Notary v2 working group is pleased to announce the third release, Alpha 3. Refer release definitions here. This release includes updates to the notaryproject/notaryproject repo to provide the community with updated specifications and an updated implementation of Notation client for signing and verifying artifacts.
- Notation Library 1 (notation-core-go-v1.0.0-alpha.3) (Added in this release)
- Notation Library 2 (notation-go-v0.10.0-alpha.3) (Updated in this release)
- Notation CLI (notation-v0.10.0-alpha.3) (Updated in this release)
- Notary v2 Specs (notaryproject-1.0.0-draft.3) (Updated in this release)
- Notation client development.
- Signature format (JWS) for signing and verification in RC-1.
- Updates on use of plugins for signing and verification. Plugins let vendors and users integrate base Notation client with their choice of Key Vaults and PKI.
- Update "Notation" (CLI client) implementation to match the latest specifications. With the new client, users can
- Sign images with remote key stores that securely store the signing keys
- Verify signatures using Trust stores configured in Notation clients
- Sign images and Verify signatures with locally stored test keys/certificates for demonstration use only
- Setup Trust stores with the new directory-based structure
- Configure Trust Policy as a JSON document. Support for registry scope and signature verfication levels to customize the behaviour during verification.
- Store signatures in registries compliant to the ORAS Reference spec RC-1
We do not recommend this release for use in production environment. Refer release definitions here. We suggest using it for testing and providing feedback to the Notary v2 working group only
For detailed notes on each of the individual repositories (NotaryProject, Notation (for reference CLI implementation) and Notation libraries) users can refer to the individual release notes. A summary view is provided in this document.
Notation is a standalone CLI client based on Notary v2 specs. It supports signing, verifying, and storing signatures in registries supporitng signatures as references to images.
In this release of Notation command, the following CLI commands are supported.
- notation sign
- notation verify
- notation plugin list
- notation cert generate-test
To start using Notation Refer: https://github.com/notaryproject/notation/blob/main/hello-signing.md
Written in the GO language the Library is divided up into two separate repos - Notation-go and Notation-core-go
Refer individual release notes.
This is not an exhaustive list. Users should refer to the Notary v2 roadmap at https://github.com/notaryproject/roadmap#readme for seeing the plan for subsequent releases and refer to individual subprojects (repositories) releases notes for details
- The current signature format JWS is the proposed format for RC-1 release. Notary v2 community plans to support additional signature formats ( such as COSE)
- Revocation support via Notation client will come in a future release
- Alternate signature storage schemes which can use OCI Distribution 1.0 based registries is under investigation for a future release
This version of Notation client is not compatible with any of the prior releases.