Releases: notaryproject/notation
v1.0.0-rc.5
🚀Notation CLI v1.0.0-rc.5 is now available!
What's Changed
- chore: update the examples of sign and verify by @patrickzheng200 in #650
- test: skip non-applicable unit tests on Windows by @JeyJeyGao in #651
- fix: Improve output when there is no signature associated by @priteshbandi in #666
- update: align Notation with OCI specs by @Two-Hearts in #663
- fix: update sha1 to sha256 and other chores by @priteshbandi in #665
- build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc2 to 1.1.0-rc.3 by @dependabot in #656
- build(deps): Bump golang.org/x/term from 0.7.0 to 0.8.0 by @dependabot in #658
- build: bump up versions and dependencies by @priteshbandi in #670
New Contributors
- @Two-Hearts made their first contribution in #663
Full Changelog: v1.0.0-rc.4...v1.0.0-rc.5
v1.0.0-rc.4
🚀Notation CLI v1.0.0-rc.4 is now available!
Features
- Support validating certificate revocation with Online Certificate Status Protocol (OCSP)
- Introduce switch NOTATION_EXPERIMENTAL=1 to enable experimental features
- Introduce new CLI command notation policy to simplify trust policy configuration
- Support OCI distribution referrers API
- Introduce signing, listing and verification with OCI image layout as experimental feature
- Experimental flag --signature-manifest for notation sign command is now controlled by switch NOTATION_EXPERIMENTAL=1
Other Changes
- Support username and password prompt using notation login command
- Bug fixes
Detailed Commits
- doc: create CLI spec for managing trust policies (phase 1) by @yizha1 in #568
- build(deps): Bump golang.org/x/net from 0.1.0 to 0.7.0 in /test/e2e by @dependabot in #561
- build(deps): Bump oras.land/oras-go/v2 from 2.0.0 to 2.0.2 by @dependabot in #592
- build(deps): Bump actions/setup-go from 3 to 4 by @dependabot in #591
- feat: use Referrers API per OCI v1.1 spec by @patrickzheng200 in #602
- doc(spec): add subcommands to Notation plugin spec by @duffney in #555
- chore: remove Notary v2 reference in CLI repo by @patrickzheng200 in #603
- feat: add show and import for trust policy management by @qweeah in #593
- feat: Support username and password prompt in login by @ningziwen in #566
- build(deps): Bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in #612
- feat: introduce experimental feature switch by @qweeah in #613
- fix: added warning for dangling referrers index deletion by @patrickzheng200 in #619
- doc: remove preview mark from policy commands by @qweeah in #629
- build(deps): Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #626
- doc: update spec for feature sign/verify local images by @yizha1 in #601
- fix: fixing cert command by @patrickzheng200 in #627
- feat: add local sign/list/verification for OCI layout directory by @patrickzheng200 in #595
- doc: add an example to CLI help info for notation sign by @FeynmanZhou in #585
- build(deps): Bump golang.org/x/term from 0.5.0 to 0.7.0 by @dependabot in #632
- fix: fixed notation/test/e2e/suite/plugin by @patrickzheng200 in #639
- build: bump up versions and dependencies by @yizha1 in #643
New Contributors
- @qweeah made their first contribution in #593
- @ningziwen made their first contribution in #566
Full Changelog: v1.0.0-rc.3...v1.0.0-rc.4
v1.0.0-rc.3
🚀Notation CLI v1.0.0-rc.3 is now available!
Notices
- BREAKING CHANGE: The default type of signature manifest is changed to image manifest. The flag --signature-manifest for notation sign command is experimental for users to store signatures using artifact manifest.
New Features
- notation sign command supports new flags to sign artifacts using on-demand keys
  - Example: notation sign --id <key_id> --plugin <key_vault_plugin> localhost:5000/net-monitor@sha256:xxx
Detailed Commits
- update: changed Sign to use OCI image manifest as default by @patrickzheng200 in #573
- feat(doc): simplify signing experience by @priteshbandi in #553
- doc: add label and notes for experimental features by @yizha1 in #577
- update: added [Experimental] label to the --signature-manifest flag by @patrickzheng200 in #580
- feat: simplify signing experience by @kody-kimberl in #579
- build: bump up version to v1.0.0-rc.3 by @yizha1 in #583
New Contributors
- @kody-kimberl made their first contribution in #579
Full Changelog: v1.0.0-rc.2.dev.20230226...v1.0.0-rc.3
v1.0.0-rc.2.dev.20230226
v1.0.0-rc.2
🚀Notation CLI v1.0.0-rc.2 is now available!
