v1.0.0

Notation CLI V1

notation is a CLI reference implementation of the Notary Project Specifications v1.0.0 to sign and verify artifacts with signatures as standard items in the OCI registry ecosystem. After a long journey of development, notation has reached a notable milestone for its first stable release v1.0.0. 🎉🎉🎉

Important

Experimental features are intended for testing and evaluation purposes only and should not be used in production environments. Experimental features can be enabled by setting the environment variable NOTATION_EXPERIMENTAL=1.

Release blog posts of previous RC versions can be found at notaryproject.dev.

Key Features

• Sign and verify artifacts as well as list and inspect signatures stored in OCI-compliant registries
  • Support JWS and COSE signature formats
  • Compliant with image-spec v1.0.2
  • Compliant with distribution-spec v1.0.1
  • Compatible with image-spec v1.1.0-rc4
  • Compatible with distribution-spec v1.1.0-rc3 (limited to referrers tag schema)
• Support signing and verification plugins
  • Support signing using Key Management System (KMS)
• Support signing and verification with user-defined metadata
• Support authentation to registries using docker credential stores
• Verify artifact using trust policy and trust store with fine-tuned configurations
• Support certificate revocation via OCSP

Experimental Features

• Compliant with distribution-spec v1.1.0-rc1
• Sign and verify artifacts as well as list signatures stored in OCI image layout

Security Audit

• Security audit report in 2023
• Fuzz testing audit in 2023

What's Changed Since RC.7

Bug Fixes

• Fix #696: desktop.exe credential store is not supported in WSL
• Fix #697: notation login fails to detect existing credentials for docker.io

Other Changes

• Minor security improvements (#746)
• Better code quality with more E2E tests cases
• Better debug tracing
• Dependency updates

Detailed Commits

• fix(test): E2E test cases for OCI layout by @JeyJeyGao in #692
• build(deps): Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 by @dependabot in #702
• fix: fix the issue with getting credentials for docker.io by @Wwwsylvia in #703
• build(deps): Bump github.com/notaryproject/notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 in /test/e2e/plugin by @dependabot in #710
• fix: Updating documentation with AWS Plugin support by @priteshbandi in #711
• fix: login and logout will leverage docker config and os default store by @Wwwsylvia in #712
• chore: update issue templates by @yizha1 in #594
• bump: bump oras-credentials-go v0.2.0 by @wangxiaoxuan273 in #717
• build(deps): Bump golang.org/x/term from 0.8.0 to 0.9.0 by @dependabot in #716
• fix(e2e): update testdata OCI layout images by @JeyJeyGao in #727
• build(deps): Bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #724
• [StepSecurity] ci: Harden GitHub Actions for fixing Pinned-Dependencies by @step-security-bot in #731
• [StepSecurity] ci: Harden GitHub Actions for fixing Token-Permissions by @step-security-bot in #730
• build(deps): Bump oras.land/oras-go/v2 from 2.2.0 to 2.2.1 by @dependabot in #735
• chore: add license header to files and github action workflow to check license by @Two-Hearts in #739
• build(deps): Bump golang.org/x/term from 0.9.0 to 0.10.0 by @dependabot in #734
• build(deps): Bump actions/checkout from 3.0.2 to 3.5.3 by @dependabot in #737
• build(deps): Bump actions/add-to-project from 0da8e46333d7b6e01d0e857452a1e99cb47be205 to edc057aef96b993afe5d68104418f68a536264aa by @dependabot in #745
• build(deps): Bump github/codeql-action from 2.20.1 to 2.20.4 by @dependabot in #742
• fix: unset NOTATION_USERNAME and NOTATION_PASSWORD to avoid leaking credentials to plugin by @JeyJeyGao in #746
• feat: add trace for executables by @wangxiaoxuan273 in #744
• build(deps): Bump github.com/notaryproject/notation-core-go from 1.0.0-rc.4 to 1.0.0 by @dependabot in #752
• build(deps): Bump github/codeql-action from 2.20.4 to 2.21.0 by @dependabot in #751
• bump: upgrade notation-go to v1.0.0 by @shizhMSFT in #754
• doc: update README to align with the new brand name by @FeynmanZhou in #750
• bump: tag and release v1.0.0 by @shizhMSFT in #748

New Contributors

• @wangxiaoxuan273 made their first contribution in #717
• @step-security-bot made their first contribution in #731

Full Changelog: v1.0.0-rc.7...v1.0.0

v1.0.0-rc.7

🚀Notation CLI v1.0.0-rc.7 is now available!

