v1.2.0-beta.1

Vote PASSED [+4 -0]: #995

New Features

• Support for RFC 3161 compliant Timestamping
  • Introduce two new flags --timestamp-url and --timestamp-root-cert in notation sign command for signing with timestamping, see the notation sign CLI spec for more details.
  • Support a new trust store type tsa in notation certificate command.
  • Support RFC 3161 timestamp verification in the notation verify command with updated trust policy, see the notation verify CLI spec for more details.

Detailed Commits

• 787665f Merge pull request #995 from Two-Hearts/release
• 00af3ce bump: release v1.2.0-beta.1
• bbeb75d bump: bump up dependencies for v1.2.0-beta.1 (#994)
• e604a4f build(deps): Bump golang.org/x/net from 0.22.0 to 0.23.0 (#993)
• a034721 feat: Timestamp (#978)
• 26c0b36 build(deps): Bump github/codeql-action from 3.25.11 to 3.25.13 (#991)
• d8c77d1 build(deps): Bump actions/setup-go from 5.0.1 to 5.0.2 (#986)
• cab4fef docs: update RELEASE_CHECKLIST.md (#713)
• c6636ca build(deps): Bump github/codeql-action from 3.25.8 to 3.25.11 (#980)
• e9ed3d5 build(deps): Bump actions/add-to-project from 1.0.1 to 1.0.2 (#981)
• 214b0b2 build(deps): Bump golang.org/x/term from 0.21.0 to 0.22.0 (#982)
• 2de7110 build(deps): Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#983)
• acf54be build(deps): Bump codecov/codecov-action from 4.4.1 to 4.5.0 (#972)
• ae6ff01 build(deps): Bump actions/checkout from 4.1.6 to 4.1.7 (#970)
• 944c661 build(deps): Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#969)
• 626002a Merge pull request #967 from JeyJeyGao/vote/v1.2.0-alpha.1

Full Changelog: v1.2.0-alpha.1...v1.2.0-beta.1

v1.2.0-alpha.1

Vote PASSED [+4 -0]: #967

New Features

• Support OCI image-spec v1.1.0 and distribution-spec v1.1.0.
  • Introduce a new flag --force-referrers-tag (default to true) to the notation sign command, which allows users opt to the referrers tag schema instead of the referrers API.
  • The notation verify / list / inspect commands will always attempt the referrers API first, automatically falling back to the referrers tag schema if the referrers API is not supported by the registry.

Deprecation

• The experimental flag --allow-referrers-api is deprecated as notation follows distribution-spec v1.1.0.

Other changes

• Improved documentation
• Improved error messages
• Update dependencies with highlights below
  • Update to Golang 1.22
  • Update to notation-go v1.1.1
  • Update to notation-core-go v1.0.3
  • Update to oras-go v2.5.0