New Features
- New command for users to inspect signatures associated with signed artifacts
  - Example: notation inspect localhost:5000/net-monitor@sha256:xxx
- Support storing signatures in the registry using OCI image manifest
  - Example: notation sign --key mykey --signature-manifest image localhost:5000/net-monitor@sha256:xxx
- Support adding user defined metadata to signature payload
  - Example: notation sign --key mykey --user-metadata io.wabbit-networks.buildTime=1672944615 localhost:5000/net-monitor@sha256:xxx
Other Changes
- Introduced E2E testing framework and new E2E test cases
- Add --debug and --verbose flags for more commands
- Improved error messaging
- Bug fixes
Detailed Commits
- fix: add verification failed log by @JeyJeyGao in #469
- update: refactored notation list command by @patrickzheng200 in #481
- build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.5 to 2.0.0-rc.6 by @dependabot in #488
- build(deps): bump goreleaser/goreleaser-action from 3 to 4 by @dependabot in #487
- build(deps): bump dev-drprasad/delete-older-releases from 0.2.0 to 0.2.1 by @dependabot in #480
- build(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 by @dependabot in #486
- cleanup: clean up notation CLI by @patrickzheng200 in #485
- Fix: fixed notation cert command by @patrickzheng200 in #483
- update: added log to notation login and logout commands by @patrickzheng200 in #484
- update: added log to notation key and certificate commands by @patrickzheng200 in #478
- build(deps): Bump ossf/scorecard-action from 2.1.0 to 2.1.2 by @dependabot in #495
- doc: Remove outdated docs by @FeynmanZhou in #501
- test: e2e framework by @JeyJeyGao in #493
- build(deps): Bump actions/upload-artifact from 3.1.1 to 3.1.2 by @dependabot in #504
- doc: update notation sign and verify spec for metadata by @byronchien in #498
- doc: update to support OCI image manifest by @yizha1 in #502
- doc: notation Inspect Command line Spec by @vaninrao10 in #500
- test: e2e quickstart test case by @JeyJeyGao in #494
- build(deps): Bump oras.land/oras-go/v2 from 2.0.0-rc.6 to 2.0.0 by @dependabot in #512
- chore: improve warning message when signing or verifying with tag by @priteshbandi in #497
- test: e2e plugin test cases by @JeyJeyGao in #510
- test: e2e sign/verify/trustpolicy test cases by @JeyJeyGao in #496
- test: add unit test for version & trace packages by @JeyJeyGao in #526
- test: add unit test for ioutil package by @JeyJeyGao in #534
- Use new methods introduced in keys.go by @priteshbandi in #529
- bump: go 1.19 to 1.20 by @mintbomb27 in #538
- fix: add error handling for LoadConfigOnce() by @JeyJeyGao in #520
- feat: add support for signed user metadata in notation sign and verify cmds by @byronchien in #507
- Don't access value of default pointer if it is nil by @priteshbandi in #541
- feat: support OCI image manifest by @patrickzheng200 in #509
- doc: update sign.md for OCI image manifest support by @yizha1 in #540
- feat: add support for json output for notation verify by @byronchien in #527
- chore: update sign command descriptions to align with the spec by @patrickzheng200 in #543
- Revert "feat: add support for json output for notation verify (#527)" by @priteshbandi in #551
- fix!: remove short commands by @priteshbandi in #552
- feat: add implementation for notation inspect by @byronchien in #528
- bump: update notation-go and notation-core-go dependency by @priteshbandi in #557
- Added CODEOWNERS and MAINTAINERS files by @toddysm in #542
- build: upgrade version to v1.0.0-rc.2 by @byronchien in #558
New Contributors
- @byronchien made their first contribution in #498
- @vaninrao10 made their first contribution in #500
- @mintbomb27 made their first contribution in #538
Full Changelog: v1.0.0-rc.1...v1.0.0-rc.2
v1.0.0-rc.1
🚀Notation CLI v1.0.0-rc.1 is now available! A tool to sign, store, and verify artifacts! Try it by following the quick start.
