grafeas VS notation

Grafeas: While Grafeas offers a comprehensive solution for the software development lifecycle, it is not designed for public or open-source software (OSS) image verification. It's better suited for first-party integration, particularly with Google Kubernetes Engine (GKE).

https://github.com/grafeas/grafeas 1.4k stars, updated last week

Yes I have been looking at this notably related to relationships to vulnerabilities and leveraging grafeas. Which uses a resource uri to relate to a container but could equally be an os on a host. As we use azure, aws, google and have on premise I agree makes some sense to do this. My use case is somewhat easier as DNS names make some sense but the base part of resource has to indicate it is on premise and has to name space independent of the cloud so using the core company DNS name in a similar way the cloud providers do. Other than that looking to leverage many of concepts in grafeas.

Notary v2: The evolution to Notary v2 brought improvements in signature portability and integration with third-party key management solutions. However, it does not provide a certificate authority, leaving public key discovery for open-source image verification as an unresolved issue.

Notation

Notation is another command-line too that lets you digitally sign artifacts. And those signatures essentaily become the stamps of approval for the different things in your software supply chain. For example, container images.

Notary is the CNCF project name and is often referenced when referring to the process of signing digital artifacts, but Notation is the command line tool that does the heavy lifting. Run the following commands to install Notation.

It should be interoperable, that's the goal. I proposed some idea for nv2 here: https://github.com/notaryproject/nv2/issues/39 and here: https://github.com/notaryproject/nv2/issues/40 too.