Detailed Commits

• bump: tag and release version v1.1.0 by @Two-Hearts in #876
• build(deps): Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #878
• build(deps): Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #879
• build(deps): Bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #877
• bump: bump up oras-go and image-spec by @Two-Hearts in #881
• build(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #883
• build(deps): Bump codecov/codecov-action from 3.1.5 to 4.0.1 by @dependabot in #884
• build(deps): Bump golang.org/x/term from 0.16.0 to 0.17.0 by @dependabot in #886
• build(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #887
• build(deps): Bump codecov/codecov-action from 4.0.1 to 4.0.2 by @dependabot in #896
• build(deps): Bump github/codeql-action from 3.24.0 to 3.24.5 by @dependabot in #895
• build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in #891
• build(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 by @dependabot in #898
• build(deps): Bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #900
• build(deps): Bump actions/add-to-project from 0.5.0 to 0.6.0 by @dependabot in #901
• docs: spec updates for arbitrary blob signing by @rgnote in #811
• build(deps): Bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #899
• build(deps): Bump golang.org/x/term from 0.17.0 to 0.18.0 by @dependabot in #906
• chore: add GitHub action for stale issues and PRs by @yizha1 in #841
• build(deps): Bump github/codeql-action from 3.24.6 to 3.24.7 by @dependabot in #908
• build(deps): Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #907
• build(deps): Bump actions/stale from 8 to 9 by @dependabot in #915
• build(deps): Bump actions/add-to-project from 0.6.0 to 0.6.1 by @dependabot in #912
• build(deps): Bump github/codeql-action from 3.24.7 to 3.24.9 by @dependabot in #913
• build(deps): Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #914
• build(deps): Bump actions/add-to-project from 0.6.1 to 1.0.0 by @dependabot in #918
• build(deps): Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #917
• Moved org maintainers to emeritus by @toddysm in #919
• fix(ci): update codecov token by @JeyJeyGao in #920
• feat: upgrade to OCI 1.1 by @Two-Hearts in #916
• fix: improve error message for --signature-format flag by @JeyJeyGao in #925
• build(deps): Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #922
• build(deps): Bump golang.org/x/term from 0.18.0 to 0.19.0 by @dependabot in #924
• build(deps): Bump codecov/codecov-action from 4.1.1 to 4.3.0 by @dependabot in #927
• build(deps): Bump actions/add-to-project from 1.0.0 to 1.0.1 by @dependabot in #928
• build(deps): Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/e2e by @dependabot in #929
• build(deps): Bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #936
• build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #939
• build(deps): Bump golang.org/x/term from 0.19.0 to 0.20.0 by @dependabot in #940
• build(deps): Bump codecov/codecov-action from 4.3.0 to 4.4.0 by @dependabot in #944
• build(deps): Bump github/codeql-action from 3.24.10 to 3.25.5 by @dependabot in #945
• build(deps): Bump actions/checkout from 4.1.2 to 4.1.6 by @dependabot in #946
• fix: error message for trust policy by @JeyJeyGao in #933
• doc: add Notation CLI Error Handling and Message Guideline by @FeynmanZhou in #834
• build(deps): Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 by @dependabot in #951
• build(deps): Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #950
• build(deps): Bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #949
• build(deps): Bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #948
• build(deps): Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #955
• bump: bump up notation-go v1.1.1 and other dependencies by @JeyJeyGao in #952
• build(deps): Bump golang.org/x/term from 0.20.0 to 0.21.0 by @dependabot in #960
• build(deps): Bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #961
• build(deps): Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 by @dependabot in #962
• fix(ci): update goreleaser to use --clean flag by @JeyJeyGao in #964

Full Changelog: v1.1.0...v1.2.0-alpha.1

v1.1.1

Vote PASSED [+4 -0]: #963

Changes

• Improve documentation
• Improve error messages
• Update dependencies with highlights below
  • Update to Golang 1.22
  • Update to notation-go v1.1.1
  • Update to notation-core-go v1.0.3
  • Update to oras-go v2.5.0

Detailed Commits

• bump: tag and release version v1.1.0 by @Two-Hearts in #876
• build(deps): Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #878
• build(deps): Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #879
• build(deps): Bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #877
• bump: bump up oras-go and image-spec by @Two-Hearts in #881
• build(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #883
• build(deps): Bump codecov/codecov-action from 3.1.5 to 4.0.1 by @dependabot in #884
• build(deps): Bump golang.org/x/term from 0.16.0 to 0.17.0 by @dependabot in #886
• build(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #887
• build(deps): Bump codecov/codecov-action from 4.0.1 to 4.0.2 by @dependabot in #896
• build(deps): Bump github/codeql-action from 3.24.0 to 3.24.5 by @dependabot in #895
• build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in #891
• build(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 by @dependabot in #898
• build(deps): Bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #900
• build(deps): Bump actions/add-to-project from 0.5.0 to 0.6.0 by @dependabot in #901
• docs: spec updates for arbitrary blob signing by @rgnote in #811
• build(deps): Bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #899
• build(deps): Bump golang.org/x/term from 0.17.0 to 0.18.0 by @dependabot in #906
• chore: add GitHub action for stale issues and PRs by @yizha1 in #841
• build(deps): Bump github/codeql-action from 3.24.6 to 3.24.7 by @dependabot in #908
• build(deps): Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #907
• build(deps): Bump actions/stale from 8 to 9 by @dependabot in #915
• build(deps): Bump actions/add-to-project from 0.6.0 to 0.6.1 by @dependabot in #912
• build(deps): Bump github/codeql-action from 3.24.7 to 3.24.9 by @dependabot in #913
• build(deps): Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #914
• build(deps): Bump actions/add-to-project from 0.6.1 to 1.0.0 by @dependabot in #918
• build(deps): Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #917
• Moved org maintainers to emeritus by @toddysm in #919
• fix(ci): update codecov token by @JeyJeyGao in #920
• feat: upgrade to OCI 1.1 by @Two-Hearts in #916
• fix: improve error message for --signature-format flag by @JeyJeyGao in #925
• build(deps): Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #922
• build(deps): Bump golang.org/x/term from 0.18.0 to 0.19.0 by @dependabot in #924
• build(deps): Bump codecov/codecov-action from 4.1.1 to 4.3.0 by @dependabot in #927
• build(deps): Bump actions/add-to-project from 1.0.0 to 1.0.1 by @dependabot in #928
• build(deps): Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/e2e by @dependabot in #929
• build(deps): Bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #936
• build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #939
• build(deps): Bump golang.org/x/term from 0.19.0 to 0.20.0 by @dependabot in #940
• build(deps): Bump codecov/codecov-action from 4.3.0 to 4.4.0 by @dependabot in #944
• build(deps): Bump github/codeql-action from 3.24.10 to 3.25.5 by @dependabot in #945
• build(deps): Bump actions/checkout from 4.1.2 to 4.1.6 by @dependabot in #946
• fix: error message for trust policy by @JeyJeyGao in #933
• doc: add Notation CLI Error Handling and Message Guideline by @FeynmanZhou in #834
• build(deps): Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 by @dependabot in #951
• build(deps): Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #950
• build(deps): Bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #949
• build(deps): Bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #948
• build(deps): Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #955
• bump: bump up notation-go v1.1.1 and other dependencies by @JeyJeyGao in #952
• revert: "feat: upgrade to OCI 1.1 (#916)" by @JeyJeyGao in #958
• build(deps): Bump golang.org/x/term from 0.20.0 to 0.21.0 by @JeyJeyGao in #966

