v1.0.0-rc.3

🚀Notation CLI v1.0.0-rc.3 is now available!

Notices

• BREAKING CHANGE: The default type of signature manifest is changed to image manifest. The flag --signature-manifest for notation sign command is experimental for users to store signatures using artifact manifest.

New Features

• notation sign command supports new flags to sign artifacts using on-demand keys
  • Example: notation sign --id <key_id> --plugin <key_vault_plugin> localhost:5000/net-monitor@sha256:xxx

Detailed Commits

• update: changed Sign to use OCI image manifest as default by @patrickzheng200 in #573
• feat(doc): simplify signing experience by @priteshbandi in #553
• doc: add label and notes for experimental features by @yizha1 in #577
• update: added [Experimental] label to the --signature-manifest flag by @patrickzheng200 in #580
• feat: simplify signing experience by @kody-kimberl in #579
• build: bump up version to v1.0.0-rc.3 by @yizha1 in #583

New Contributors

• @kody-kimberl made their first contribution in #579

Full Changelog: v1.0.0-rc.2.dev.20230226...v1.0.0-rc.3

v1.0.0-rc.2.dev.20230226

Notation Weekly Dev Build (2023-02-26T16:03:22Z)

Welcome to this Weekly Dev Build!

Changelog

• e47cf12 fix: fix the CODEOWNERS format issue (#564)

v1.0.0-rc.2

🚀Notation CLI v1.0.0-rc.2 is now available!

New Features

• New command for users to inspect signatures associated with signed artifacts
  • Example: notation inspect localhost:5000/net-monitor@sha256:xxx
• Support storing signatures in the registry using OCI image manifest
  • Example: notation sign --key mykey --signature-manifest image localhost:5000/net-monitor@sha256:xxx
• Support adding user defined metadata to signature payload
  • Example: notation sign --key mykey --user-metadata io.wabbit-networks.buildTime=1672944615 localhost:5000/net-monitor@sha256:xxx

Other Changes

• Introduced E2E testing framework and new E2E test cases
• Add --debug and --verbose flags for more commands
• Improved error messaging
• Bug fixes

Detailed Commits

• fix: add verification failed log by @JeyJeyGao in #469
• update: refactored notation list command by @patrickzheng200 in #481
• build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.5 to 2.0.0-rc.6 by @dependabot in #488
• build(deps): bump goreleaser/goreleaser-action from 3 to 4 by @dependabot in #487
• build(deps): bump dev-drprasad/delete-older-releases from 0.2.0 to 0.2.1 by @dependabot in #480
• build(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 by @dependabot in #486
• cleanup: clean up notation CLI by @patrickzheng200 in #485
• Fix: fixed notation cert command by @patrickzheng200 in #483
• update: added log to notation login and logout commands by @patrickzheng200 in #484
• update: added log to notation key and certificate commands by @patrickzheng200 in #478
• build(deps): Bump ossf/scorecard-action from 2.1.0 to 2.1.2 by @dependabot in #495
• doc: Remove outdated docs by @FeynmanZhou in #501
• test: e2e framework by @JeyJeyGao in #493
• build(deps): Bump actions/upload-artifact from 3.1.1 to 3.1.2 by @dependabot in #504
• doc: update notation sign and verify spec for metadata by @byronchien in #498
• doc: update to support OCI image manifest by @yizha1 in #502
• doc: notation Inspect Command line Spec by @vaninrao10 in #500
• test: e2e quickstart test case by @JeyJeyGao in #494
• build(deps): Bump oras.land/oras-go/v2 from 2.0.0-rc.6 to 2.0.0 by @dependabot in #512
• chore: improve warning message when signing or verifying with tag by @priteshbandi in #497
• test: e2e plugin test cases by @JeyJeyGao in #510
• test: e2e sign/verify/trustpolicy test cases by @JeyJeyGao in #496
• test: add unit test for version & trace packages by @JeyJeyGao in #526
• test: add unit test for ioutil package by @JeyJeyGao in #534
• Use new methods introduced in keys.go by @priteshbandi in #529
• bump: go 1.19 to 1.20 by @mintbomb27 in #538
• fix: add error handling for LoadConfigOnce() by @JeyJeyGao in #520
• feat: add support for signed user metadata in notation sign and verify cmds by @byronchien in #507
• Dont access value of default pointer if it is nil by @priteshbandi in #541
• feat: support OCI image manifest by @patrickzheng200 in #509
• doc: update sign.md for OCI image manifest support by @yizha1 in #540
• feat: add support for json output for notation verify by @byronchien in #527
• chore: update sign command descriptions to align with the spec by @patrickzheng200 in #543
• Revert "feat: add support for json output for notation verify (#527)" by @priteshbandi in #551
• fix!: remove short commands by @priteshbandi in #552
• feat: add implementation for notation inspect by @byronchien in #528
• bump: update notation-go and notation-core-go dependency by @priteshbandi in #557
• Added CODEOWNERS and MAINTAINERS files by @toddysm in #542
• build: upgrade version to v1.0.0-rc.2 by @byronchien in #558