Notices
- BREAKING CHANGE: Notation v1.0.0-rc.1 is not compatible with signatures signed by previous Notation releases.
- BREAKING CHANGE: artifactType in signature manifest is changed to application/vnd.cncf.notary.signature
- BREAKING CHANGE: Only support registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
Features
- Sign artifacts using signing keys stored securely in remote key stores
- Verify signatures using trust store and trust policy with fine-tuned configurations
- Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
- Support two signature envelope formats - JWS and COSE
- Support use of plugins for signing and verification
- Sign and verify using locally stored test keys/certificates for demonstration usage only
- notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
- Command sets in this release
  - notation sign: Sign OCI artifacts
    - Example: notation sign --key myKey localhost:5000/net-monitor@sha256:xxx
  - notation verify: Verify OCI artifacts
    - Example: notation verify localhost:5000/net-monitor@sha256:xxx
  - notation certificate: Manage certificates in trust store for verifying
    - Example: notation certificate add --type ca --store wabbit-networks wabbit-networks.crt
  - notation key: Manage keys used for signing
    - Example: notation key add mykey --plugin myKVplugin --id remoteKeyId
  - notation list: List signatures of the signed artifact
    - Example: notation list localhost:5000/net-monitor@sha256:xxx
  - notation login: Log in to a registry
    - Example: notation login registry.example.com -u username -p password
  - notation logout: Log out from a registry
    - Example: notation logout registry.example.com
  - notation plugin: Manage plugins
    - Example: notation plugin ls
  - notation version: Show the notation version information
Changes since last release
- Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
- notation sign and notation verify commands support using --verbose and --debug flags for troubleshooting
- Improved output messages when tags are used to identify the artifacts
- Updated CLI help doc
- Pass expiry to envelope-generator plugin
Detailed Commits
- Update quick start in readme file by @yizha1 in #428
- Bump ossf/scorecard-action from 2.0.4 to 2.0.6 by @dependabot in #411
- Bump actions/upload-artifact from 3.1.0 to 3.1.1 by @dependabot in #412
- Improve error message when default signing key is not set by @priteshbandi in #432
- Removed unreferenced images by @sajayantony in #433
- Feature/issue templates by @toddysm in #435
- Fixed issue with missing text for questions by @toddysm in #442
- Use minimum(user only) file permissions by @priteshbandi in #453
- update: update notation CLI with notation-go refactoring by @patrickzheng200 in #445
- update: updated plugin list command by @patrickzheng200 in #461
- doc: update CLI help doc for notation sign and verify in RC.1 by @FeynmanZhou in #454
- Pass expiry to envelope-generator plugin by @priteshbandi in #458
- spec: update cli sign spec for tag to digest translation by @yizha1 in #439
- spec: update cli verify spec for UX improvement by @yizha1 in #440
- feat: delete old dev release by @JeyJeyGao in #449
- update: updated CLI outputs of sign/verification by @patrickzheng200 in #450
- update: cleaned up dead code in CLI by @patrickzheng200 in #464
- feat: add --debug & --verbose flags & http request/response debug log by @JeyJeyGao in #457
- doc: add CLI help doc to notation key, cert, and notation plugin in RC.1 by @FeynmanZhou in #394
- feat: remove notation certificate/key rm alias by @JeyJeyGao in #467
- build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 by @dependabot in #465
- update: check if verification is skipped by trust policy by @patrickzheng200 in #468
- Build: bump up versions for rc.1 release by @yizha1 in #472
New Contributors
Full Changelog: v0.12.0-beta.1...v1.0.0-rc.1
v0.12.0-beta.1
Features
- Verify using trust store and trust policy