Full Changelog: v1.1.0...v1.1.1

v1.1.0

Vote PASSED [+4 -0]: #876

New Features

• Added new command notation plugin install. Users are now able to install a notation plugin directly from a URL or from their file system. Supported plugin installation formats are .zip, .tar.gz, and single plugin executable file.
• Added new command notation plugin uninstall. Users are now able to uninstall a notation plugin by providing the plugin name.
• Added NOTATION_CONFIG and NOTATION_LIBEXEC environment variables. Users are now able to override the default Notation configuration and plugins directory with these two variables.

Other changes

• Improved UX and error messages.
• Improved documentation.
• Updated dependencies
  • Update to Golang 1.21
  • Update to notation-go v1.1.0
  • Update to notation-core-go v1.0.2
  • Update to oras-go v2.3.1

Detailed Commits

• feat: update notation cert list command output by @Two-Hearts in #798
• fix: fix the license check by @Two-Hearts in #826
• bump: bump up to go version 1.21 by @Two-Hearts in #833
• doc: update plugin spec by @FeynmanZhou in #809
• build(deps): Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot in #823
• build(deps): Bump github/codeql-action from 2.22.5 to 2.22.7 by @dependabot in #835
• Correct broken link to quick start guide by @rcrozean in #831
• chore: update tag to digest by @yizha1 in #837
• feat: add notation plugin uninstall command by @Two-Hearts in #842
• chore: update references with the tag version by @yizha1 in #836
• build(deps): Bump golang.org/x/term from 0.13.0 to 0.15.0 by @dependabot in #843
• build(deps): Bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #845
• build(deps): Bump github/codeql-action from 2.22.7 to 2.22.9 by @dependabot in #846
• build(deps): Bump golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #850
• build(deps): Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/e2e/plugin by @dependabot in #849
• build(deps): Bump github/codeql-action from 2.22.9 to 3.22.11 by @dependabot in #847
• build(deps): Bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #848
• feat: notation plugin install command by @Two-Hearts in #827
• feat: add notation config environment variable by @JeyJeyGao in #821
• fix: fix bug in SetHTTPDebugLog by @Two-Hearts in #857
• fix: notation plugin install error messages and tests by @Two-Hearts in #855
• build(deps): Bump github/codeql-action from 3.22.11 to 3.22.12 by @dependabot in #854
• Updated CODEOWNERS and MAINTAINERS files by @toddysm in #862
• build(deps): Bump golang.org/x/term from 0.15.0 to 0.16.0 by @dependabot in #860
• bump: bump up notation-go by @Two-Hearts in #863
• build(deps): Bump actions/cache from 3.3.2 to 3.3.3 by @dependabot in #866
• build(deps): Bump github/codeql-action from 3.22.12 to 3.23.0 by @dependabot in #865
• build(deps): Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #864
• fix: improve error message for plugin by @JeyJeyGao in #870
• build(deps): Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #872
• build(deps): Bump actions/cache from 3.3.3 to 4.0.0 by @dependabot in #873
• build(deps): Bump github/codeql-action from 3.23.0 to 3.23.1 by @dependabot in #874
• bump: bump up notation-go and notation-core-go including e2e tests by @Two-Hearts in #875

