Automic VaultAutomic Vault

brew

Install notation with Homebrew, Nix, winget

CLI tool to sign and verify OCI artifacts and container images. Version 1.3.2 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install notation

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#notation

nixpkgs package indexes · pkgs/by-name/no/notation/package.nix · source: api.github.com

Windows

Windows Package Managerverified · 92%
winget install --id NotaryProject.Notation -e

Windows Package Manager source index · NotaryProject.Notation · source: cdn.winget.microsoft.com

overview

Package summary

CLI tool to sign and verify OCI artifacts and container images

Commands and aliases

  • notation

history

Project history and usage

Notation is the Notary Project command-line implementation for signing and verifying OCI artifacts and container images. Its role is narrower than a general packaging or registry client: it exists to put signatures into the OCI registry ecosystem and to enforce trust policy when artifacts are pulled or promoted.

Project history

The public tag history for notaryproject/notation starts with v0.7.0-alpha.1 on 2021-10-20, followed by a long alpha and release-candidate line before the first stable v1.0.0 release on 2023-08-15. The v1.0.0 release notes describe it as the CLI reference implementation of the Notary Project Specifications v1.0.0 and call out signing, verification, signature inspection, registry authentication through Docker credential stores, plugin support, trust policy, trust stores, and certificate revocation support.

The project sits inside the broader Notary Project, which is a CNCF Incubating project. That matters for adoption because Notation is not just a standalone CLI: it is tied to a standards-oriented supply-chain security effort around OCI registries and signatures.

Adoption history

Adoption is strongest in container supply-chain security workflows rather than general developer CLI usage. The README points users at quickstarts for signing and validating container images and at cloud-provider integrations such as Azure Key Vault and AWS Signer. Homebrew analytics are modest, with 256 installs over the 365-day window reported by the formula JSON, which fits a specialized security tool rather than a broad daily shell utility.

How it is used

Package nerds use notation where signatures need to be attached to images or other OCI artifacts and then verified by policy. The practical loop is: authenticate to a registry, sign an artifact, inspect or list signatures, configure trust stores and trust policy, and verify before promotion or deployment. Plugin support is important because signing keys often live in KMS systems rather than local files.

Why package nerds care

Notation is significant because it is one of the concrete tools package and registry people reach for when discussing OCI-native signatures. Its value is less about command-line ergonomics and more about being the executable face of the Notary Project specifications.

Timeline

  • 2021-10-20: v0.7.0-alpha.1 tag in the public repository.
  • 2023-08-15: v1.0.0 release announced as the first stable Notation CLI V1 release.
  • 2025-04-24: v1.3.2 tag, the stable version packaged by Homebrew in the checked formula metadata.
  • 2025-03-12: v2.0.0-alpha.1 tag appeared, showing active work beyond the 1.x line.

Related projects

  • Notary Project specifications, OCI image/distribution specifications, ORAS, Docker credential stores, Azure Key Vault, AWS Signer.

security posture

Risk level: orange

broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • broad file, network, media, or database tool signal
  • infrastructure mutation or orchestration signal

Signals

  • text:container
  • text:image

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Linux
~/.config/notation/config.json
macOS
~/Library/Application Support/notation/config.json
Windows
~/AppData/Roaming/notation/config.json

Credential files

Credential-bearing paths to review before unattended agent runs.

Linux
~/.config/notation/config.json~/.config/notation/signingkeys.json~/.docker/config.json
macOS
~/Library/Application Support/notation/config.json~/Library/Application Support/notation/signingkeys.json~/.docker/config.json
Windows
~/AppData/Roaming/notation/config.json~/AppData/Roaming/notation/signingkeys.json

executables

Installed executables

CommandKindExposureNote
notationcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.3.2
manager updated
local dataok
upstreamcurrent
latest detectedv1.3.2

https://github.com/notaryproject/notation

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:notation
Version1.3.2
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/notation
Homepagehttps://notaryproject.dev/
Repositoryhttps://github.com/notaryproject/notation
Upstream docshttps://github.com/notaryproject/notation#readme
LicenseApache-2.0
Source archivehttps://github.com/notaryproject/notation/archive/refs/tags/v1.3.2.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namenotation
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

notation

nix profile install nixpkgs#notation
  • normalized package name match
  • Matched by: Notation
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/no/notation/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
winget95%

NotaryProject.Notation

winget install --id NotaryProject.Notation -e
  • normalized package name match
  • Matched by: Notation
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: NotaryProject.Notation from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment