepia, or night), and single- or two-page layout. Your place is saved automatically, so you can always pick up where you left off.
We hope it serves you well.
— Shriira Press