diff --git a/pkgs/tools/security/notation/default.nix b/pkgs/tools/security/notation/default.nix
new file mode 100644
index 00000000000..4c579f3f016
--- /dev/null
+++ b/pkgs/tools/security/notation/default.nix
@@ -0,0 +1,27 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "notation";
+  version = "1.0.0-rc.7";
+
+  src = fetchFromGitHub {
+    owner = "notaryproject";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-EM2QunSL88Am3zgKwgI94jET3xaVfvsa4MCtMZ3ejjU=";
+  };
+
+  vendorHash = "sha256-88PCnIm7nQB8jLzrfVOyDLXWX7RZeT31n1cwvb4Qza0=";
+
+  # This is a Go sub-module and cannot be built directly (e2e tests).
+  excludedPackages = [ "./test" ];
+
+  ldflags = [ "-s" "-w" ];
+
+  meta = with lib; {
+    description = "CLI tool to sign and verify OCI artifacts and container images";
+    homepage = "https://notaryproject.dev/";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ aaronjheng ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index aa04bb84101..9cfb3e21d67 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10754,6 +10754,8 @@ with pkgs;
 
   notary = callPackage ../tools/security/notary { };
 
+  notation = callPackage ../tools/security/notation { };
+
   notify-osd = callPackage ../applications/misc/notify-osd { };
 
   notes-up = callPackage ../applications/office/notes-up { };