PoC: Notation Sign/Verify with Timestamping
Pre-release
github-actions released this 01 Feb 05:54
This is a PoC of sign and verify with timestamping.

How to use:

- `notation cert generate-test testTSA --default` will generate a self-signed cert with a 10-minute validity period. This is for quick testing of the timestamping features: signatures generated without timestamping would fail verification after 10 minutes.
- Testing with a free TSA: http://timestamp.digicert.com. Create a trust policy statement:

  ```json
  { "name": "testTSA", "registryScopes": [ "your.registry/your_repo" ], "signatureVerification": { "level": "strict" }, "trustStores": [ "ca:testTSA", "tsa:digicert" ], "trustedIdentities": [ "*" ] },
  ```

  Create a new trust store at `notation\truststore\x509\tsa\digicert` and put the root certificate `DigiCertTrustedRootG4.cer` (you can find the file in this release) in it.
- Sign (currently only works for COSE):

  `notation sign --signature-format cose --allow-referrers-api --tsa http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef... -v`
- Verify (currently only works for COSE):

  `notation verify --allow-referrers-api your_registry/your_repo@sha256:abcdef... -v`

  Wait for 10 minutes and verify again; the verification should still pass due to timestamping.
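The steps above as one script, added here as an example (not part of this release or the notation project). It assumes a Linux/macOS host where notation keeps its config under `${XDG_CONFIG_HOME:-$HOME/.config}/notation`, the DigiCert root from this release saved as `./DigiCertTrustedRootG4.cer`, and the image reference passed as the only argument; `your.registry/your_repo` in the policy is a placeholder derived from that reference.

```shell
#!/bin/sh
# Added example: lay out the notation trust policy and TSA trust store described
# above, then run the timestamped sign / verify round trip.
set -eu

# Assumption: notation config dir on Linux/macOS (override with NOTATION_DIR).
NOTATION_DIR="${NOTATION_DIR:-${XDG_CONFIG_HOME:-$HOME/.config}/notation}"
TSA_URL="http://timestamp.digicert.com"

# Write trustpolicy.json with the statement from the release notes: the
# "testTSA" CA store for the signing cert plus the "digicert" TSA store.
write_trust_policy() {
  dir="$1"; scope="$2"
  mkdir -p "$dir"
  cat > "$dir/trustpolicy.json" <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "testTSA",
      "registryScopes": [ "$scope" ],
      "signatureVerification": { "level": "strict" },
      "trustStores": [ "ca:testTSA", "tsa:digicert" ],
      "trustedIdentities": [ "*" ]
    }
  ]
}
EOF
}

# Create the TSA trust store directory and drop the DigiCert root into it.
install_tsa_root() {
  dir="$1"; cert="$2"
  mkdir -p "$dir/truststore/x509/tsa/digicert"
  cp "$cert" "$dir/truststore/x509/tsa/digicert/"
}

# Sign with a timestamp, verify, then verify again after the 10-minute test
# cert has expired: only the TSA timestamp keeps the second verify passing.
sign_and_verify() {
  ref="$1"
  notation cert generate-test testTSA --default
  notation sign --signature-format cose --allow-referrers-api --tsa "$TSA_URL" "$ref" -v
  notation verify --allow-referrers-api "$ref" -v
  sleep 600
  notation verify --allow-referrers-api "$ref" -v
}

if [ $# -eq 1 ]; then
  write_trust_policy "$NOTATION_DIR" "${1%%@*}"   # scope = repo without digest
  install_tsa_root "$NOTATION_DIR" ./DigiCertTrustedRootG4.cer
  sign_and_verify "$1"
fi
```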