Note: This release is identical to v1.0.0-rc.6 except that it contain's a e2e test bug fix.

What's Changed

• ebfb9ef build: bump version to rc.7 (#691)
• e3f96ed fix: fixed e2e test after dependency bump up (#690)

Full Changelog: v1.0.0-rc.6...v1.0.0-rc.7

v1.0.0-rc.6

🚀Notation CLI v1.0.0-rc.6 is now available!

What's Changed

• doc: add link to README to docs for clarity by @zr-msft in #636
• doc: improve error output in notation key and notation cert by @FeynmanZhou in #606
• test: generate e2e coverage profile by @qweeah in #669
• doc: update building guide by @JeyJeyGao in #563
• fix: fixed global variable verifier by @Two-Hearts in #676
• update: renamed flag --plain-http to --insecure-registry by @Two-Hearts in #674
• chore: update account info for Patrick Zheng by @yizha1 in #672
• build(deps): Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 by @dependabot in #678
• refactor: use oras-credentials-go for credential management by @Wwwsylvia in #654
• chore: updated warning printout logic for Sign with --allow-referrers-api flag by @Two-Hearts in #682
• test: add e2e test cases for flag --insecure-registry by @JeyJeyGao in #679
• update: based on spec, updated messages of notation key command by @Two-Hearts in #684
• fix: added digest check on resolve ref by @Two-Hearts in #689
• build: bump up versions and dependencies by @priteshbandi in #685

Full Changelog: v1.0.0-rc.5...v1.0.0-rc.6

v1.0.0-rc.5

🚀Notation CLI v1.0.0-rc.5 is now available!

What's Changed

• chore: update the examples of sign and verify by @patrickzheng200 in #650
• test: skip non-applicable unit tests on Windows by @JeyJeyGao in #651
• fix: Improve output when there is no signature associated by @priteshbandi in #666
• update: align Notation with OCI specs by @Two-Hearts in #663
• fix: update sha1 to sha256 and other chores by @priteshbandi in #665
• build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc2 to 1.1.0-rc.3 by @dependabot in #656
• build(deps): Bump golang.org/x/term from 0.7.0 to 0.8.0 by @dependabot in #658
• build: bump up versions and dependencies by @priteshbandi in #670

New Contributors

• @Two-Hearts made their first contribution in #663

Full Changelog: v1.0.0-rc.4...v1.0.0-rc.5

v1.0.0-rc.4

🚀Notation CLI v1.0.0-rc.4 is now available!

Features

• Support validating certificate revocation with Online Certificate Status Protocol (OCSP)
• Introduce switch NOTATION_EXPERIMENTAL=1 to enable experimental features
• Introduce new CLI command notation policy to simplify trust policy configuration
• Support OCI distribution referrers API
• Introduce signing, listing and verification with OCI image layout as experimental feature
• Experimental flag --signature-manifest for notation sign command is now controlled by switch NOTATION_EXPERIMENTAL=1

