Releases: Two-Hearts/notation
v1.2.0-preRC1
build(deps): Bump github/codeql-action from 3.25.13 to 3.25.15 (#1001)
v1.2.0-ocspNoTimeout
To use:
notation verify {my-image} --debug
v1.2.0-tsa-updated
This is a PoC of sign and verify with Timestamping.
How to use:
- notation cert generate-test testTSA --default
  will generate a self-signed cert with a 10-minute validity period. This is for quick testing of the Timestamping features: signatures generated without timestamping would fail verification after 10 minutes.
- Testing with a free TSA: http://timestamp.digicert.com. Create the trust policy statement:
  { "name": "testTSA", "registryScopes": [ "your.registry/your_repo" ], "signatureVerification": { "level": "strict" }, "timestampVerification": { "enable": true, "expiryRelaxed": true }, "trustStores": [ "ca:testTSA", "tsa:digicert" ], "trustedIdentities": [ "*" ] }
  Create a new trust store at notation\truststore\x509\tsa\digicert and put the root certificate DigiCertTSARootSHA384.cer (you can find the file in this release) in it.
- Sign (works for both COSE and JWS):
  notation sign --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
  notation sign --signature-format cose --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
- Verify (works for both COSE and JWS):
  notation verify your_registry/your_repo@sha256:abcdef... -v
  Wait for 10 minutes and verify again; the verification should still pass due to Timestamping.
PoC: Notation Sign/Verify with Timestamping
This is a PoC of sign and verify with Timestamping.
How to use:
- notation cert generate-test testTSA --default
  will generate a self-signed cert with a 10-minute validity period. This is for quick testing of the Timestamping features: signatures generated without timestamping would fail verification after 10 minutes.
- Testing with a free TSA: http://timestamp.digicert.com. Create the trust policy statement:
  { "name": "testTSA", "registryScopes": [ "your.registry/your_repo" ], "signatureVerification": { "level": "strict" }, "trustStores": [ "ca:testTSA", "tsa:digicert" ], "trustedIdentities": [ "*" ] }
  Create a new trust store at notation\truststore\x509\tsa\digicert and put the root certificate DigiCertTrustedRootG4.cer (you can find the file in this release) in it.
- Sign (currently only works for COSE):
  notation sign --signature-format cose --allow-referrers-api --tsa http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef... -v
- Verify (currently only works for COSE):
  notation verify --allow-referrers-api your_registry/your_repo@sha256:abcdef... -v
  Wait for 10 minutes and verify again; the verification should still pass due to Timestamping.
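The verification behaviour both timestamping PoCs above exercise (the v1.2.0-tsa-updated notes and this one), as an added illustrative model rather than notation's own code: it reads the trust policy statement from the notes and shows why a signature made on the 10-minute test cert fails after expiry without a timestamp but still passes with a timestamp token that chains to the tsa: trust store. Function and parameter names, the clock values and the sample policy copy are constructed for the example; the meaning of expiryRelaxed is not modelled.

```python
"""Illustrative model of timestamp-aware verification (added example, not
notation's code), driven by the trust policy statement from this release."""
import json
from datetime import datetime, timedelta, timezone

# Trust policy statement copied from the release note (constructed copy).
TRUST_POLICY = json.loads("""
{ "name": "testTSA",
  "registryScopes": ["your.registry/your_repo"],
  "signatureVerification": {"level": "strict"},
  "timestampVerification": {"enable": true, "expiryRelaxed": true},
  "trustStores": ["ca:testTSA", "tsa:digicert"],
  "trustedIdentities": ["*"] }
""")
T0 = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed signing time
TEN_MINUTES = timedelta(minutes=10)                     # generate-test cert lifetime

def timestamping_enabled(policy):
    """A timestamp only counts if the policy enables it AND a tsa: trust store
    (holding the TSA root, e.g. DigiCert's) exists to validate the token."""
    enabled = policy.get("timestampVerification", {}).get("enable", False)
    has_tsa_store = any(s.startswith("tsa:") for s in policy.get("trustStores", []))
    return bool(enabled and has_tsa_store)

def verify(policy, not_before, not_after, verify_at, tsa_time=None, tsa_trusted=False):
    """Return (ok, reason). not_before/not_after: signing cert validity window;
    tsa_time: time asserted by the RFC 3161 token; tsa_trusted: token chains to tsa: store."""
    if verify_at < not_before:
        return False, "signing certificate not yet valid"
    if verify_at <= not_after:
        return True, "signing certificate still valid at verification time"
    # Cert has expired: only a trusted timestamp inside its window rescues it.
    if not timestamping_enabled(policy):
        return False, "certificate expired; timestamping disabled or no tsa: store"
    if tsa_time is None:
        return False, "certificate expired; signature carries no timestamp"
    if not tsa_trusted:
        return False, "timestamp token does not chain to the tsa: trust store"
    if not_before <= tsa_time <= not_after:
        return True, "timestamp proves signing happened inside the validity window"
    return False, "timestamp lies outside the certificate validity window"

def demo_ten_minute_cert():
    """The release note's experiment: sign at T0 on a 10-minute cert, verify at
    T0+11min once without and once with a trusted timestamp. -> (False, True)"""
    later = T0 + timedelta(minutes=11)
    plain = verify(TRUST_POLICY, T0, T0 + TEN_MINUTES, later)
    stamped = verify(TRUST_POLICY, T0, T0 + TEN_MINUTES, later, tsa_time=T0 + timedelta(seconds=5), tsa_trusted=True)
    return plain[0], stamped[0]
```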
PoC: Notation Sign/Verify arbitrary file
PoC to sign/verify an arbitrary file using Notation.
Sign
Sign a file in the file system:
notation sign --file --signature ./mySignature.sig ./myFile
Verify
Verify a file against signatures in the file system:
notation verify --file --signature ./mySig1.sig --signature ./mySig2.sig ./myFile
Verify a file and its signature in a remote registry:
notation verify --file <myRegistry>/file@sha256:abcdef
PoC on `notation plugin install` from OCI artifact
This is a PoC of notation plugin install where the plugin is saved as an OCI artifact in a registry.
Taking the notation akv plugin as an example:
- Download the akv plugin from its release.
- Upload the akv plugin executable to your ACR registry:
oras push <your_registry>/<your_repo>:<v1> ./notation-azure-kv
- Install the akv plugin:
notation plugin install --name azure-kv <your_registry>/<your_repo>:<v1>
The plugin should now be installed in the correct location and ready to be used.