New Contributors

• @byronchien made their first contribution in #498
• @vaninrao10 made their first contribution in #500
• @mintbomb27 made their first contribution in #538

Full Changelog: v1.0.0-rc.1...v1.0.0-rc.2

v1.0.0-rc.1

🚀Notation CLI v1.0.0-rc.1 is now available! A tool to sign, store, and verify artifacts! Try it by following the quick start.

Notices

• BREAKING CHANGE: Notation v1.0.0-rc.1 is not compatible with signatures signed by previous Notation releases.
• BREAKING CHANGE: artifactType in signature manifest is changed to application/vnd.cncf.notary.signature
• BREAKING CHANGE: Only support registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec

Features

• Sign artifacts using signing keys stored securely in remote key stores
• Verify signatures using trust store and trust policy with fine-tuned configurations
• Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
• Support two signature envelope formats - JWS and COSE
• Support use of plugins for signing and verification
• Sign and verify using locally stored test keys/certificates for demonstration usage only
• notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
• Command sets in this release
  • notation sign: Sign OCI artifacts
    • Example: notation sign --key myKey localhost:5000/net-monitor@sha256:xxx
  • notation verify: Verify OCI artifacts
    • Example: notation verify localhost:5000/net-monitor@sha256:xxx
  • notation certificate: Manage certificates in trust store for verifying
    • Example: notation certificate add --type ca --store wabbit-networks wabbit-networks.crt
  • notation key: Manage keys used for signing
    • Example: notation key add mykey --plugin myKVplugin --id remoteKeyId
  • notation list: List signatures of the signed artifact
    • Example: notation list localhost:5000/net-monitor@sha256:xxx
  • notation login: Log in to a registry
    • Example: notation login registry.example.com -u username -p password
  • notation logout: Log out from a registry
    • Example: notation logout registry.example.com
  • notation plugin: Manage plugins
    • Example: notation plugin ls
  • notation version: Show the notation version information

Changes since last release

• Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
• notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
• Improved output messages when tags are used to identify the artifacts
• Updated CLI help doc
• Pass expiry to envelope-generator plugin

Detailed Commits

• Update quick start in readme file by @yizha1 in #428
• Bump ossf/scorecard-action from 2.0.4 to 2.0.6 by @dependabot in #411
• Bump actions/upload-artifact from 3.1.0 to 3.1.1 by @dependabot in #412
• Improve error message when default signing key is not set by @priteshbandi in #432
• Removed unreferenced images by @sajayantony in #433
• Feature/issue templates by @toddysm in #435
• Fixed issue with missing text for questions by @toddysm in #442
• Use minimum(user only) file permissions by @priteshbandi in #453
• update: update notation CLI with notation-go refactoring by @patrickzheng200 in #445
• update: updated plugin list command by @patrickzheng200 in #461
• doc: update CLI help doc for notation sign and verify in RC.1 by @FeynmanZhou in #454
• Pass expiry to envelope-generator plugin by @priteshbandi in #458
• spec: update cli sign spec for tag to digest translation by @yizha1 in #439
• spec: update cli verify spec for UX improvement by @yizha1 in #440
• feat: delete old dev release by @JeyJeyGao in #449
• update: updated CLI outputs of sign/verification by @patrickzheng200 in #450
• update: cleaned up dead code in CLI by @patrickzheng200 in #464
• feat: add --debug & --verbose flags & http request/response debug log by @JeyJeyGao in #457
• doc: add CLI help doc to notation key, cert, and notation plugin in RC.1 by @FeynmanZhou in #394
• feat: remove notation certificate/key rm alias by @JeyJeyGao in #467
• build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 by @dependabot in #465
• update: check if verification is skipped by trust policy by @patrickzheng200 in #468
• Build: bump up versions for rc.1 release by @yizha1 in #472