New Contributors

• @rcrozean made their first contribution in #831

Full Changelog: v1.0.0...v1.1.0

v1.0.1

Vote PASSED [+4 -0]: #820

Changes

• Improve UX and error messages
• Improve documentation
• Update dependencies
  • Update to notation-go v1.0.1
  • Update to notation-core-go v1.0.1
  • Update to oras-credentials-go v0.3.1 for legacy docker config support (resolves #801)

Detailed Commits

• build(deps): Bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #761
• build(deps): Bump github/codeql-action from 2.21.0 to 2.21.3 by @dependabot in #762
• build(deps): Bump golang.org/x/term from 0.10.0 to 0.11.0 by @dependabot in #758
• build(deps): Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in #763
• chore: fixed workflow go version by @Two-Hearts in #760
• docs: update readme from feedback from #750 by @sajayantony in #757
• chore: quick fix on notation policy command print out by @Two-Hearts in #764
• doc: update release management for 1.0 by @priteshbandi in #714
• build(deps): Bump github/codeql-action from 2.21.3 to 2.21.4 by @dependabot in #766
• build(deps): Bump github/codeql-action from 2.21.4 to 2.21.5 by @dependabot in #774
• build(deps): Bump golang.org/x/term from 0.11.0 to 0.12.0 by @dependabot in #775
• build(deps): Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #780
• build(deps): Bump actions/checkout from 3.5.3 to 4.0.0 by @dependabot in #781
• build(deps): Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 by @dependabot in #782
• build(deps): Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #779
• fix: fix trust policy import by @Two-Hearts in #794
• build(deps): Bump golang.org/x/term from 0.12.0 to 0.13.0 by @dependabot in #795
• build(deps): Bump github/codeql-action from 2.21.5 to 2.22.0 by @dependabot in #797
• build(deps): Bump ossf/scorecard-action from 2.2.0 to 2.3.0 by @dependabot in #796
• build(deps): Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #789
• build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc4 to 1.1.0-rc5 by @dependabot in #786
• build(deps): Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 by @dependabot in #785
• fix: Code scanning issues by @JeyJeyGao in #799
• fix: legacy docker config support by @JeyJeyGao in #803
• build(deps): Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/e2e by @dependabot in #800
• build(deps): Bump oras.land/oras-go/v2 from 2.2.1 to 2.3.0 by @dependabot in #776
• build(deps): Bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #805
• docs: fix broken links by @suzuki-shunsuke in #787
• fix: improve error messages of notation CLI by @Two-Hearts in #810
• bump: update dependencies by @Two-Hearts in #815
• build(deps): Bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #814
• build(deps): Bump github/codeql-action from 2.22.0 to 2.22.5 by @dependabot in #813
• bump: bump up dependencies including E2E tests by @Two-Hearts in #818
• fix: add "release-*" to workflows trigger events by @Two-Hearts in #819

New Contributors

• @suzuki-shunsuke made their first contribution in #787

Full Changelog: v1.0.0...v1.0.1

v1.0.0

Notation CLI V1

notation is a CLI reference implementation of the Notary Project Specifications v1.0.0 to sign and verify artifacts with signatures as standard items in the OCI registry ecosystem. After a long journey of development, notation has reached a notable milestone for its first stable release v1.0.0. 🎉🎉🎉

Important

Experimental features are intended for testing and evaluation purposes only and should not be used in production environments. Experimental features can be enabled by setting the environment variable NOTATION_EXPERIMENTAL=1.

Release blog posts of previous RC versions can be found at notaryproject.dev.

