Skip to content

Adoption & Ecosystem

Who uses it

These are organizations and services with a citable connection to Notary Project signing. Other names are omitted because the dossier did not establish them.

OrganisationUse caseSource
Microsoft Azure Container Registry / AKSNotary Project signing offered as the replacement for the deprecated Docker Content Trust; Artifact Signing is GAsource 6, source 7
AWS SignerContainer image signing workflow built on Notationsource 8
HarborStores Notary Project signatures alongside artifacts in the registrysource 1
Zot registryStores Notation signatures as OCI artifactssource 1

Adoption signals

Measured from the GitHub API on 2026-06-24:

  • notaryproject/notation: 487 stars, 95 forks, 66 open issues, 40 contributors.
  • notaryproject/specifications: 177 stars.
  • notaryproject/notary (the older TUF-based v1, a separate project and out of scope here): 3286 stars.

The CNCF project page records acceptance as Incubating and a second completed security audit in 2025 (source 2).

Ecosystem

  • Ratify (CNCF Sandbox): enforces verification at Kubernetes admission time.
  • Kyverno: image verification rules.
  • notation-action: GitHub Actions integration.
  • notation-hashicorp-vault: a signing plugin backed by HashiCorp Vault.
  • ORAS (oras.land/oras-go/v2): the registry client notation builds on (cmd/notation/registry.go:100).
  • RFC 3161 timestamping via tspclient-go (cmd/notation/sign.go:214-230).

Alternatives

AlternativeDiffers by
Sigstore / cosignKeyless signing with OIDC identities, Fulcio short-lived certs, and the Rekor transparency log. Notation instead relies on standard X.509 PKI and existing CA trust, with no transparency-log dependency (source 13)
Docker Content Trust (Notary v1)TUF-based, with signatures held in a separate server, no cross-registry portability, and one signature per image. Notation is its successor and stores portable signatures as OCI Referrers (source 10)

Pick Notation when you already run a CA or PKI and want signatures that travel with the artifact across registries. Pick Sigstore/cosign when you want keyless signing with short-lived identities and a public transparency log.