New Contributors

• @toddysm made their first contribution in #435

Full Changelog: v0.12.0-beta.1...v1.0.0-rc.1

v0.12.0-beta.1

Features

• Verify using trust store and trust policy
• Manage trust store using CLI command notation certificate
• Implement notation CLI command per CLI spec
• Support configuration of signature format

Other changes

• Clean up unused features and deprecated code

Changelog

• 965a0b7 Updates for v0.12.0-beta.1 release (#427)
• 24576db doc: remove reference to nv2 (#421)
• 2fef168 build(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#425)
• f0e77eb feat: Added notation certificate command for trust store (#405)
• 8d1d4dc feat: add signatureFormat config field (#400)
• fcba9f1 feat: implement list command UX (#414)
• a08dc9e update: updated notation sign command based on spec (#417)
• 2992190 update: updated notation key command based on spec (#416)
• a41b377 feat: implement login/logout UX (#413)
• 469069e update: updated notation verify command based on spec (#418)
• a219ad5 feat: implement version command (#419)
• 4d8da74 Fix demo docker pull step (#420)
• eb87bc3 Change oras-project/registry tag (#397)
• f947da5 feat: implement plugin UX (#415)
• f747031 Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 (#401)
• 4803a8b spec: update notation cli md file as index for sub-commands (#374)
• 193a533 spec: add CLI notation certificate and key specs (#361)
• 01015b0 update: clean up notation CLI (#404)
• ab20527 spec: add CLI specs for notation list/login/logout/plugin (#362)
• 07bba5f spec: add spec for notation version command (#376)
• ecb0708 spec: add spec for notation verify command (#371)
• 20b9fa2 feat: use new verify workflow (#373)
• eb7e4f4 update release process (#396)
• 080c6bb doc: update doc after new release (#395)

v0.11.0-alpha.4

New Features

• Support COSE signature envelope
• Relax the certificate chain requirement to allow signing with self-signed certificates
• Add CLI spec for notation sign
• Add examples in CLI help doc for notation sign and verify commands

Bug fixes

• Fix #313: deprecated the expiry flag of notation cert generate-test
• Fix #332: fix broken links and refine wording in README.md

Other changes

• Add weekly build for CI
• Update to go 1.19
• Update to oras-go 2.0.0-rc.3
• Improve readability of documents and specs

Detail commits

• ci: add weekly release by @JeyJeyGao in #282
• Update download link and refactor the documentation directory by @FeynmanZhou in #308
• fix: deprecated the expiry flag of notation cert generate-test by @patrickzheng200 in #313
• doc: improve readability of directory spec by @shizhMSFT in #311
• feat: update to go 1.19 by @JeyJeyGao in #327
• Bump oras.land/oras-go/v2 from 2.0.0-rc.2 to 2.0.0-rc.3 by @dependabot in #334
• fix broken links and refine wording in README.md by @FeynmanZhou in #332
• Bump github.com/docker/docker-credential-helpers from 0.6.4 to 0.7.0 by @dependabot in #358
• feat:updating go.mod dependencies for alpha4 by @chloeyin in #357
• add workflow dispatch for dev build by @dtzar in #363
• Add notation sign CLI spec by @yizha1 in #341
• docs: add a note for dependencies in go.mod file. by @yizha1 in #309
• add goreport badge by @dtzar in #367
• add openssf scorecard by @dtzar in #368
• feat: support cose by @chloeyin in #365
• update: updated cert_gen to generate self-signed certificate by @patrickzheng200 in #380
• Bump version and dependencies for notation alpha.4 release by @yizha1 in #378
• doc: add examples in CLI help doc for notation sign and verify by @FeynmanZhou in #384

Full Changelog: v0.10.0-alpha.3...v0.11.0-alpha.4

v0.10.0-alpha.3

New Features

• Support notation login
• Sign images with remote key stores that securely store the signing keys
• Verify signatures using Trust Store configured in Notation clients
• Sign images and verify signatures with locally stored test keys/certificates for demonstration use only
• Setup Trust Store with the new directory-based structure
• Configure Trust Policy as a JSON document. Support for registry scope and signature verification levels to customize the behavior during verification
• Store signatures in registries compliant with the ORAS Artifacts Specification v1.0.0-RC.2

Bug Fixes

• Fix #189: wrong download URL
• Fix #264: hello-signing workflow with a self-generated certificate chain
• Fix #286: allow empty credentials to store config

Removed

• Remove docker-generate and docker-notation

Other Changes

• Migrate to codecov.io
• Add unit tests
• Add CodeQL security scanning
• Refactor: delete pkg/registry directory

Detail Commits

• Update readme for 0.9.0 release by @dtzar in #187
• bump to go 1.18 by @dtzar in #188
• fix mistaken download URL by @FeynmanZhou in #189
• use notation-core-go crypto utils by @rgnote in #180
• Add issues to project action by @dtzar in #195
• Directory Structure Spec by @shizhMSFT in #175
• Run unit tests in Github workflow by @Wwwsylvia in #199
• Add CodeQL Security Scanning by @Wwwsylvia in #198
• Registry Authentication Spec by @shizhMSFT in #192
• refactor: delete pkg/registry directory by @binbin-li in #207
• Update workflow by @Wwwsylvia in #212
• Bump github.com/urfave/cli/v2 from 2.8.1 to 2.10.3 by @dependabot in #209
• Bump github.com/docker/cli from 20.10.14+incompatible to 20.10.17+incompatible by @dependabot in #200
• Baseline CLI reference for subsequent PRs on changes by @SteveLasker in #171
• Sorting commands for clarity #221 by @SteveLasker in #222
• notation login CLI by @SteveLasker in #223
• feat: bump up notation-go to the latest version by @binbin-li in #248
• Use cobra CLI for docker-generate command by @chloeyin in #250
• [Feature] support notation login by @binbin-li in #218
• test: Add unit tests for notation login by @binbin-li in #256
• use cobra for notation CLI by @chloeyin in #255
• Migrate to codecov.io by @junczhuMSFT in #266
• chore: bump up oras-go and notation-go by @binbin-li in #270
• remove docker-generate and docker-notation code by @chloeyin in #269
• Doc update README for codecov badge by @junczhuMSFT in #271
• Remove credential file from spec by @shizhMSFT in #262
• fixed the hello-signing workflow with self-generated certificate chain by @patrickzheng200 in #264
• Directory Structure Implementation by @JeyJeyGao in #265
• fix: allow empty credentials store config by @JeyJeyGao in #286
• add unit test for Notation CLI by @chloeyin in #274
• doc: add missing username/password options to commands by @binbin-li in #293
• bump up version to v0.10.0-alpha.3 by @yizha1 in #301
• fix: update notation-go by @JeyJeyGao in #294
• Build: Bump dependencies by @yizha1 in #306

New Contributors

• @FeynmanZhou made their first contribution in #189
• @rgnote made their first contribution in #180
• @binbin-li made their first contribution in #207
• @junczhuMSFT made their first contribution in #266
• @patrickzheng200 made their first contribution in #264
• @JeyJeyGao made their first contribution in #265
• @yizha1 made their first contribution in #301