Key Features

• Sign and verify artifacts as well as list and inspect signatures stored in OCI-compliant registries
  • Support JWS and COSE signature formats
  • Compliant with image-spec v1.0.2
  • Compliant with distribution-spec v1.0.1
  • Compatible with image-spec v1.1.0-rc4
  • Compatible with distribution-spec v1.1.0-rc3 (limited to referrers tag schema)
• Support signing and verification plugins
  • Support signing using Key Management System (KMS)
• Support signing and verification with user-defined metadata
• Support authentation to registries using docker credential stores
• Verify artifact using trust policy and trust store with fine-tuned configurations
• Support certificate revocation via OCSP

Experimental Features

• Compliant with distribution-spec v1.1.0-rc1
• Sign and verify artifacts as well as list signatures stored in OCI image layout

Security Audit

• Security audit report in 2023
• Fuzz testing audit in 2023

What's Changed Since RC.7

Bug Fixes

• Fix #696: desktop.exe credential store is not supported in WSL
• Fix #697: notation login fails to detect existing credentials for docker.io

Other Changes

• Minor security improvements (#746)
• Better code quality with more E2E tests cases
• Better debug tracing
• Dependency updates

Detailed Commits

• fix(test): E2E test cases for OCI layout by @JeyJeyGao in #692
• build(deps): Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 by @dependabot in #702
• fix: fix the issue with getting credentials for docker.io by @Wwwsylvia in #703
• build(deps): Bump github.com/notaryproject/notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 in /test/e2e/plugin by @dependabot in #710
• fix: Updating documentation with AWS Plugin support by @priteshbandi in #711
• fix: login and logout will leverage docker config and os default store by @Wwwsylvia in #712
• chore: update issue templates by @yizha1 in #594
• bump: bump oras-credentials-go v0.2.0 by @wangxiaoxuan273 in #717
• build(deps): Bump golang.org/x/term from 0.8.0 to 0.9.0 by @dependabot in #716
• fix(e2e): update testdata OCI layout images by @JeyJeyGao in #727
• build(deps): Bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #724
• [StepSecurity] ci: Harden GitHub Actions for fixing Pinned-Dependencies by @step-security-bot in #731
• [StepSecurity] ci: Harden GitHub Actions for fixing Token-Permissions by @step-security-bot in #730
• build(deps): Bump oras.land/oras-go/v2 from 2.2.0 to 2.2.1 by @dependabot in #735
• chore: add license header to files and github action workflow to check license by @Two-Hearts in #739
• build(deps): Bump golang.org/x/term from 0.9.0 to 0.10.0 by @dependabot in #734
• build(deps): Bump actions/checkout from 3.0.2 to 3.5.3 by @dependabot in #737
• build(deps): Bump actions/add-to-project from 0da8e46333d7b6e01d0e857452a1e99cb47be205 to edc057aef96b993afe5d68104418f68a536264aa by @dependabot in #745
• build(deps): Bump github/codeql-action from 2.20.1 to 2.20.4 by @dependabot in #742
• fix: unset NOTATION_USERNAME and NOTATION_PASSWORD to avoid leaking credentials to plugin by @JeyJeyGao in #746
• feat: add trace for executables by @wangxiaoxuan273 in #744
• build(deps): Bump github.com/notaryproject/notation-core-go from 1.0.0-rc.4 to 1.0.0 by @dependabot in #752
• build(deps): Bump github/codeql-action from 2.20.4 to 2.21.0 by @dependabot in #751
• bump: upgrade notation-go to v1.0.0 by @shizhMSFT in #754
• doc: update README to align with the new brand name by @FeynmanZhou in #750
• bump: tag and release v1.0.0 by @shizhMSFT in #748

New Contributors

• @wangxiaoxuan273 made their first contribution in #717
• @step-security-bot made their first contribution in #731

Full Changelog: v1.0.0-rc.7...v1.0.0

v1.0.0-rc.7

🚀Notation CLI v1.0.0-rc.7 is now available!

Note: This release is identical to v1.0.0-rc.6 except that it contain's a e2e test bug fix.

What's Changed

• ebfb9ef build: bump version to rc.7 (#691)
• e3f96ed fix: fixed e2e test after dependency bump up (#690)

Full Changelog: v1.0.0-rc.6...v1.0.0-rc.7

v1.0.0-rc.6

🚀Notation CLI v1.0.0-rc.6 is now available!

