Notation is a project to add signatures as standard items in the registry ecosystem, and to build a set of simple tools for signing and verifying these signatures. This should be viewed as similar in security to checking git commit signatures, although the signatures are generic and can be used for additional purposes.
- Install the Notation CLI from Notation Releases

  ```bash
  curl -Lo notation.tar.gz https://github.com/shizhMSFT/notation/releases/download/v0.5.2/notation_0.5.2_linux_amd64.tar.gz
  tar xvzf notation.tar.gz -C ~/bin notation
  ```
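- Build, Push, Sign, Verify the `net-monitor` software

  ```bash
  export IMAGE=localhost:5000/net-monitor:v1
  # Build the image from the upstream repository and push it to the local registry
  docker build -t $IMAGE https://github.com/wabbit-networks/net-monitor.git#main
  docker push $IMAGE
  # Generate a test key and certificate, mark the key as default, and trust the certificate
  notation cert generate-test --default --trust "wabbit-networks-dev"
  # Sign the image, list its signatures, then verify them
  notation sign $IMAGE
  notation list $IMAGE
  notation verify $IMAGE
  ```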
Prototype 2 - signing and verifying OCI artifacts, using signatures persisted as ORAS Artifacts manifests
- Regular conversations for Notation occur on the Cloud Native Computing Slack channel.
- Please see the CNCF Calendar for community meeting details.
- Meeting notes are captured on hackmd.io.
This project has adopted the CNCF Code of Conduct. See CODE_OF_CONDUCT.md for further details.
This project is covered under the Apache 2.0 license. You can read the license here.