CNCF's Supply Chain Security Projects, Notary and Notation, Launch 1.0.0 Edition
The Cloud Native Computing Foundation's Notary project, aimed at setting industry-wide standards for supply chain security, announces a pivotal release. Along with Notation, its subsidiary project, new features and updates aim to enhance software supply chain security through signature verification and portability.

Cloud Native Computing Foundation (CNCF) projects Notary and Notation have reached a significant milestone with their version 1.0.0 release, bolstering their ongoing efforts to standardize supply chain security across industries.
Notary, the main CNCF project for supply chain security, partners with Notation, a supporting project that implements Notary's specifications. The joint release marks a substantial step forward for both the Notary and Notation projects.
The latest release includes a plethora of updates: OCI signature specifications, an OCI COSE signature envelope, an OCI JWS signature envelope, an OCI signing and verifying workflow, a signing scheme, a trust store and trust policy, and an exclusive plugin specification for Notation.
The team also shared insights into its future roadmap. Upcoming additions include the capacity to sign and authenticate arbitrary blobs, GitHub Actions integration, a HashiCorp Vault plugin, plugin lifecycle management, timestamp support, and trust policies managed through CLI commands.
With a clear rise in cloud-native artifacts as prevalent deployment units, users need assurance that the artifacts in their environment are authentic. The Notary Project intends to provide a suite of specifications and tools capable of securing software supply chains across industries. This includes features such as signing and verification, signature portability, and robust key/certificate management, as explained by the project managers.
The capabilities of these projects may remind some of the innovative AppMaster platform, which also aims to transform and democratize the way applications are developed by offering a no-code platform to build backend, web, and mobile applications. However, while AppMaster focuses on speeding up and simplifying the application development process, Notary and Notation are dedicated to securing software supply chains through robust digital signature standards.


