v1.2.0-tsa-updated

Pre-release
@github-actions github-actions released this 18 Apr 06:44
· 64 commits to main since this release
7aee992

This is a PoC of signing and verifying with timestamping.
How to use:

  1. notation cert generate-test testTSA --default generates a self-signed certificate with a 10-minute validity period. This is for quick testing of the timestamping feature: a signature generated without timestamping would fail verification once the certificate expires, i.e. after 10 minutes.

  2. Testing with a free TSA (http://timestamp.digicert.com): create a trust policy statement. The "testTSA" entry below is one element of the "trustPolicies" array in trustpolicy.json; the surrounding document is shown so that the file is complete and loads as-is:

    {
        "version": "1.0",
        "trustPolicies": [
            {
                "name": "testTSA",
                "registryScopes": [ "your.registry/your_repo" ],
                "signatureVerification": {
                    "level": "strict"
                },
                "timestampVerification": {
                    "enable": true,
                    "expiryRelaxed": true
                },
                "trustStores": [ "ca:testTSA", "tsa:digicert" ],
                "trustedIdentities": [
                    "*"
                ]
            }
        ]
    }


    Create a new trust store directory at notation\truststore\x509\tsa\digicert (under the notation configuration directory) and put the DigiCert TSA root certificate DigiCertTSARootSHA384.cer (included in this release) in it, so that the "tsa:digicert" trust store referenced by the policy resolves.

  3. Sign (works for both COSE and JWS):

    notation sign --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
    
    notation sign --signature-format cose --force-referrers-tag=false --tsa-url http://timestamp.digicert.com your_registry/your_repo@sha256:abcdef...
    
  4. Verify (works for both COSE and JWS):

    notation verify your_registry/your_repo@sha256:abcdef... -v
    

    Wait 10 minutes (until the test certificate has expired) and verify again: verification should still pass, because the trusted timestamp proves the signature was produced while the certificate was still valid.
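To tie the four steps together, here is an added shell script that is not part of this release or of the notation project. It writes the trust policy from step 2, installs the TSA root into the trust store layout from step 2, and then runs the sign / verify / wait / verify sequence of steps 3 and 4. Assumptions (not stated on the page): the notation configuration directory defaults to ~/.config/notation and can be overridden with NOTATION_CONFIG; the policy keys are the PoC keys shown above; the registry scope is derived from the reference by stripping the @digest suffix.

```shell
#!/bin/sh
# Added example (not from the release notes or the notation project).
# Assumptions: notation config dir defaults to ~/.config/notation
# (override with NOTATION_CONFIG); trust policy keys are the PoC keys from
# the release page; the DigiCert root file name is the one shipped with it.
set -eu

: "${NOTATION_CONFIG:=${XDG_CONFIG_HOME:-${HOME:-.}/.config}/notation}"

# write_trust_policy CONFIG_DIR NAME REGISTRY_SCOPE TSA_STORE_NAME
# Writes a complete trustpolicy.json whose single policy enables timestamp
# verification with relaxed expiry (step 2). Prints the file path.
write_trust_policy() {
    config_dir=$1; name=$2; scope=$3; tsa_store=$4
    mkdir -p "$config_dir"
    cat > "$config_dir/trustpolicy.json" <<EOF
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "$name",
            "registryScopes": [ "$scope" ],
            "signatureVerification": { "level": "strict" },
            "timestampVerification": { "enable": true, "expiryRelaxed": true },
            "trustStores": [ "ca:$name", "tsa:$tsa_store" ],
            "trustedIdentities": [ "*" ]
        }
    ]
}
EOF
    printf '%s\n' "$config_dir/trustpolicy.json"
}

# install_tsa_root CONFIG_DIR TSA_STORE_NAME CERT_FILE
# Copies the TSA root certificate into truststore/x509/tsa/<store>/ so the
# "tsa:<store>" reference in the policy resolves. Prints the installed path.
install_tsa_root() {
    config_dir=$1; tsa_store=$2; cert=$3
    dest="$config_dir/truststore/x509/tsa/$tsa_store"
    mkdir -p "$dest"
    cp "$cert" "$dest/"
    printf '%s\n' "$dest/$(basename "$cert")"
}

# timestamped_sign_verify REF TSA_URL
# Steps 1, 3 and 4: create the 10-minute test cert, sign with a TSA, verify,
# wait until the cert has expired, verify again. Needs the PoC binary and
# network access to both the registry and the TSA.
timestamped_sign_verify() {
    ref=$1; tsa_url=$2
    notation cert generate-test testTSA --default
    notation sign --force-referrers-tag=false --tsa-url "$tsa_url" "$ref"
    notation verify "$ref" -v
    echo "sleeping 600s so the test signing certificate expires..."
    sleep 600
    # A signature without a timestamp would fail here; the timestamped one passes.
    notation verify "$ref" -v
}

# The live flow only runs when a registry reference is passed and notation
# is installed; the helper functions above work without either.
if [ "${1:-}" != "" ] && command -v notation >/dev/null 2>&1; then
    ref=$1
    scope=${ref%@*}   # your_registry/your_repo@sha256:... -> your_registry/your_repo
    write_trust_policy "$NOTATION_CONFIG" testTSA "$scope" digicert
    install_tsa_root "$NOTATION_CONFIG" digicert ./DigiCertTSARootSHA384.cer
    timestamped_sign_verify "$ref" http://timestamp.digicert.com
fi
```

Run it as `sh tsa-poc.sh your_registry/your_repo@sha256:...` from the directory containing DigiCertTSARootSHA384.cer. The policy and trust store helpers are kept separate from the live flow so the on-disk layout can be checked without a registry or TSA reachable.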