- Manage trust store using CLI command notation certificate
- Implement notation CLI command per CLI spec
- Support configuration of signature format
Other changes
- Clean up unused features and deprecated code
Changelog
- 965a0b7 Updates for v0.12.0-beta.1 release (#427)
- 24576db doc: remove reference to nv2 (#421)
- 2fef168 build(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#425)
- f0e77eb feat: Added notation certificate command for trust store (#405)
- 8d1d4dc feat: add signatureFormat config field (#400)
- fcba9f1 feat: implement list command UX (#414)
- a08dc9e update: updated notation sign command based on spec (#417)
- 2992190 update: updated notation key command based on spec (#416)
- a41b377 feat: implement login/logout UX (#413)
- 469069e update: updated notation verify command based on spec (#418)
- a219ad5 feat: implement version command (#419)
- 4d8da74 Fix demo docker pull step (#420)
- eb87bc3 Change oras-project/registry tag (#397)
- f947da5 feat: implement plugin UX (#415)
- f747031 Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 (#401)
- 4803a8b spec: update notation cli md file as index for sub-commands (#374)
- 193a533 spec: add CLI notation certificate and key specs (#361)
- 01015b0 update: clean up notation CLI (#404)
- ab20527 spec: add CLI specs for notation list/login/logout/plugin (#362)
- 07bba5f spec: add spec for notation version command (#376)
- ecb0708 spec: add spec for notation verify command (#371)
- 20b9fa2 feat: use new verify workflow (#373)
- eb7e4f4 update release process (#396)
- 080c6bb doc: update doc after new release (#395)
v0.11.0-alpha.4
New Features
- Support COSE signature envelope
- Relax the certificate chain requirement to allow signing with self-signed certificates
- Add CLI spec for notation sign
- Add examples in CLI help doc for notation sign and verify commands
Bug fixes
- Fix #313: deprecated the expiry flag of notation cert generate-test
- Fix #332: fix broken links and refine wording in README.md
Other changes
- Add weekly build for CI
- Update to go 1.19
- Update to oras-go 2.0.0-rc.3
- Improve readability of documents and specs
Detail commits
- ci: add weekly release by @JeyJeyGao in #282
- Update download link and refactor the documentation directory by @FeynmanZhou in #308
- fix: deprecated the expiry flag of notation cert generate-test by @patrickzheng200 in #313
- doc: improve readability of directory spec by @shizhMSFT in #311
- feat: update to go 1.19 by @JeyJeyGao in #327
- Bump oras.land/oras-go/v2 from 2.0.0-rc.2 to 2.0.0-rc.3 by @dependabot in #334
- fix broken links and refine wording in README.md by @FeynmanZhou in #332
- Bump github.com/docker/docker-credential-helpers from 0.6.4 to 0.7.0 by @dependabot in #358
- feat:updating go.mod dependencies for alpha4 by @chloeyin in #357
- add workflow dispatch for dev build by @dtzar in #363
- Add notation sign CLI spec by @yizha1 in #341
- docs: add a note for dependencies in go.mod file. by @yizha1 in #309
- add goreport badge by @dtzar in #367
- add openssf scorecard by @dtzar in #368
- feat: support cose by @chloeyin in #365
- update: updated cert_gen to generate self-signed certificate by @patrickzheng200 in #380
- Bump version and dependencies for notation alpha.4 release by @yizha1 in #378
- doc: add examples in CLI help doc for notation sign and verify by @FeynmanZhou in #384
Full Changelog: v0.10.0-alpha.3...v0.11.0-alpha.4
v0.10.0-alpha.3
New Features
- Support notation login
- Sign images with remote key stores that securely store the signing keys
- Verify signatures using Trust Store configured in Notation clients
- Sign images and verify signatures with locally stored test keys/certificates for demonstration use only
- Setup Trust Store with the new directory-based structure
- Configure Trust Policy as a JSON document. Support for registry scope and signature verification levels to customize the behavior during verification
- Store signatures in registries compliant with the ORAS Artifacts Specification v1.0.0-RC.2
