CNCF’s Notary and Notation get first full release

The Cloud Native Computing Foundation’s (CNCF) standardization projects for supply chain security, Notary Project and Notation Project, have received a major update with version 1.0.0, marking their first full release.

Notary Project and its derivative Notation are two development projects for cross-industry standards for software supply chain security. They allow companies and organizations to establish and declare that containers and other cloud-based services are authentic within their environments.

Notary Project offers a number of specifications and tools to provide standards for securing software supply chains. These include signing and verification, transferring (digital) signatures and key/certificate management.

Notation Project is a sub-part of Notary Project and focuses on implementing the Notary specifications.

New functionality

The 1.0.0 release is the first truly full release of the new standards for software supply chain security. New features include OCI signing and authentication, plugin support for Notation Project for Azure and AWS, integration with Kubernetes admission controllers and built-in security.

A diagram showing the use of Kymeo.

Future developments

In addition to the new release, the developers also hint at future developments. A later release will include the ability to sign and verify arbitrary blobs, integration with GitHub Actions, a HashiCorp Vault plugin and a lifecycle management plugin.

Furthermore, support for timestamps and the ability to manage trust policies via CLI commands will be added in an upcoming release.