FAQ

CodeNotary brings trust and integrity to digital assets. It allows development teams to strongly identify and track their digital assets and artifacts, such as libraries, builds, source code, containers, and dependencies, throughout the DevOps process. This way organizations can always guarantee the veracity and integrity of their digital assets to themselves as a team and to others outside the team. By using digital ledger technology, it creates an immutable chain of trust and for the first time enables zero trust to be infused into application development and operation.

CodeNotary allows software publishers to sign their source code and binaries in 1 simple step. Once signed, assets can easily be verified by their customers. Through the CodeNotary dashboard, software publishers can analyze the use of their signed assets: when they were signed, how many times they have been verified, and by whom. Finally, when an asset must be retired from the market because it’s buggy or obsolete, software publishers can quickly recall it by revoking its signature. CodeNotary uses the blockchain to notarize signatures, instead of old-fashioned Digital Certificate Authorities.

vChain is the company behind CodeNotary. It’s based in the US. You can read more about vChain at www.vchain.us

In CodeNotary terms, an asset, or software asset, is any type of software application or component, such as a piece of code, a binary, an application, a container or server image, a repository, a script, a patch/fix, etc.

Software assets can have three statuses in CodeNotary:

  1. Trusted
  2. Untrusted
  3. Unsupported
  4. Unknown

A software asset signed by its owner is set to ‘Trusted’ status. The same owner can decide to untrust it, meaning that the software should not be used by any customer. The asset will then appear to all CodeNotary users as ‘Untrusted’. Also, if the software becomes obsolete or simply unsupported, its owner can change its status to ‘Unsupported’. Both the ‘Untrusted’ and ‘Unsupported’ statuses push a notification to upgrade to the customers of that software asset. Lastly, any asset that has never been signed using CodeNotary is categorized as ‘Unknown’.

An asset’s level represents the software publisher’s identification level at the time the asset was signed. In CodeNotary there are 4 levels: L1, L2, L3, L4. For more information on the software publisher’s level, see the “What is the software publishers’ level?” section below.