Bug Fixes
- Fix #189: wrong download URL
- Fix #264: hello-signing workflow with a self-generated certificate chain
- Fix #286: allow empty credentials to store config
Removed
- Remove docker-generate and docker-notation
Other Changes
- Migrate to codecov.io
- Add unit tests
- Add CodeQL security scanning
- Refactor: delete pkg/registry directory
Detail Commits
- Update readme for 0.9.0 release by @dtzar in #187
- bump to go 1.18 by @dtzar in #188
- fix mistaken download URL by @FeynmanZhou in #189
- use notation-core-go crypto utils by @rgnote in #180
- Add issues to project action by @dtzar in #195
- Directory Structure Spec by @shizhMSFT in #175
- Run unit tests in Github workflow by @Wwwsylvia in #199
- Add CodeQL Security Scanning by @Wwwsylvia in #198
- Registry Authentication Spec by @shizhMSFT in #192
- refactor: delete pkg/registry directory by @binbin-li in #207
- Update workflow by @Wwwsylvia in #212
- Bump github.com/urfave/cli/v2 from 2.8.1 to 2.10.3 by @dependabot in #209
- Bump github.com/docker/cli from 20.10.14+incompatible to 20.10.17+incompatible by @dependabot in #200
- Baseline CLI reference for subsequent PRs on changes by @SteveLasker in #171
- Sorting commands for clarity #221 by @SteveLasker in #222
- notation login CLI by @SteveLasker in #223
- feat: bump up notation-go to the latest version by @binbin-li in #248
- Use cobra CLI for docker-generate command by @chloeyin in #250
- [Feature] support notation login by @binbin-li in #218
- test: Add unit tests for notation login by @binbin-li in #256
- use cobra for notation CLI by @chloeyin in #255
- Migrate to codecov.io by @junczhuMSFT in #266
- chore: bump up oras-go and notation-go by @binbin-li in #270
- remove docker-generate and docker-notation code by @chloeyin in #269
- Doc update README for codecov badge by @junczhuMSFT in #271
- Remove credential file from spec by @shizhMSFT in #262
- fixed the hello-signing workflow with self-generated certificate chain by @patrickzheng200 in #264
- Directory Structure Implementation by @JeyJeyGao in #265
- fix: allow empty credentials store config by @JeyJeyGao in #286
- add unit test for Notation CLI by @chloeyin in #274
- doc: add missing username/password options to commands by @binbin-li in #293
- bump up version to v0.10.0-alpha.3 by @yizha1 in #301
- fix: update notation-go by @JeyJeyGao in #294
- Build: Bump dependencies by @yizha1 in #306
New Contributors
- @FeynmanZhou made their first contribution in #189
- @rgnote made their first contribution in #180
- @binbin-li made their first contribution in #207
- @junczhuMSFT made their first contribution in #266
- @patrickzheng200 made their first contribution in #264
- @JeyJeyGao made their first contribution in #265
- @yizha1 made their first contribution in #301
Full Changelog: v0.9.0-alpha.1...v0.10.0-alpha.3
v0.9.0-alpha.1
What's Changed
- Update doc for v0.7.1-alpha.1 by @shizhMSFT in #139
- Move to oras-go for registry access by @shizhMSFT in #150
- Contributing guidelines by @marcofranssen in #107
- Bump actions/checkout from 2 to 3 by @dependabot in #152
- Bump actions/cache from 2 to 3 by @dependabot in #155
- Bump github.com/docker/cli from 20.10.8+incompatible to 20.10.14+incompatible by @dependabot in #158
- Bump actions/setup-go from 2 to 3 by @dependabot in #159
- Bump github.com/urfave/cli/v2 from 2.3.0 to 2.4.0 by @dependabot in #156
- Bump github.com/urfave/cli/v2 from 2.4.0 to 2.4.8 by @dependabot in #165
- Update deps links for notation-go by @dtzar in #164
- Support managing plugin keys by @qmuntal in #168
- Add plugin sign capability by @qmuntal in #176
- Fix pluginConfig parsing by @qmuntal in #181
- Bump goreleaser/goreleaser-action from 2 to 3 by @dependabot in #178
- Bump github.com/urfave/cli/v2 from 2.4.8 to 2.8.1 by @dependabot in #184
- Bump to go 1.18 by @dtzar in #188
- Update readme for 0.9.0 release by @dtzar in #187
New Contributors
Full Changelog: v0.7.1-alpha.1...v0.9.0-alpha.1