Releases: notaryproject/notation
v1.1.2
Bug Fixes
- Fixed debug log to show correct notation-go signingAgent.
- Removed the blob signing related documents as they were not implemented yet.
Other Changes
- Updated dependencies with highlights below
  - Update to Golang v1.23
  - Update to notation-go v1.1.2
What's Changed since v1.1.1
- bump: bump up and vote notation v1.1.1 by @JeyJeyGao in #963
- fix(docs): remove blob signing docs for release-1.1 branch by @JeyJeyGao in #1013
- bump: update notation-go v1.1.2 by @JeyJeyGao in #1041
- bump: dependencies for release-1.1 branch by @JeyJeyGao in #1057
Full Changelog: v1.1.1...v1.1.2
v1.3.0-rc.1
Vote PASSED [+4 -0]: #1056
New Features
- Support of CRL revocation check with built-in file cache. See more details here.
Changelog
- 0d9ceac bump: release v1.3.0-rc.1
- 2819637 refactor!: remove blob sign/verify for v1.3.0-rc.1 release (#1045)
- 4c0a3da feat: crl with file cache (#1043)
- c2cff5b build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 in /test/e2e (#1037)
- a109519 build(deps): Bump golang.org/x/net from 0.28.0 to 0.29.0 (#1034)
- 3bb6ef7 build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 in /test/e2e/plugin (#1038)
- 687d29e build(deps): Bump oras.land/oras-go/v2 from 2.4.0 to 2.5.0 in /test/e2e (#1035)
- 1ab2505 build(deps): Bump github/codeql-action from 3.26.6 to 3.26.8 (#1044)
- 8f8f8c9 build(deps): Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.20.2 in /test/e2e (#1036)
- 9283467 build(deps): Bump golang.org/x/term from 0.23.0 to 0.24.0 (#1033)
- 1af69fc chore: updated dependabot.yml to cover test/e2e (#1030)
- e8f37d0 build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 (#1024)
- b620496 build(deps): Bump github/codeql-action from 3.26.0 to 3.26.6 (#1026)
- 780df48 build(deps): Bump actions/upload-artifact from 4.3.6 to 4.4.0 (#1025)
- 83ade99 bump: upgrade golang version to v1.23 (#1019)
- b683029 build(deps): Bump github/codeql-action from 3.25.15 to 3.26.0 (#1010)
- fe327c7 build(deps): Bump actions/upload-artifact from 4.3.4 to 4.3.6 (#1009)
- 3a35b3b build(deps): Bump golang.org/x/net from 0.27.0 to 0.28.0 (#1007)
Full changelog: v1.2.0...v1.3.0-rc.1
v1.2.0
Vote PASSED [+4 -0]: #1022
Notation v1.2.0
Notation v1.2.0 is an implementation of the Notary Project Specifications v1.1.0.
Key features
- Support OCI image-spec v1.1.0 and distribution-spec v1.1.0
  - Introduced new flag --force-referrers-tag (default to true) to the notation sign command, which allows users to opt for the referrers tag schema instead of the referrers API.
  - The notation verify / list / inspect commands always attempt the referrers API first, automatically falling back to the referrers tag schema if the referrers API is not supported by the registry.
- Support for RFC 3161 compliant Timestamping
  - Introduced two new flags --timestamp-url and --timestamp-root-cert in notation sign command for signing with timestamping, see the notation sign CLI spec for more details.
  - Support a new trust store type tsa in notation certificate command.
  - Support RFC 3161 timestamp verification in the notation verify command with updated trust policy, see the notation verify CLI spec for more details.
  - Support RFC 3161 timestamp in notation inspect command's output.
- Added support for armv7 binary release.
Other changes
- Upgraded to Golang v1.23
Deprecation
- The experimental flag --allow-referrers-api is deprecated as notation follows distribution-spec v1.1.0.
What's changed since v1.2.0-rc.1
Full Changelog: v1.2.0-rc.1...v1.2.0
v1.2.0-rc.1
Vote PASSED [+4 -0]: #1017
Changes
- Added support for armv7 binary release.
- Updated notation inspect command with RFC 3161 timestamp in the output.