Full Changelog: v0.9.0-alpha.1...v0.10.0-alpha.3

v0.9.0-alpha.1

What's Changed

• Update doc for v0.7.1-alpha.1 by @shizhMSFT in #139
• Move to oras-go for registry access by @shizhMSFT in #150
• Contributing guidelines by @marcofranssen in #107
• Bump actions/checkout from 2 to 3 by @dependabot in #152
• Bump actions/cache from 2 to 3 by @dependabot in #155
• Bump github.com/docker/cli from 20.10.8+incompatible to 20.10.14+incompatible by @dependabot in #158
• Bump actions/setup-go from 2 to 3 by @dependabot in #159
• Bump github.com/urfave/cli/v2 from 2.3.0 to 2.4.0 by @dependabot in #156
• Bump github.com/urfave/cli/v2 from 2.4.0 to 2.4.8 by @dependabot in #165
• Update deps links for notation-go by @dtzar in #164
• Support managing plugin keys by @qmuntal in #168
• Add plugin sign capabaility by @qmuntal in #176
• Fix pluginConfig parsing by @qmuntal in #181
• Bump goreleaser/goreleaser-action from 2 to 3 by @dependabot in #178
• Bump github.com/urfave/cli/v2 from 2.4.8 to 2.8.1 by @dependabot in #184
• Bump to go 1.18 by @dtzar in #188
• Update readme for 0.9.0 release by @dtzar in #187

New Contributors

• @dtzar made their first contribution in #164
• @qmuntal made their first contribution in #168

Full Changelog: v0.7.1-alpha.1...v0.9.0-alpha.1

feat-kv-extensibility

Notation supports remote signing, assuring the private keys used for the signing are kept private.
This release represents the work in progress for the pending Signing plugin interface API Spec #26 under the feat-kv-extensibility branch.

Installation

Each tar.gz file in the asset list contains multiple platform versions of the notation binaries built for a specific commit.

Install notation on Linux or WSL

# Choose a binary
timestamp=20220121081115
commit=17c7607

# Download, extract and install
curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/feat-kv-extensibility/notation-feat-kv-extensibility-$timestamp-$commit.tar.gz
tar xvzf notation.tar.gz
tar xvzf notation_0.0.0-SNAPSHOT-${commit}_linux_amd64.tar.gz -C ~/bin notation

Install notation on Windows (Powershell)

# Choose a binary
$timestamp="20220121081115"
$commit="17c7607"

# Download and extract
curl.exe -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/feat-kv-extensibility/notation-feat-kv-extensibility-$timestamp-$commit.tar.gz
tar.exe xvzf notation.tar.gz
Expand-Archive -Path notation_0.0.0-SNAPSHOT-${commit}_windows_amd64.zip

v0.7.1-alpha.1

Alpha 1 release of Notary v2 notation

Documentation 📘

• Getting started with notation
• Installing notation with linux and wsl2

  curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v0.7.1-alpha.1/notation_0.7.1-alpha.1_linux_amd64.tar.gz
  tar xvzf notation.tar.gz -C ~/bin notation

What's Changed

• Remove prototype-2 links from readme by @sajayantony in #103
• Resolve markdown linter warnings by @marcofranssen in #106
• Alpha.1 release updates by @SteveLasker in #111
• Link fix by @SteveLasker in #113
• Fix location parsing by @shizhMSFT in #115
• Correct auth flow by @shizhMSFT in #118
• No default push on local sign by @shizhMSFT in #122
• Support anonymous access by @shizhMSFT in #126
• Document release checklist by @shizhMSFT in #112
• Improve release pipeline by @shizhMSFT in #135
• Bump github.com/opencontainers/image-spec from 1.0.1 to 1.0.2 by @dependabot in #136
• Bump version to v0.7.1-alpha.1 by @shizhMSFT in #138
• Update artifact spec by @shizhMSFT in #133
• No auto-publish on release by @shizhMSFT in #134

New Contributors

• @sajayantony made their first contribution in #103
• @dependabot made their first contribution in #136

Full Changelog: v0.7.0-alpha.1...v0.7.1-alpha.1