Other Changes

• Support username and password prompt using notation login command
• Bug fixes

Detailed Commits

• doc: create CLI spec for managing trust policies (phase 1) by @yizha1 in #568
• build(deps): Bump golang.org/x/net from 0.1.0 to 0.7.0 in /test/e2e by @dependabot in #561
• build(deps): Bump oras.land/oras-go/v2 from 2.0.0 to 2.0.2 by @dependabot in #592
• build(deps): Bump actions/setup-go from 3 to 4 by @dependabot in #591
• feat: use Referrers API per OCI v1.1 spec by @patrickzheng200 in #602
• doc(spec): add subcommands to Notation plugin spec by @duffney in #555
• chore: remove Notary v2 reference in CLI repo by @patrickzheng200 in #603
• feat: add show and import for trust policy management by @qweeah in #593
• feat: Support username and password prompt in login by @ningziwen in #566
• build(deps): Bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in #612
• feat: introduce experimental feature switch by @qweeah in #613
• fix: added warning for dangling referrers index deletion by @patrickzheng200 in #619
• doc: remove preview mark from policy commands by @qweeah in #629
• build(deps): Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #626
• doc: update spec for feature sign/verify local images by @yizha1 in #601
• fix: fixing cert command by @patrickzheng200 in #627
• feat: add local sign/list/verification for OCI layout directory by @patrickzheng200 in #595
• doc: add an example to CLI help info for notation sign by @FeynmanZhou in #585
• build(deps): Bump golang.org/x/term from 0.5.0 to 0.7.0 by @dependabot in #632
• fix: fixed notation/test/e2e/suite/plugin by @patrickzheng200 in #639
• build: bump up versions and dependencies by @yizha1 in #643

New Contributors

• @qweeah made their first contribution in #593
• @ningziwen made their first contribution in #566

Full Changelog: v1.0.0-rc.3...v1.0.0-rc.4

v1.0.0-rc.3

🚀Notation CLI v1.0.0-rc.3 is now available!

Notices

• BREAKING CHANGE: The default type of signature manifest is changed to image manifest. The flag --signature-manifest for notation sign command is experimental for users to store signatures using artifact manifest.

New Features

• notation sign command supports new flags to sign artifacts using on-demand keys
  • Example: notation sign --id <key_id> --plugin <key_vault_plugin> localhost:5000/net-monitor@sha256:xxx

Detailed Commits

• update: changed Sign to use OCI image manifest as default by @patrickzheng200 in #573
• feat(doc): simplify signing experience by @priteshbandi in #553
• doc: add label and notes for experimental features by @yizha1 in #577
• update: added [Experimental] label to the --signature-manifest flag by @patrickzheng200 in #580
• feat: simplify signing experience by @kody-kimberl in #579
• build: bump up version to v1.0.0-rc.3 by @yizha1 in #583

New Contributors

• @kody-kimberl made their first contribution in #579

Full Changelog: v1.0.0-rc.2.dev.20230226...v1.0.0-rc.3

v1.0.0-rc.2.dev.20230226

Notation Weekly Dev Build (2023-02-26T16:03:22Z)

Welcome to this Weekly Dev Build!

Changelog

• e47cf12 fix: fix the CODEOWNERS format issue (#564)

v1.0.0-rc.2

🚀Notation CLI v1.0.0-rc.2 is now available!

New Features

• New command for users to inspect signatures associated with signed artifacts
  • Example: notation inspect localhost:5000/net-monitor@sha256:xxx
• Support storing signatures in the registry using OCI image manifest
  • Example: notation sign --key mykey --signature-manifest image localhost:5000/net-monitor@sha256:xxx
• Support adding user defined metadata to signature payload
  • Example: notation sign --key mykey --user-metadata io.wabbit-networks.buildTime=1672944615 localhost:5000/net-monitor@sha256:xxx

Other Changes

• Introduced E2E testing framework and new E2E test cases
• Add --debug and --verbose flags for more commands
• Improved error messaging
• Bug fixes

