History
Origin
The project traces back to Notary, which Docker started in 2015 and later donated to CNCF. That first generation, also shipped as Docker Content Trust (DCT), was built on The Update Framework (TUF) as a separate server and client. It did not implement the current Notary Project specifications (source 3, source 10).
The successor effort, originally called "Notary v2", began in December 2019 as a multi-vendor working group with Docker, Microsoft, Google, and Amazon. It set out to fix concrete limitations of the TUF-based v1: signatures were not portable between registries, only one signature per image was supported, and OCI artifacts other than container images could not be signed (source 10).
Timeline
| Year | Milestone |
|---|---|
| 2015 | Docker starts Notary; later donated to CNCF as Notary v1 / Docker Content Trust (source 10) |
| 2017 | Notary Project accepted into CNCF as Incubating (source 2) |
| 2019 | "Notary v2" multi-vendor working group founded (source 10) |
| 2021 | Alpha of the new design (source 10) |
| 2023 | Major release; the name becomes "Notary Project" and the tool "Notation" (source 5) |
| 2025 | Second security audit completed (source 2) |
How it evolved
The most consequential shift was abandoning the TUF server model for storing signatures as OCI Referrers in the registry itself. This is what makes a signature portable across registries and what allows multiple signatures per artifact (source 10). The "Notary v2" label was retired with the 2023 major release; the umbrella is now "Notary Project" and the CLI is "Notation" (source 5).
The deprecation of Docker Content Trust has pushed adoption of the new design. Azure Container Registry began deprecating DCT on 2025-03-31, with full removal planned for 2028-03-31, and points users to Notary Project signing as the replacement (source 6).
Where it stands now
The latest stable release is v1.3.2 (2025-04-27); the main branch carries v2.0.0-alpha.1 development (internal/version/version.go:18). The module path is github.com/notaryproject/notation/v2. Governance runs through the published Notary Project GOVERNANCE document, the CNCF Slack #notary-project channel, and regular community meetings (source 11, source 1). A second security audit was completed in 2025 (source 2).