ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

NOTARY-V2-OCI

Notary V2 Notation OCI image signing keys-based.

Definition

Notary V2 / Notation features: (1) Signing: notation sign command, uses CA-issued X509 certificates (Azure Key Vault, AWS KMS, Google KMS, HashiCorp Vault, files), produces COSE_Sign1 or JWS signature, attaches OCI Artifact alongside image via OCI Distribution Spec referrers API. (2) Verification: notation verify command, validates signature against trust policy (.trust-policy.json) defining trusted CAs + trusted identities. (3) Trust Policy: JSON config specifying trusted identities (registry-scoped, repository-scoped, global). (4) Signature formats: COSE Sign1 (default), JWS (legacy). (5) Plugins: KMS signing plugins extensible. Comparison Cosign vs Notation: Cosign keyless OIDC (Public Good Sigstore-managed), Notation keys-based (enterprise PKI managed), recent interoperability efforts via OCI Artifact spec convergence. Adoption: Microsoft Azure Container Registry ACR native Notation support, AWS ECR Pull-through Cache, Docker Hub planning Notation. ~5-10% supply chain signing 2024 (vs ~90% Cosign).

Origin

Notary V1 historic Docker Inc 2015 (CNCF Incubating closed 2020) ; Notary V2 Working Group CNCF launched 2020 ; rebrand Notation 2022 ; CNCF Sandbox + Incubating ; primary committers Microsoft Azure, AWS, ByteDance, IBM, etc.

Example in context

Microsoft Azure Container Registry ACR client signs production container image via Notation: notation sign --signature-format cose mcr.microsoft.com/dotnet:8.0, uses Azure Key Vault for key storage, COSE_Sign1 signature attached to OCI Artifact in ACR ; AKS Kubernetes admission controller policy verifies via notation verify before deployment allow.

Last updated: May 16, 2026