Detailed Commits

• fix: add verification failed log by @JeyJeyGao in #469
• update: refactored notation list command by @patrickzheng200 in #481
• build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.5 to 2.0.0-rc.6 by @dependabot in #488
• build(deps): bump goreleaser/goreleaser-action from 3 to 4 by @dependabot in #487
• build(deps): bump dev-drprasad/delete-older-releases from 0.2.0 to 0.2.1 by @dependabot in #480
• build(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 by @dependabot in #486
• cleanup: clean up notation CLI by @patrickzheng200 in #485
• Fix: fixed notation cert command by @patrickzheng200 in #483
• update: added log to notation login and logout commands by @patrickzheng200 in #484
• update: added log to notation key and certificate commands by @patrickzheng200 in #478
• build(deps): Bump ossf/scorecard-action from 2.1.0 to 2.1.2 by @dependabot in #495
• doc: Remove outdated docs by @FeynmanZhou in #501
• test: e2e framework by @JeyJeyGao in #493
• build(deps): Bump actions/upload-artifact from 3.1.1 to 3.1.2 by @dependabot in #504
• doc: update notation sign and verify spec for metadata by @byronchien in #498
• doc: update to support OCI image manifest by @yizha1 in #502
• doc: notation Inspect Command line Spec by @vaninrao10 in #500
• test: e2e quickstart test case by @JeyJeyGao in #494
• build(deps): Bump oras.land/oras-go/v2 from 2.0.0-rc.6 to 2.0.0 by @dependabot in #512
• chore: improve warning message when signing or verifying with tag by @priteshbandi in #497
• test: e2e plugin test cases by @JeyJeyGao in #510
• test: e2e sign/verify/trustpolicy test cases by @JeyJeyGao in #496
• test: add unit test for version & trace packages by @JeyJeyGao in #526
• test: add unit test for ioutil package by @JeyJeyGao in #534
• Use new methods introduced in keys.go by @priteshbandi in #529
• bump: go 1.19 to 1.20 by @mintbomb27 in #538
• fix: add error handling for LoadConfigOnce() by @JeyJeyGao in #520
• feat: add support for signed user metadata in notation sign and verify cmds by @byronchien in #507
• Dont access value of default pointer if it is nil by @priteshbandi in #541
• feat: support OCI image manifest by @patrickzheng200 in #509
• doc: update sign.md for OCI image manifest support by @yizha1 in #540
• feat: add support for json output for notation verify by @byronchien in #527
• chore: update sign command descriptions to align with the spec by @patrickzheng200 in #543
• Revert "feat: add support for json output for notation verify (#527)" by @priteshbandi in #551
• fix!: remove short commands by @priteshbandi in #552
• feat: add implementation for notation inspect by @byronchien in #528
• bump: update notation-go and notation-core-go dependency by @priteshbandi in #557
• Added CODEOWNERS and MAINTAINERS files by @toddysm in #542
• build: upgrade version to v1.0.0-rc.2 by @byronchien in #558

New Contributors

• @byronchien made their first contribution in #498
• @vaninrao10 made their first contribution in #500
• @mintbomb27 made their first contribution in #538

Full Changelog: v1.0.0-rc.1...v1.0.0-rc.2

v1.0.0-rc.1

🚀Notation CLI v1.0.0-rc.1 is now available! A tool to sign, store, and verify artifacts! Try it by following the quick start.

Notices

• BREAKING CHANGE: Notation v1.0.0-rc.1 is not compatible with signatures signed by previous Notation releases.
• BREAKING CHANGE: artifactType in signature manifest is changed to application/vnd.cncf.notary.signature
• BREAKING CHANGE: Only support registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec

Features

• Sign artifacts using signing keys stored securely in remote key stores
• Verify signatures using trust store and trust policy with fine-tuned configurations
• Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
• Support two signature envelope formats - JWS and COSE
• Support use of plugins for signing and verification
• Sign and verify using locally stored test keys/certificates for demonstration usage only
• notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
• Command sets in this release
  • notation sign: Sign OCI artifacts
    • Example: notation sign --key myKey localhost:5000/net-monitor@sha256:xxx
  • notation verify: Verify OCI artifacts
    • Example: notation verify localhost:5000/net-monitor@sha256:xxx
  • notation certificate: Manage certificates in trust store for verifying
    • Example: notation certificate add --type ca --store wabbit-networks wabbit-networks.crt
  • notation key: Manage keys used for signing
    • Example: notation key add mykey --plugin myKVplugin --id remoteKeyId
  • notation list: List signatures of the signed artifact
    • Example: notation list localhost:5000/net-monitor@sha256:xxx
  • notation login: Log in to a registry
    • Example: notation login registry.example.com -u username -p password
  • notation logout: Log out from a registry
    • Example: notation logout registry.example.com
  • notation plugin: Manage plugins
    • Example: notation plugin ls
  • notation version: Show the notation version information

