v1.2.0-tsa-updated
Pre-release
github-actions released this 18 Apr 06:44
This is a PoC of Sign and verify with Timestamping.

How to use:

- `notation cert generate-test testTSA --default` will generate a self-signed cert with a 10 minute validity period. This is for quick testing of the Timestamping features: signatures generated without timestamping would fail verification after 10 minutes.
- Testing with a free TSA: http://timestamp.digicert.com. Create a trust policy statement:

  ```json
  {
    "name": "testTSA",
    "registryScopes": [ "your.registry/your_repo" ],
    "signatureVerification": { "level": "strict" },
    "timestampVerification": { "enable": true, "expiryRelaxed": true },
    "trustStores": [ "ca:testTSA", "tsa:digicert" ],
    "trustedIdentities": [ "*" ]
  }
  ```

  Create a new trust store at `notation\truststore\x509\tsa\digicert` and put the root certificate `DigiCertTSARootSHA384.cer` (you can find the file in this release) in it.
- Sign (works for both COSE and JWS):

  ```sh
  notation sign --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
  notation sign --signature-format cose --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
  ```
- Verify (works for both COSE and JWS):

  ```sh
  notation verify your_registry/your_repo@sha256:abcdef... -v
  ```

  Wait for 10 minutes and verify again; the verification should still pass due to Timestamping.
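As an added illustration, not code from this release or from notation itself, here is a small Python model of why the second verification still passes: with a token from a TSA in the `tsa:` trust store the verifier uses the TSA's asserted signing time instead of "now", and `expiryRelaxed` lets the check succeed after the 10 minute cert has expired. The type and function names are assumptions for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the check described above; names are assumptions for
# illustration, not notation's own types or functions.

@dataclass(frozen=True)
class SigningCert:
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class TimestampToken:
    tsa: str            # trust store the TSA chain is anchored in, e.g. "digicert"
    gen_time: datetime  # signing time asserted by the TSA (RFC 3161 genTime)

def verify_signing_time(cert, now, token=None, trusted_tsas=frozenset(), expiry_relaxed=False):
    """Return (ok, reason): was the signing cert valid when the signature was made?

    Without a token the verifier must assume the signature was made 'now', so an
    expired cert always fails. A token from a TSA in the trust store supplies the
    real signing time, and expiryRelaxed lets verification pass after cert expiry.
    """
    if token is None:
        signing_time = now
    elif token.tsa not in trusted_tsas:
        return False, "timestamp token does not chain to a trusted TSA"
    else:
        signing_time = token.gen_time
    if not (cert.not_before <= signing_time <= cert.not_after):
        return False, "signing time outside certificate validity"
    if now > cert.not_after and not (token is not None and expiry_relaxed):
        return False, "certificate expired and expiry is not relaxed by a timestamp"
    return True, "ok"

def ten_minute_scenario():
    """Replay the release-note test: a cert valid for 10 minutes, verified after 11."""
    t0 = datetime(2024, 4, 18, 6, 44, tzinfo=timezone.utc)  # constructed signing time
    cert = SigningCert(t0, t0 + timedelta(minutes=10))
    token = TimestampToken("digicert", t0)
    later = t0 + timedelta(minutes=11)
    trusted = frozenset({"digicert"})
    return {
        "fresh": verify_signing_time(cert, t0 + timedelta(minutes=1))[0],
        "expired_no_tsa": verify_signing_time(cert, later)[0],
        "expired_with_tsa": verify_signing_time(cert, later, token, trusted, True)[0],
        "expired_not_relaxed": verify_signing_time(cert, later, token, trusted, False)[0],
        "untrusted_tsa": verify_signing_time(cert, later, token, frozenset(), True)[0],
    }
```

The `untrusted_tsa` case is the one to keep in mind when populating `notation\truststore\x509\tsa\digicert`: a token that does not chain to a root in that store gives no relaxation at all.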