notaryproject/notation v1.0.0-rc.1

on GitHub

🚀Notation CLI v1.0.0-rc.1 is now available! A tool to sign, store, and verify artifacts! Try it by following the quick start.

Notices

• BREAKING CHANGE: Notation v1.0.0-rc.1 is not compatible with signatures signed by previous Notation releases.
• BREAKING CHANGE: artifactType in signature manifest is changed to application/vnd.cncf.notary.signature
• BREAKING CHANGE: Only support registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec

Features

• Sign artifacts using signing keys stored securely in remote key stores
• Verify signatures using trust store and trust policy with fine-tuned configurations
• Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
• Support two signature envelope formats - JWS and COSE
• Support use of plugins for signing and verification
• Sign and verify using locally stored test keys/certificates for demonstration usage only
• notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
• Command sets in this release
  • notation sign: Sign OCI artifacts
    • Example: notation sign --key myKey localhost:5000/net-monitor@sha256:xxx
  • notation verify: Verify OCI artifacts
    • Example: notation verify localhost:5000/net-monitor@sha256:xxx
  • notation certificate: Manage certificates in trust store for verifying
    • Example: notation certificate add --type ca --store wabbit-networks wabbit-networks.crt
  • notation key: Manage keys used for signing
    • Example: notation key add mykey --plugin myKVplugin --id remoteKeyId
  • notation list: List signatures of the signed artifact
    • Example: notation list localhost:5000/net-monitor@sha256:xxx
  • notation login: Log in to a registry
    • Example: notation login registry.example.com -u username -p password
  • notation logout: Log out from a registry
    • Example: notation logout registry.example.com
  • notation plugin: Manage plugins
    • Example: notation plugin ls
  • notation version: Show the notation version information

Changes since last release

• Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
• notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
• Improved output messages when tags are used to identify the artifacts
• Updated CLI help doc
• Pass expiry to envelope-generator plugin

Detailed Commits

• Update quick start in readme file by @yizha1 in #428
• Bump ossf/scorecard-action from 2.0.4 to 2.0.6 by @dependabot in #411
• Bump actions/upload-artifact from 3.1.0 to 3.1.1 by @dependabot in #412
• Improve error message when default signing key is not set by @priteshbandi in #432
• Removed unreferenced images by @sajayantony in #433
• Feature/issue templates by @toddysm in #435
• Fixed issue with missing text for questions by @toddysm in #442
• Use minimum(user only) file permissions by @priteshbandi in #453
• update: update notation CLI with notation-go refactoring by @patrickzheng200 in #445
• update: updated plugin list command by @patrickzheng200 in #461
• doc: update CLI help doc for notation sign and verify in RC.1 by @FeynmanZhou in #454
• Pass expiry to envelope-generator plugin by @priteshbandi in #458
• spec: update cli sign spec for tag to digest translation by @yizha1 in #439
• spec: update cli verify spec for UX improvement by @yizha1 in #440
• feat: delete old dev release by @JeyJeyGao in #449
• update: updated CLI outputs of sign/verification by @patrickzheng200 in #450
• update: cleaned up dead code in CLI by @patrickzheng200 in #464
• feat: add --debug & --verbose flags & http request/response debug log by @JeyJeyGao in #457
• doc: add CLI help doc to notation key, cert, and notation plugin in RC.1 by @FeynmanZhou in #394
• feat: remove notation certificate/key rm alias by @JeyJeyGao in #467
• build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 by @dependabot in #465
• update: check if verification is skipped by trust policy by @patrickzheng200 in #468
• Build: bump up versions for rc.1 release by @yizha1 in #472

New Contributors

• @toddysm made their first contribution in #435

Full Changelog: v0.12.0-beta.1...v1.0.0-rc.1