Changes since last release

• Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
• notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
• Improved output messages when tags are used to identify the artifacts
• Updated CLI help doc
• Pass expiry to envelope-generator plugin

Detailed Commits

• Update quick start in readme file by @yizha1 in #428
• Bump ossf/scorecard-action from 2.0.4 to 2.0.6 by @dependabot in #411
• Bump actions/upload-artifact from 3.1.0 to 3.1.1 by @dependabot in #412
• Improve error message when default signing key is not set by @priteshbandi in #432
• Removed unreferenced images by @sajayantony in #433
• Feature/issue templates by @toddysm in #435
• Fixed issue with missing text for questions by @toddysm in #442
• Use minimum(user only) file permissions by @priteshbandi in #453
• update: update notation CLI with notation-go refactoring by @patrickzheng200 in #445
• update: updated plugin list command by @patrickzheng200 in #461
• doc: update CLI help doc for notation sign and verify in RC.1 by @FeynmanZhou in #454
• Pass expiry to envelope-generator plugin by @priteshbandi in #458
• spec: update cli sign spec for tag to digest translation by @yizha1 in #439
• spec: update cli verify spec for UX improvement by @yizha1 in #440
• feat: delete old dev release by @JeyJeyGao in #449
• update: updated CLI outputs of sign/verification by @patrickzheng200 in #450
• update: cleaned up dead code in CLI by @patrickzheng200 in #464
• feat: add --debug & --verbose flags & http request/response debug log by @JeyJeyGao in #457
• doc: add CLI help doc to notation key, cert, and notation plugin in RC.1 by @FeynmanZhou in #394
• feat: remove notation certificate/key rm alias by @JeyJeyGao in #467
• build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 by @dependabot in #465
• update: check if verification is skipped by trust policy by @patrickzheng200 in #468
• Build: bump up versions for rc.1 release by @yizha1 in #472

New Contributors

• @toddysm made their first contribution in #435

Full Changelog: v0.12.0-beta.1...v1.0.0-rc.1

v0.12.0-beta.1

Features

• Verify using trust store and trust policy
• Manage trust store using CLI command notation certificate
• Implement notation CLI command per CLI spec
• Support configuration of signature format

Other changes

• Clean up unused features and deprecated code

Changelog

• 965a0b7 Updates for v0.12.0-beta.1 release (#427)
• 24576db doc: remove reference to nv2 (#421)
• 2fef168 build(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#425)
• f0e77eb feat: Added notation certificate command for trust store (#405)
• 8d1d4dc feat: add signatureFormat config field (#400)
• fcba9f1 feat: implement list command UX (#414)
• a08dc9e update: updated notation sign command based on spec (#417)
• 2992190 update: updated notation key command based on spec (#416)
• a41b377 feat: implement login/logout UX (#413)
• 469069e update: updated notation verify command based on spec (#418)
• a219ad5 feat: implement version command (#419)
• 4d8da74 Fix demo docker pull step (#420)
• eb87bc3 Change oras-project/registry tag (#397)
• f947da5 feat: implement plugin UX (#415)
• f747031 Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 (#401)
• 4803a8b spec: update notation cli md file as index for sub-commands (#374)
• 193a533 spec: add CLI notation certificate and key specs (#361)
• 01015b0 update: clean up notation CLI (#404)
• ab20527 spec: add CLI specs for notation list/login/logout/plugin (#362)
• 07bba5f spec: add spec for notation version command (#376)
• ecb0708 spec: add spec for notation verify command (#371)
• 20b9fa2 feat: use new verify workflow (#373)
• eb7e4f4 update release process (#396)
• 080c6bb doc: update doc after new release (#395)