notation
« Back to VersTracker
Description:
CLI tool to sign and verify OCI artifacts and container images
Type: Formula  |  Latest Version: 1.3.2@0  |  Tracked Since: Dec 26, 2025
Links: Homepage  |  formulae.brew.sh
Category: Security
Tags: security oci signing devops supply-chain
Install: brew install notation
About:
Notation is a CLI tool designed to sign and verify OCI artifacts and container images, ensuring supply chain integrity. It implements the Notary Project specifications, providing a platform-agnostic standard for adding cryptographic signatures to software artifacts. This enables organizations to trust the origin and integrity of their deployments across diverse registries.
Key Features:
  • Platform-agnostic signing for OCI artifacts
  • Support for X.509 certificate chains and Key Management Services (KMS)
  • Pluggable signature format and storage backends
  • Integration with existing CI/CD pipelines
Use Cases:
  • Signing container images in CI to prevent tampering
  • Verifying artifact integrity before deployment in production
  • Enforcing policy-based deployment using signature verification
Alternatives:
  • cosign – Part of the Sigstore project; uses ephemeral keys and transparency logs by default, whereas Notation focuses on the Notary Project standard and long-lived certificate chains.
  • docker trust – Docker's native trust command; relies on TUF and is specific to Docker Hub/Engine, while Notation is OCI-native and vendor-neutral.
Version History
Detected Version Rev Change Commit
Dec 26, 2025 6:35pm 1.3.2 0 VERSION_BUMP e38aa253
Oct 9, 2025 4:49pm 0 VERSION_BUMP fdd0c1b4
Sep 16, 2025 3:53pm 0 VERSION_BUMP 0536fdd5