Notary Project: The Key To Secure Software Supply Chain - Yi Zha & Guillaume Gill

Yi Zha, Guillaume Gill

KubeCon + CloudNativeCon Europe 2025 · Session

The rapid adoption of cloud-native technologies and the increasing reliance on open-source components have made software supply chain security critical. This talk, presented by Notary Project maintainer Yi Zha from Microsoft and Guillaume Gill, Technical Lead Architect at OnLogic, examines how the **Notary Project** addresses fundamental challenges in this domain. As an incubating project within the Cloud Native Computing Foundation (CNCF), Notary Project provides a standards-based framework and tooling to ensure the **authenticity** (the artifact was signed by an identity the consumer chooses to trust) and **integrity** (the artifact has not changed since it was signed) of cloud-native artifacts. The core problem it solves revolves around two questions: "How can I trust the container images or other artifacts I use?" and "How can I ensure these artifacts haven't been maliciously modified during publishing or distribution?"

AI review

This presentation on the Notary Project provides a robust and practical deep dive into securing the software supply chain for cloud-native environments. Delivered by a project maintainer and a real-world implementer, it clearly outlines how Notary Project, through its standards-based tooling and extensible plugin architecture, offers critical solutions for artifact authenticity and integrity. The discussion of multi-level attestation and the `notation blob` feature demonstrates a mature and highly impactful defensive innovation that every organization serious about supply chain security…

Watch on YouTube