
PoC: Notation Sign/Verify with Timestamping

Pre-release
github-actions released this 01 Feb 05:54 · 91 commits to main since this release · a45c5dc

This is a proof of concept (PoC) of Notation sign and verify with timestamping.

How to use:

  1. `notation cert generate-test testTSA --default` generates a self-signed certificate with a 10-minute validity period. This is for quick testing of the timestamping feature: a signature generated without timestamping fails verification once that certificate expires, i.e. after 10 minutes.
  2. Testing with a free TSA (http://timestamp.digicert.com): create a trust policy statement (one entry of the `trustPolicies` array in trustpolicy.json) such as:

     ```json
     {
         "name": "testTSA",
         "registryScopes": [ "your.registry/your_repo" ],
         "signatureVerification": {
             "level": "strict"
         },
         "trustStores": [ "ca:testTSA", "tsa:digicert" ],
         "trustedIdentities": [
             "*"
         ]
     }
     ```

     Create a new trust store at notation\truststore\x509\tsa\digicert and put the root certificate DigiCertTrustedRootG4.cer (attached to this release) in it.
  3. Sign (currently only works for COSE):

     ```
     notation sign --signature-format cose --allow-referrers-api --tsa http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef... -v
     ```
  4. Verify (currently only works for COSE):

     ```
     notation verify --allow-referrers-api your_registry/your_repo@sha256:abcdef... -v
     ```

     Wait 10 minutes, until the test certificate has expired, and verify again: verification should still pass because of the timestamp.
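To make the point behind step 4 concrete, the following is an added model of the time check a verifier performs when a timestamp is present. It is constructed for this page and is not Notation's own code: the `CertWindow` and `TimestampToken` classes, `verify_time`, `scenario`, and the dates are all assumptions chosen to mirror the 10-minute test certificate above, and the model deliberately omits the cryptographic checks a real verifier also does (the TSA's signature over the token, the token's message imprint matching the signature bytes, revocation). What it shows is why the same signature fails at t+20 minutes without a timestamp and passes with one, and why the TSA's trust store entry in the policy is required for that to work.

```python
"""Why a timestamp keeps a signature verifiable after the signing certificate
expires: a simplified model of the verifier's time check.

Constructed example for this release page; NOT Notation's own code. A real
verifier additionally checks the TSA's signature on the token, that the
token's message imprint matches the signature bytes, and revocation status.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class CertWindow:
    """Validity period of an X.509 certificate (notBefore / notAfter)."""
    not_before: datetime
    not_after: datetime

    def contains(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class TimestampToken:
    """The parts of a TSA token that matter for this check (assumed shape)."""
    gen_time: datetime      # time asserted by the TSA (genTime)
    tsa_cert: CertWindow    # validity of the TSA's signing certificate
    trust_store: str        # trust store the TSA chains to, e.g. "tsa:digicert"


def verify_time(signing_cert: CertWindow, policy: dict, now: datetime,
                token: Optional[TimestampToken] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for the time-validity part of verification.

    `policy` is one trust policy statement like the one on this page; only
    its "trustStores" list is consulted here.
    """
    stores = policy.get("trustStores", [])
    # Without a timestamp the signing certificate must be valid right now.
    if signing_cert.contains(now):
        return True, "signing certificate valid at verification time"
    if token is None:
        return False, "signing certificate expired and no timestamp present"
    # With a timestamp, the TSA must be trusted by policy and valid now ...
    if token.trust_store not in stores:
        return False, f"TSA trust store {token.trust_store!r} not in policy"
    if not token.tsa_cert.contains(now):
        return False, "TSA certificate not valid at verification time"
    # ... and the signing certificate must have been valid at the asserted time.
    if not signing_cert.contains(token.gen_time):
        return False, "timestamp falls outside signing certificate validity"
    return True, "signing certificate was valid at the trusted timestamp"


# Constructed scenario mirroring the page: a 10-minute test certificate,
# signed one minute after issuance, verified twenty minutes after issuance.
POLICY = {
    "name": "testTSA",
    "registryScopes": ["your.registry/your_repo"],
    "signatureVerification": {"level": "strict"},
    "trustStores": ["ca:testTSA", "tsa:digicert"],
    "trustedIdentities": ["*"],
}
T0 = datetime(2024, 2, 1, 5, 0, tzinfo=timezone.utc)   # constructed issuance time
TEST_CERT = CertWindow(T0, T0 + timedelta(minutes=10))
TSA_CERT = CertWindow(T0 - timedelta(days=365), T0 + timedelta(days=365))
TOKEN = TimestampToken(T0 + timedelta(minutes=1), TSA_CERT, "tsa:digicert")


def scenario(minutes_later: int, with_timestamp: bool) -> Tuple[bool, str]:
    """Verify at T0 + minutes_later, with or without the timestamp token."""
    now = T0 + timedelta(minutes=minutes_later)
    return verify_time(TEST_CERT, POLICY, now, TOKEN if with_timestamp else None)


if __name__ == "__main__":
    for minutes, ts in [(5, False), (20, False), (20, True)]:
        ok, why = scenario(minutes, ts)
        print(f"t+{minutes:>2}min timestamp={ts!s:5} -> {'PASS' if ok else 'FAIL'}: {why}")
```

Running it prints a pass at t+5 without a timestamp, a fail at t+20 without one, and a pass at t+20 with one. Dropping `"tsa:digicert"` from `trustStores` turns the last case into a fail, which is the same effect as forgetting the trust store directory in step 2.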