Notary v2 working group is pleased to announce its first release candidate, RC-1. Refer release definitions here. This release includes updates to the notaryproject/notaryproject repo to provide the community with updated specifications and an updated implementation of Notation client for signing and verifying artifacts.
- Notation Library 1 (notation-core-go-v1.0.0-rc.1) (Updated in this release)
- Notation Library 2 (notation-go-v1.0.0-rc.1) (Updated in this release)
- Notation CLI (notation-v1.0.0-rc.1) (Updated in this release)
- Notary v2 Specs (notaryproject-v1.0.0-rc.1) (Updated in this release)
- Notary v2 specifications
- A cross industry and cross registry specification for signing and verification of any OCI image or registry artifact
- Support for two signature envelope formats - JWS and COSE. Customers can choose the format along with their choice of plugins
- Update on use of plugins for signing and verification. Plugins let vendors and users integrate base Notation client with their choice of Key Vaults, PKI, and Signing services
- Users to build/integrate their own implementation of Notary v2 specifications into their signing and verification workflows
- Update "Notation" (CLI client) implementation to match the latest specifications. With this new version of Notation client, users can
- Sign images with remote key stores that securely store the signing keys
- Verify signatures using Trust stores and Trust policy configuration of Notation client
- Sign images and Verify signatures with locally stored test keys/certificates for demonstration use only
- Setup Trust stores with the new directory-based structure using the notation client "certificate" commands to add/delete/list/show
- Configure Trust Policy as a JSON document, with support for registry scope and signature verification levels to customize the behavior during verification
- Manage signatures in registries compliant to the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
- Updated libraries for Notation
- Both Notation-go and Notation-core-go libraries have been updated
- Users can directly integrate with notation-go for signing and verification APIs. These APIs are made configurable to support verification of pre-fetched signatures one at a time
*This is the first supported release from the Notary v2 community. Refer release definitions here
For detailed notes on each of the individual repositories (NotaryProject, Notation (for reference CLI implementation) and Notation libraries) users can refer to the individual release notes. A summary view is provided in this document.
Notation is a standalone CLI client based on Notary v2 specs. It supports signing, verifying, and storing signatures in registries supporting signatures as references to images.
In this release of Notation command, the following CLI commands are supported.
- sign Sign OCI artifacts
- verify Verify OCI artifacts
- certificate Manage certificates in trust store for verifying
- key Manage keys used for signing
- list List signatures of the signed artifact
- login Login to registry
- logout Log out from the logged in registries
- plugin Manage plugins ( Only notation plugin list commmand is support in this release)
- version Show the notation version information
- help Help about any command
As part of this release, users have to create a trust policy configuration file before verifying arifacts.
To start using Notation Refer: https://notaryproject.dev/docs/quickstart/
Written in the GO language the Library is divided up into two separate repos - Notation-go and Notation-core-go
Refer individual release notes.
This is not an exhaustive list. Users should refer to the Notary v2 roadmap at https://github.com/notaryproject/roadmap#readme for seeing the plan for subsequent releases and refer to individual subprojects (repositories) releases notes for details
- Alternate signature storage schemes which can use OCI Distribution 1.0 based registries ("fallback support") is planned for the next release candidate
- Revocation support via Notation client will come in a future release. Spec update for revocation support is planned for the next release candidate
- CLI specs for managing trust policy is planned for the next release candidate
- This version of Notation client is not compatible with any of the prior releases of Notation client.
- This version of Notation client is meant for registries compliant to the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec