macOS
brew install notationlocal Homebrew formula metadata
brew
CLI tool to sign and verify OCI artifacts and container images. Version 1.3.2 via Homebrew; verified from local package data.
install
brew install notationlocal Homebrew formula metadata
nix profile install nixpkgs#notationnixpkgs package indexes · pkgs/by-name/no/notation/package.nix · source: api.github.com
winget install --id NotaryProject.Notation -eWindows Package Manager source index · NotaryProject.Notation · source: cdn.winget.microsoft.com
overview
CLI tool to sign and verify OCI artifacts and container images
history
Notation is the Notary Project command-line implementation for signing and verifying OCI artifacts and container images. Its role is narrower than a general packaging or registry client: it exists to put signatures into the OCI registry ecosystem and to enforce trust policy when artifacts are pulled or promoted.
The public tag history for notaryproject/notation starts with v0.7.0-alpha.1 on 2021-10-20, followed by a long alpha and release-candidate line before the first stable v1.0.0 release on 2023-08-15. The v1.0.0 release notes describe it as the CLI reference implementation of the Notary Project Specifications v1.0.0 and call out signing, verification, signature inspection, registry authentication through Docker credential stores, plugin support, trust policy, trust stores, and certificate revocation support.
The project sits inside the broader Notary Project, which is a CNCF Incubating project. That matters for adoption because Notation is not just a standalone CLI: it is tied to a standards-oriented supply-chain security effort around OCI registries and signatures.
Adoption is strongest in container supply-chain security workflows rather than general developer CLI usage. The README points users at quickstarts for signing and validating container images and at cloud-provider integrations such as Azure Key Vault and AWS Signer. Homebrew analytics are modest, with 256 installs over the 365-day window reported by the formula JSON, which fits a specialized security tool rather than a broad daily shell utility.
Package nerds use notation where signatures need to be attached to images or other OCI artifacts and then verified by policy. The practical loop is: authenticate to a registry, sign an artifact, inspect or list signatures, configure trust stores and trust policy, and verify before promotion or deployment. Plugin support is important because signing keys often live in KMS systems rather than local files.
Notation is significant because it is one of the concrete tools package and registry people reach for when discussing OCI-native signatures. Its value is less about command-line ergonomics and more about being the executable face of the Notary Project specifications.
security posture
broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
~/.config/notation/config.json~/Library/Application Support/notation/config.json~/AppData/Roaming/notation/config.jsonCredential-bearing paths to review before unattended agent runs.
~/.config/notation/config.json~/.config/notation/signingkeys.json~/.docker/config.json~/Library/Application Support/notation/config.json~/Library/Application Support/notation/signingkeys.json~/.docker/config.json~/AppData/Roaming/notation/config.json~/AppData/Roaming/notation/signingkeys.jsonexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
notation | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/notaryproject/notation
install metadata
| Package key | brew:notation |
|---|---|
| Version | 1.3.2 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/notation |
| Homepage | https://notaryproject.dev/ |
| Repository | https://github.com/notaryproject/notation |
| Upstream docs | https://github.com/notaryproject/notation#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/notaryproject/notation/archive/refs/tags/v1.3.2.tar.gz |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | notation |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
notation
nix profile install nixpkgs#notationNotaryProject.Notation
winget install --id NotaryProject.Notation -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.