
Releases: Two-Hearts/notation

v1.2.0-preRC1

08 Aug 02:00
ed77da1
Pre-release
build(deps): Bump github/codeql-action from 3.25.13 to 3.25.15 (#1001)

v1.2.0-ocspNoTimeout

24 Jun 06:16
177e77b
Pre-release

To use:
notation verify {my-image} --debug

v1.2.0-tsa-updated

18 Apr 06:44
7aee992
Pre-release

This is a PoC of sign and verify with timestamping.
How to use:

  1. notation cert generate-test testTSA --default generates a self-signed certificate with a 10-minute validity period. This is for quick testing of the timestamping feature: a signature generated without timestamping fails verification once the certificate expires, i.e. after 10 minutes.

  2. To test with a free TSA (http://timestamp.digicert.com), create a trust policy statement:

    {
        "name": "testTSA",
        "registryScopes": [ "your.registry/your_repo"],
        "signatureVerification": {
            "level": "strict"
        },
        "timestampVerification": {
            "enable": true,
            "expiryRelaxed": true
        },
        "trustStores": [ "ca:testTSA", "tsa:digicert"],
        "trustedIdentities": [
            "*"
        ]
    },

    "trustedIdentities": ["*"] accepts any certificate that chains to the ca:testTSA store, which is fine for this test but should be narrowed to specific signing identities for real use.

    Create a new trust store at notation\truststore\x509\tsa\digicert (under the notation configuration directory) and put the root certificate DigiCertTSARootSHA384.cer (you can find the file in this release) in it.

  3. Sign (works for both COSE and JWS):

    notation sign --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
    
    notation sign --signature-format cose --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
    
  4. Verify (works for both COSE and JWS):

    notation verify your_registry/your_repo@sha256:abcdef... -v
    

    Wait 10 minutes for the signing certificate to expire and verify again; verification should still pass because of the timestamp.

PoC: Notation Sign/Verify with Timestamping

01 Feb 05:54
a45c5dc

This is a PoC of sign and verify with timestamping.
How to use:

  1. notation cert generate-test testTSA --default generates a self-signed certificate with a 10-minute validity period. This is for quick testing of the timestamping feature: a signature generated without timestamping fails verification once the certificate expires, i.e. after 10 minutes.

  2. To test with a free TSA (http://timestamp.digicert.com), create a trust policy statement:

    {
        "name": "testTSA",
        "registryScopes": [ "your.registry/your_repo"],
        "signatureVerification": {
            "level": "strict"
        },
        "trustStores": [ "ca:testTSA", "tsa:digicert"],
        "trustedIdentities": [
            "*"
        ]
    },

    Create a new trust store at notation\truststore\x509\tsa\digicert (under the notation configuration directory) and put the root certificate DigiCertTrustedRootG4.cer (you can find the file in this release) in it.

  3. Sign (currently only works for COSE):

    notation sign --signature-format cose --allow-referrers-api --tsa http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef... -v

  4. Verify (currently only works for COSE):

    notation verify --allow-referrers-api your_registry/your_repo@sha256:abcdef... -v

    Wait 10 minutes for the signing certificate to expire and verify again; verification should still pass because of the timestamp.
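Both timestamping walkthroughs (this PoC and the v1.2.0-tsa-updated build above) rest on one verification rule: when a trusted timestamp is present, the signing certificate is judged at the time the TSA asserted rather than at verification time, which is why a 10-minute test certificate can still verify after it expires. The Go program below is an added example written for this page, not code from the notation project. It builds a 10-minute self-signed signing certificate and a mock TSA (both constructed here, standing in for cert generate-test and the DigiCert root), signs a constructed payload, countersigns it with the mock TSA, and runs verification with simulated clocks at one and eleven minutes. The stamp format (an ECDSA signature over hash(signature || time)) is a deliberate simplification in place of an RFC 3161 token; the names testTSA, mock-tsa, stamp, verify and scenario are the example's own. The two trust stores from the policy, ca: and tsa:, are modeled as separate x509.CertPool values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture setup only; never applied to untrusted input
	if err != nil {
		panic(err)
	}
	return v
}

type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate // self-signed
	pool *x509.CertPool    // trust store holding only cert
}

func newIdentity(cn string, notBefore time.Time, lifetime time.Duration) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime)}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &identity{key: key, cert: cert, pool: pool}
}

// stamp is a TSA countersignature over hash(signature || asserted time): an RFC 3161 token in miniature.
type stamp struct {
	at  time.Time
	sig []byte
	tsa *x509.Certificate
}

func sign(signer *identity, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return must(ecdsa.SignASN1(rand.Reader, signer.key, digest[:]))
}

func tsaDigest(sig []byte, t time.Time) []byte {
	d := sha256.Sum256(append(append([]byte{}, sig...), t.UTC().Format(time.RFC3339)...))
	return d[:]
}

// timestamp plays the TSA: it countersigns sig together with the time it saw it.
func timestamp(tsa *identity, sig []byte, seenAt time.Time) *stamp {
	at := seenAt.UTC().Truncate(time.Second)
	return &stamp{at: at, sig: must(ecdsa.SignASN1(rand.Reader, tsa.key, tsaDigest(sig, at))), tsa: tsa.cert}
}

// verify evaluates a signature at wall-clock time now. With ts == nil the signing cert must be valid at
// now; with a stamp whose TSA chains to tsaRoots (and is valid now), it only has to have been valid at ts.at.
func verify(payload, sig []byte, signer *x509.Certificate, ts *stamp, caRoots, tsaRoots *x509.CertPool, now time.Time) error {
	digest := sha256.Sum256(payload)
	if pub, ok := signer.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("payload signature invalid")
	}
	opts := x509.VerifyOptions{Roots: caRoots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if ts != nil {
		if pub, ok := ts.tsa.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, tsaDigest(sig, ts.at), ts.sig) {
			return fmt.Errorf("timestamp countersignature invalid")
		}
		if _, err := ts.tsa.Verify(x509.VerifyOptions{Roots: tsaRoots, CurrentTime: now, KeyUsages: opts.KeyUsages}); err != nil {
			return fmt.Errorf("tsa certificate: %w", err)
		}
		opts.CurrentTime = ts.at // judge the signing certificate at the TSA-asserted time, not at now
	}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signing certificate at %s: %w", opts.CurrentTime.Format(time.RFC3339), err)
	}
	return nil
}

func scenario() (fresh, expiredNoTS, expiredWithTS bool) {
	t0 := time.Now().UTC().Truncate(time.Second)     // simulated clocks below, so no ten-minute wait
	signer := newIdentity("testTSA", t0, 10*time.Minute) // same 10-minute validity as cert generate-test
	tsa := newIdentity("mock-tsa", t0, 365*24*time.Hour)
	payload := []byte(`{"digest":"sha256:abcdef"}`) // constructed stand-in for the artifact descriptor
	sig := sign(signer, payload)
	ts := timestamp(tsa, sig, t0.Add(time.Second))
	fresh = verify(payload, sig, signer.cert, nil, signer.pool, tsa.pool, t0.Add(time.Minute)) == nil
	expiredNoTS = verify(payload, sig, signer.cert, nil, signer.pool, tsa.pool, t0.Add(11*time.Minute)) == nil
	expiredWithTS = verify(payload, sig, signer.cert, ts, signer.pool, tsa.pool, t0.Add(11*time.Minute)) == nil
	return
}

func main() {
	fmt.Println(scenario()) // true false true
}
```

Running it prints the three outcomes: verification one minute after signing passes, verification at eleven minutes without a timestamp fails with a certificate-expired error, and verification at eleven minutes with the timestamp passes. The timestamp path adds two checks that the plain path lacks: the TSA's countersignature over the signature and asserted time, and the TSA certificate chaining to the tsa: store at verification time. Without the first, anyone could re-date a signature; without the second, anyone could run their own TSA. That separation is why the walkthrough puts the DigiCert root into its own tsa: trust store rather than into ca:testTSA.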

PoC: Notation Sign/Verify arbitrary file

18 Aug 09:52
95f3ccd

PoC to sign/verify an arbitrary file using Notation.

Sign

Sign a file in the file system
notation sign --file --signature ./mySignature.sig ./myFile

Verify

Verify a file against one or more signatures in the file system
notation verify --file --signature ./mySig1.sig --signature ./mySig2.sig ./myFile

Verify a file and its signature stored in a remote registry
notation verify --file <myRegistry>/file@sha256:abcdef

PoC on `notation plugin install` from OCI artifact

01 Jun 05:33
f6be5eb

This is a PoC of notation plugin install where the plugin is saved as an OCI artifact in a registry.

Taking the notation-azure-kv (akv) plugin as an example:

  1. Download the akv plugin executable from its release page.
  2. Upload the akv plugin executable to your ACR registry: oras push <your_registry>/<your_repo>:<v1> ./notation-azure-kv
  3. Install the akv plugin: notation plugin install --name azure-kv <your_registry>/<your_repo>:<v1>

The plugin should now be installed in notation's plugin directory and ready to use.