Updated the README.md with overview details #32

Merged 25 commits, Aug 7, 2023

Commits (25)
badad11
Updated the README.md with overview details
toddysm Jun 11, 2023
0ee81ed
Removing a new line
toddysm Jun 11, 2023
fbb2ecd
Removed the PROJECTS document
toddysm Jun 11, 2023
6265b90
Addressed misspellings and other feedback.
toddysm Jun 13, 2023
5718b92
Update README.md
toddysm Jun 27, 2023
79e4a29
Update README.md
toddysm Jun 27, 2023
0829032
Update README.md
toddysm Jul 25, 2023
a8827c9
Update README.md
toddysm Jul 25, 2023
b868305
Update README.md
toddysm Jul 25, 2023
b302678
Addressed feedback from maintainers and CNCF
toddysm Jul 27, 2023
98baf68
Updated text on line 3 as proposed by gokarnm
toddysm Jul 27, 2023
96c665a
Updated line 5 as per TheFoxAtWork recommendation
toddysm Jul 27, 2023
e021fb0
Updated line 13 as per gokarnm suggestion
toddysm Jul 27, 2023
07094ca
Updated line 26 as per TheFoxAtWork suggestion
toddysm Jul 27, 2023
da7234e
Updated line 28 as per TheFoxAtWork suggestion
toddysm Jul 27, 2023
c95f939
Updated line 29 as per TheFoxAtWork suggestion
toddysm Jul 27, 2023
18735fe
Updated line 36 as per yizha1 suggestion
toddysm Jul 27, 2023
4e75197
Addressed more feedback from the community and CNCF
toddysm Jul 27, 2023
b4cf87a
Update README.md based on feedback
toddysm Aug 1, 2023
a94faae
Reversed order of security audits and updated text
toddysm Aug 1, 2023
e4c6704
Added year the Notary Project started.
toddysm Aug 1, 2023
e987d22
Updated paragraph for the signature specification.
toddysm Aug 1, 2023
7443db1
Updated text for the `notary` repository
toddysm Aug 1, 2023
9a16ee3
Added reference to the kick-off meeting notes.
toddysm Aug 3, 2023
9910cb4
Update README.md based on feedback
toddysm Aug 3, 2023
23 changes: 0 additions & 23 deletions PROJECTS

This file was deleted.

73 changes: 71 additions & 2 deletions README.md
@@ -1,2 +1,71 @@
# .github
Organization-wide repository for common governance documents.
# Notary Project Overview

The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. Notation Project specification and tooling provides signing and verification workflows for OCI artifacts, signature portability across OCI compliant registries, and integration with 3rd party key management solutions through a plugin model.

The Notary Project started in 2016 with an implementation for signing images in container registries and ensuring their integrity before deployment. The initial implementation uses [The Update Framework (TUF)](https://github.com/theupdateframework) and requires registries to host additional server infrastructure for managing signing keys and TUF metadata. This server infrastructure tightly integrates with the container registry and keeps track of the images pushed to the registry. There is also a client component in the form of the `notary` command line interface (CLI) that can be used by developers or CI/CD pipelines to sign and push container images and update the metadata. The CLI wraps the communication to the registry as well as to the key and metadata management server component. The most prominent use of this implementation is in Docker Content Trust (DCT). The server and the client implementation can be found in the [notary](https://github.com/notaryproject/notary) repository under the Notary Project organization.

Container images are portable artifacts that can move between registries. Due to the tight integration between the registry, key, and metadata management server component, portability of signatures and therefore images between registries is limited. To overcome the portability challenges by leveraging [Open Containers Initiative (OCI)](https://github.com/opencontainers) standards, and enable future flexibility and standardization, the Notary Project community decided to concentrate on specifications for helping enhance the software supply chains and provide reference implementations (refer to the [kick-off meeting notes](https://github.com/notaryproject/meeting-notes/blob/main/meeting-notes-2019.md) for details).

The first formal specification from the Notary Project is the [signature specification](https://github.com/notaryproject/notaryproject/blob/main/specs/signature-specification.md) that specifies how portable signatures wrapped in [COSE](https://github.com/notaryproject/notaryproject/blob/main/specs/signature-envelope-cose.md) or [JWS](https://github.com/notaryproject/notaryproject/blob/main/specs/signature-envelope-jws.md) envelopes can be produced. The specification defines the [signing and verification workflow](https://github.com/notaryproject/notaryproject/blob/main/specs/signing-and-verification-workflow.md) (aka _Notary Project signing and verification_), the [signing scheme](https://github.com/notaryproject/notaryproject/blob/main/specs/signing-scheme.md), the signature format and how to wrap the signature using COSE or JWS envelopes. A signature, also called a _Notary Project signature_, produced according to the Notary Project signature specification can be copied between OCI registries and validated in connected, occasionally connected, and disconnected environments without the need of additional server insfrastructure. The signature specification concnetrates only on specifying the signature and not how the keys and artifact metadata should be managed and stored. This allows signature portability and enables users to use existing key management systems to produce and consume the signatures. The signature specification is available in the [notaryproject](https://github.com/notaryproject/notaryproject/tree/main/specs) repository under the Notary Project.

The [notaryproject](https://github.com/notaryproject/notaryproject/) repository also contains information about the [requirements and scenarios](https://github.com/notaryproject/notaryproject/tree/main/requirements) that the Notary Project supports or plans to support as well as the [reports from security testing and audits](https://github.com/notaryproject/notaryproject/tree/main/security).

A reference implementation to produce and verify Notary Project signatures in Golang is provided in the [`notation-core-go`](https://github.com/notaryproject/notation-core-go) library. A convenience Golang library that interacts with OCI registries and manages the relation between a signed artifact and signatures is provided in the [`notation-go`](https://github.com/notaryproject/notation-go) library. `notation-go` provides an easy way to implement the signing and verification in Golang. The `notation-go` library is also used by the [`notation` CLI](https://github.com/notaryproject/notation) that can be used by developers and CI/CD pipelines to produce portable signatures and store them together with the signed artifacts in OCI-compliant registries. The `notation` CLI implements Notary Project specifications for signing and verification, and can also be used to verify signatures of artifacts stored in OCI-compliant registries. `notation-core-go` and `notation-go` libraries can be used independently from the CLI to implement the Notary Project signing and verification flows in other projects for securing software supply chains.

You can learn more about the Notary Project on the [notaryproject.dev](https://notaryproject.dev) website.

## Repositories

Here is a list of repositories under the Notary Project organization

| Repository | Description |
| ----- | -----|
| [.github](https://github.com/notaryproject/.github) | This repository contains the Notary Project governance and other common documents that are shared across all repositories under the Notary Project organization. |
| [meeting-notes](https://github.com/notaryproject/meeting-notes) | This repository contains the archived meeting notes. |
| [notary](https://github.com/notaryproject/notary) | This repository contains the source code for the server and the client of the initial TUF-based implementation circa 2016. |
| [notaryproject](https://github.com/notaryproject/notaryproject) | This repository contains the latest Notary Project requirements, scenarios, specifications, and security audits to overcome the challenges from the initial implementation of 2016. |
| [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) | This repository contains the source code and content for the [Notary Project website](https://notaryproject.dev). |
| [notation](https://github.com/notaryproject/notation) | This repository contains the source code for the convenient CLI implementation of the new Notary Project specifications. |
| [notation-go](https://github.com/notaryproject/notation-go) | This repository contains the source code for the convenient Golang library implementation of the new Notary Project signing and verification flow. |
| [notation-core-go](https://github.com/notaryproject/notation-core-go) | This repository contains the source code for the Golang library implementation of the Notary Project signature (hereafter "Notary Project signature") specification and wrapping (COSE and JWS). |
| [roadmap](https://github.com/notaryproject/roadmap) | This repository is intended for keeping track of development activities in the Notary Project. It may be retired in the future as feature request and milestones are moved to the appropriate repositories. |
| [tuf](https://github.com/notaryproject/tuf) | This repository is intended for prototyping the storage of TUF metadata in OCI-compliant registries. It is not under active development at the moment but there are plans to revive it in the future. |

## Project Status

The Notary Project is in active development. The latest release announcements are published on the [Notary Project blog](https://notaryproject.dev/blog/). The Notary Project community uses the [project board](https://github.com/orgs/notaryproject/projects/10) for project planning and status tracking. You can also use GitHub milestones to track the progress of each repository:

- [The Notary Project specification milestones](https://github.com/notaryproject/notaryproject/milestones)
- [notation CLI milestones](https://github.com/notaryproject/notation/milestones)
- [notation-go library milestones](https://github.com/notaryproject/notation-go/milestones)
- [notation-core-go library milestones](https://github.com/notaryproject/notation-core-go/milestones)
- [notary milestones](https://github.com/notaryproject/notary/milestones)

You can also check the release pages of each repository for the latest release binaries:

- [The Notary Project specification releases](https://github.com/notaryproject/notaryproject/releases)
- [notation CLI releases](https://github.com/notaryproject/notation/releases)
- [notation-go library releases](https://github.com/notaryproject/notation-go/releases)
- [notation-core-go library releases](https://github.com/notaryproject/notation-core-go/releases)
- [notary releases](https://github.com/notaryproject/notary/releases)

## Security

The Notary Project has a continuous fuzz testing implemented for the following repositories: `notary`, `notation-go`, and `notation-core-go`.

In addition, the Notary Project has had several public security audits:

- [Jul 7, 2023 by ADA Logics](https://github.com/notaryproject/notaryproject/blob/main/security/reports/audit/ADA-notation-security-audit-23.pdf) security audit covering `notation`, `notation-go`, and `notation-core-go` repositories.
- [Mar 21, 2023 by ADA Logics](https://github.com/notaryproject/notaryproject/blob/main/security/reports/fuzzing/ADA-fuzzing-audit-22-23.pdf) fuzz testing audit covering `notary`, `notation-go`, and `notation-core-go` repositories.
- [August 7, 2018 by Cure53](https://github.com/notaryproject/notary/blob/master/docs/resources/cure53_tuf_notary_audit_2018_08_07.pdf)) covering TUF and the `notary` repository.
- [July 31, 2015 by NCC](https://github.com/notaryproject/notary/blob/master/docs/resources/ncc_docker_notary_audit_2015_07_31.pdf) covering `notary` repository.

## Community

You can reach the Notary Project community and developers via the following channels:

- Join the [Notary Project Slack channel](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/) for discussions and to ask questions.
- Follow the [@NotaryProject](https://mobile.twitter.com/NotaryProject) for news about the Notary Project.
- Join the [Notary Project community meetings](https://notaryproject.dev/community/#community-meetings) to stay on top of the latest discussions and development activities.
- Active meeting notes are captured at the [Notary Project meeting notes](https://hackmd.io/_vrqBGAOSUC_VWvFzWruZw?view)
- Archived meeting notes are stored in the [meeting-notes repository](https://github.com/notaryproject/meeting-notes)
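Review bot: the overview paragraph names the wrong project in its second sentence: "Notation Project specification and tooling provides signing and verification workflows" should read "Notary Project specification and tooling provide signing and verification workflows", since the rest of this README describes `notation`, `notation-go` and `notation-core-go` as implementations of the Notary Project specifications, not as a separate project. Three smaller fixes in the same hunk: "insfrastructure" and "concnetrates" in the signature-specification paragraph should be "infrastructure" and "concentrates"; the Cure53 entry in the Security section has a stray closing parenthesis after the link target (`cure53_tuf_notary_audit_2018_08_07.pdf))`) that will render as a literal `)` after the link; and "The Notary Project has a continuous fuzz testing implemented for the following repositories" should be "The Notary Project has continuous fuzz testing for the following repositories". In the Repositories table, the `notaryproject` row says the repository contains "specifications, and security audits to overcome the challenges from the initial implementation of 2016", which reads as if the audits themselves overcome those challenges; suggest "contains the latest Notary Project requirements, scenarios, specifications, and security audit reports for the specification-based approach that replaced the initial 2016 implementation", which also matches the "started in 2016" wording in the overview better than "circa 2016" in the `notary` row. Finally, the audit list mixes abbreviated and spelled-out months ("Jul 7, 2023", "Mar 21, 2023", "August 7, 2018", "July 31, 2015"); pick one format.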