LLMpedia: The first transparent, open encyclopedia generated by LLMs

Notary (project)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Notary
Developer: The Docker community and Linux Foundation projects
Released: 2015
Programming language: Go
Operating system: Linux, Windows, macOS
License: Apache License

Notary (project) is an open-source initiative for providing a cryptographic trust system for content distribution and software supply chains. It enables publishers and consumers to sign, verify, and distribute metadata about artifacts, integrating with container platforms and registries maintained by organizations such as Docker, CNCF projects, and Linux Foundation initiatives. Notary uses well-known cryptographic primitives and integrates with ecosystem components including Docker Hub, Kubernetes, etcd, and HashiCorp Vault to provide end-to-end authenticity guarantees.

Overview

Notary implements a metadata signing and verification protocol inspired by The Update Framework (TUF) and designed to address threats observed in distribution systems like Docker Hub and in supply chains involving artifacts from GitHub, GitLab, and Bitbucket. The project provides a reference implementation that supports delegated signing, key rotation, and role separation consistent with practices from OpenSSL, GPG, and the public-key infrastructures used by Let's Encrypt and CA/B Forum models. Notary's goals intersect with initiatives such as sigstore and the Open Container Initiative, and with standards work by the IETF and OWASP.

Architecture and Components

Notary's architecture comprises a client, server, and a datastore backing the metadata; core components mirror patterns from TUF and RESTful API ecosystems. The Notary client, implemented in Go, interfaces with registries like Docker Hub and services such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure object stores. The Notary server exposes an API consumed by clients and integrates with storage backends like etcd, Consul, and PostgreSQL. Key management features interoperate with HSM solutions from Thales Group, Yubico, and secret managers such as HashiCorp Vault and AWS KMS. The metadata format borrows from provenance efforts like in-toto and signing systems used by RPM Packaging and Debian package archives.

Security Model and Threat Mitigation

Notary adopts a threat model addressing compromises similar to those studied in incidents such as the Heartbleed vulnerability, the Equifax breach, and container-image tampering events. By implementing delegated roles, threshold signing, and key rotation, Notary mitigates risks identified by researchers at MITRE and in publications from US-CERT and NCSC UK. The project uses cryptographic primitives standardized by NIST and leverages signing workflows compatible with OpenPGP and with X.509 usage defined in IETF RFCs. Notary defends against replay attacks, rollback attacks, and key compromise through timestamped metadata, secure update channels, and separation of duties mirroring controls from ISO/IEC 27001 and supply-chain guidance from NIST SP 800-161.
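As an added illustration (not Notary's own code), the following constructed Go sketch shows the three client-side checks the security model above relies on: threshold verification of a role's metadata by distinct trusted keys, rejection of rollback by version number, and rejection of expired metadata. The role names, the canonical byte layout, and the key ids are assumptions made for the example, not Notary's real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Metadata is a constructed, simplified stand-in for one TUF-style signed role file
// (root, targets, snapshot or timestamp); it is not Notary's real wire format.
type Metadata struct{ Role string; Version int; Expires time.Time }

// Canonical returns the bytes that get signed; binding role, version and expiry into
// them is what lets a client detect rollback and replay of stale metadata.
func (m Metadata) Canonical() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", m.Role, m.Version, m.Expires.UTC().Format(time.RFC3339)))
}

// Signature pairs a trusted key id with that key's signature over Canonical().
type Signature struct{ KeyID string; Sig []byte }
// RoleKeys is one role's trusted key set and signing threshold, as delegated by root.
type RoleKeys struct{ Keys map[string]ed25519.PublicKey; Threshold int }

// Verify applies the checks the security model relies on: the version must advance past the
// last trusted one (rollback), the metadata must be unexpired, and Threshold distinct keys must sign.
func Verify(m Metadata, sigs []Signature, rk RoleKeys, trustedVersion int, now time.Time) error {
	if m.Version <= trustedVersion {
		return errors.New("rollback: version not newer than trusted version")
	}
	if !now.Before(m.Expires) {
		return errors.New("expired metadata")
	}
	body, seen, valid := m.Canonical(), map[string]bool{}, 0
	for _, s := range sigs { // unknown and repeated key ids add nothing to the count
		if pk, ok := rk.Keys[s.KeyID]; ok && !seen[s.KeyID] && ed25519.Verify(pk, body, s.Sig) {
			seen[s.KeyID], valid = true, valid+1
		}
	}
	if valid < rk.Threshold {
		return fmt.Errorf("threshold not met: %d of %d valid signatures", valid, rk.Threshold)
	}
	return nil
}

func main() { // in-memory demo key; deployments keep role keys in an HSM or secret manager
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rk := RoleKeys{Keys: map[string]ed25519.PublicKey{"k1": pub}, Threshold: 1}
	md := Metadata{Role: "targets", Version: 2, Expires: time.Now().Add(time.Hour)}
	sig := Signature{KeyID: "k1", Sig: ed25519.Sign(priv, md.Canonical())}
	fmt.Println("verify:", Verify(md, []Signature{sig}, rk, 1, time.Now()))
}
```

Because the version and expiry are part of the signed bytes, a signature made over version 5 does not verify for a copy relabelled as version 6, which is what stops an attacker from re-serving old metadata as fresh.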

Use Cases and Integrations

Notary is used for signing container images in ecosystems built around Docker Engine, Kubernetes, Knative, and Helm charts, and for protecting artifacts distributed via JFrog Artifactory and Harbor. Integrations exist with CI/CD systems such as Jenkins, Travis CI, GitHub Actions, GitLab CI/CD, and CircleCI to automate signing as part of pipelines modeled on practices from Continuous Integration adopters like Google and Facebook. Enterprises employ Notary alongside secret stores like HashiCorp Vault and identity providers such as Okta and Microsoft Azure Active Directory to establish attestation and provenance in workflows influenced by DevOps and SecOps practices.

Development History and Governance

Notary originated from contributors at Docker and received community stewardship aligned with governance models practiced by The Linux Foundation and CNCF projects. Development occurred in public repositories with contribution and review workflows inspired by GitHub and governance documents patterned after successful projects like Kubernetes and Prometheus. Roadmaps referenced security research from Snyk and academic work from institutions such as University of California, Berkeley and Massachusetts Institute of Technology. Project governance included maintainers, a technical steering committee, and community SIGs similar to structures in OpenStack and Apache Software Foundation projects.

Adoption and Impact

Adoption of Notary occurred across cloud providers Amazon Web Services, Google Cloud Platform, Microsoft Azure, and enterprise platform vendors including Red Hat, VMware, and Pivotal Software. Its design influenced successor initiatives such as TUF implementations and modern provenance systems like sigstore and in-toto, and shaped security requirements incorporated into supply-chain policies by NIST, ENISA, and corporate standards at IBM and Intel. Notary's concepts informed container registry features in Docker Hub, Quay.io, and GitLab Container Registry, contributing to increased emphasis on artifact signing, provenance, and secure distribution across the software industry.

Categories: Software security; Free and open-source software