Many tools are appearing to make the software supply chain easier to secure for everyone and to provide security best practices for enterprises. Notary v2 is the next generation of the original signing project Notary, aiming to provide signing and verification capabilities that are both usable and secure.
Notation is the CLI tool of Notary v2, recently released as v0.11.0 alpha.4. It supports creating cryptographic signatures in a COSE envelope for container images, so that you can make sure that the image someone produced is the same one that you are using, and that it has not been tampered with on the way.
ORAS is a generic OCI registry client for distributing secure supply chain artifacts across clouds and on-prem. Ratify enables Kubernetes clusters to verify artifact security metadata prior to deployment and to admit for deployment only those artifacts that comply with an admission policy that you create.
In this session, Feynman will demonstrate how to secure your container supply chain with Notation, ORAS, Ratify, and an SBOM tool, delivering an end-to-end user experience in a container environment.