What's Changed

• doc: add link to README to docs for clarity by @zr-msft in #636
• doc: improve error output in notation key and notation cert by @FeynmanZhou in #606
• test: generate e2e coverage profile by @qweeah in #669
• doc: update building guide by @JeyJeyGao in #563
• fix: fixed global variable verifier by @Two-Hearts in #676
• update: renamed flag --plain-http to --insecure-registry by @Two-Hearts in #674
• chore: update account info for Patrick Zheng by @yizha1 in #672
• build(deps): Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 by @dependabot in #678
• refactor: use oras-credentials-go for credential management by @Wwwsylvia in #654
• chore: updated warning printout logic for Sign with --allow-referrers-api flag by @Two-Hearts in #682
• test: add e2e test cases for flag --insecure-registry by @JeyJeyGao in #679
• update: based on spec, updated messages of notation key command by @Two-Hearts in #684
• fix: added digest check on resolve ref by @Two-Hearts in #689
• build: bump up versions and dependencies by @priteshbandi in #685

Full Changelog: v1.0.0-rc.5...v1.0.0-rc.6

v1.0.0-rc.5

🚀Notation CLI v1.0.0-rc.5 is now available!

What's Changed

• chore: update the examples of sign and verify by @patrickzheng200 in #650
• test: skip non-applicable unit tests on Windows by @JeyJeyGao in #651
• fix: Improve output when there is no signature associated by @priteshbandi in #666
• update: align Notation with OCI specs by @Two-Hearts in #663
• fix: update sha1 to sha256 and other chores by @priteshbandi in #665
• build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc2 to 1.1.0-rc.3 by @dependabot in #656
• build(deps): Bump golang.org/x/term from 0.7.0 to 0.8.0 by @dependabot in #658
• build: bump up versions and dependencies by @priteshbandi in #670

New Contributors

• @Two-Hearts made their first contribution in #663

Full Changelog: v1.0.0-rc.4...v1.0.0-rc.5

v1.0.0-rc.4

🚀Notation CLI v1.0.0-rc.4 is now available!

Features

• Support validating certificate revocation with Online Certificate Status Protocol (OCSP)
• Introduce switch NOTATION_EXPERIMENTAL=1 to enable experimental features
• Introduce new CLI command notation policy to simplify trust policy configuration
• Support OCI distribution referrers API
• Introduce signing, listing and verification with OCI image layout as experimental feature
• Experimental flag --signature-manifest for notation sign command is now controlled by switch NOTATION_EXPERIMENTAL=1

Other Changes

• Support username and password prompt using notation login command
• Bug fixes

Detailed Commits

• doc: create CLI spec for managing trust policies (phase 1) by @yizha1 in #568
• build(deps): Bump golang.org/x/net from 0.1.0 to 0.7.0 in /test/e2e by @dependabot in #561
• build(deps): Bump oras.land/oras-go/v2 from 2.0.0 to 2.0.2 by @dependabot in #592
• build(deps): Bump actions/setup-go from 3 to 4 by @dependabot in #591
• feat: use Referrers API per OCI v1.1 spec by @patrickzheng200 in #602
• doc(spec): add subcommands to Notation plugin spec by @duffney in #555
• chore: remove Notary v2 reference in CLI repo by @patrickzheng200 in #603
• feat: add show and import for trust policy management by @qweeah in #593
• feat: Support username and password prompt in login by @ningziwen in #566
• build(deps): Bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in #612
• feat: introduce experimental feature switch by @qweeah in #613
• fix: added warning for dangling referrers index deletion by @patrickzheng200 in #619
• doc: remove preview mark from policy commands by @qweeah in #629
• build(deps): Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #626
• doc: update spec for feature sign/verify local images by @yizha1 in #601
• fix: fixing cert command by @patrickzheng200 in #627
• feat: add local sign/list/verification for OCI layout directory by @patrickzheng200 in #595
• doc: add an example to CLI help info for notation sign by @FeynmanZhou in #585
• build(deps): Bump golang.org/x/term from 0.5.0 to 0.7.0 by @dependabot in #632
• fix: fixed notation/test/e2e/suite/plugin by @patrickzheng200 in #639
• build: bump up versions and dependencies by @yizha1 in #643

New Contributors

• @qweeah made their first contribution in #593
• @ningziwen made their first contribution in #566

Full Changelog: v1.0.0-rc.3...v1.0.0-rc.4