What's Changed
- build: add support for armv7 binary release by @lmussier in #956
- chore: move tsa url print out behind -v flag by @Two-Hearts in #996
- feat: update inspect command with timestamping by @Two-Hearts in #998
- build(deps): Bump golang.org/x/net from 0.23.0 to 0.27.0 by @dependabot in #999
- build(deps): Bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @dependabot in #1000
- build(deps): Bump github/codeql-action from 3.25.13 to 3.25.15 by @dependabot in #1001
- refactor: update verifier by @Two-Hearts in #1002
- refactor!: remove blob sign/verify related contents by @Two-Hearts in #1011
- bump: bump up dependencies for release-1.2 by @Two-Hearts in #1014
New Contributors
Full Changelog: v1.2.0-beta.1...v1.2.0-rc.1
v1.2.0-beta.1
Vote PASSED [+4 -0]: #995
New Features
- Support for RFC 3161 compliant Timestamping
  - Introduce two new flags --timestamp-url and --timestamp-root-cert in notation sign command for signing with timestamping, see the notation sign CLI spec for more details.
  - Support a new trust store type tsa in notation certificate command.
  - Support RFC 3161 timestamp verification in the notation verify command with updated trust policy, see the notation verify CLI spec for more details.
Detailed Commits
- 787665f Merge pull request #995 from Two-Hearts/release
- 00af3ce bump: release v1.2.0-beta.1
- bbeb75d bump: bump up dependencies for v1.2.0-beta.1 (#994)
- e604a4f build(deps): Bump golang.org/x/net from 0.22.0 to 0.23.0 (#993)
- a034721 feat: Timestamp (#978)
- 26c0b36 build(deps): Bump github/codeql-action from 3.25.11 to 3.25.13 (#991)
- d8c77d1 build(deps): Bump actions/setup-go from 5.0.1 to 5.0.2 (#986)
- cab4fef docs: update RELEASE_CHECKLIST.md (#713)
- c6636ca build(deps): Bump github/codeql-action from 3.25.8 to 3.25.11 (#980)
- e9ed3d5 build(deps): Bump actions/add-to-project from 1.0.1 to 1.0.2 (#981)
- 214b0b2 build(deps): Bump golang.org/x/term from 0.21.0 to 0.22.0 (#982)
- 2de7110 build(deps): Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#983)
- acf54be build(deps): Bump codecov/codecov-action from 4.4.1 to 4.5.0 (#972)
- ae6ff01 build(deps): Bump actions/checkout from 4.1.6 to 4.1.7 (#970)
- 944c661 build(deps): Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#969)
- 626002a Merge pull request #967 from JeyJeyGao/vote/v1.2.0-alpha.1
Full Changelog: v1.2.0-alpha.1...v1.2.0-beta.1
v1.2.0-alpha.1
Vote PASSED [+4 -0]: #967
New Features
- Support OCI image-spec v1.1.0 and distribution-spec v1.1.0.
  - Introduce a new flag --force-referrers-tag (default to true) to the notation sign command, which allows users to opt for the referrers tag schema instead of the referrers API.
  - The notation verify / list / inspect commands will always attempt the referrers API first, automatically falling back to the referrers tag schema if the referrers API is not supported by the registry.
Deprecation
- The experimental flag --allow-referrers-api is deprecated as notation follows distribution-spec v1.1.0.
Other changes
- Improved documentation
- Improved error messages
- Update dependencies with highlights below
  - Update to Golang 1.22
  - Update to notation-go v1.1.1
  - Update to notation-core-go v1.0.3
  - Update to oras-go v2.5.0
Detailed Commits
- bump: tag and release version v1.1.0 by @Two-Hearts in #876
- build(deps): Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #878
- build(deps): Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #879
- build(deps): Bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #877
- bump: bump up oras-go and image-spec by @Two-Hearts in #881
- build(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #883
- build(deps): Bump codecov/codecov-action from 3.1.5 to 4.0.1 by @dependabot in #884
- build(deps): Bump golang.org/x/term from 0.16.0 to 0.17.0 by @dependabot in #886
- build(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #887
- build(deps): Bump codecov/codecov-action from 4.0.1 to 4.0.2 by @dependabot in #896
- build(deps): Bump github/codeql-action from 3.24.0 to 3.24.5 by @dependabot in #895
- build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in #891
- build(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 by @dependabot in #898
- build(deps): Bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #900
- build(deps): Bump actions/add-to-project from 0.5.0 to 0.6.0 by @dependabot in #901
- docs: spec updates for arbitrary blob signing by @rgnote in #811
- build(deps): Bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #899
- build(deps): Bump golang.org/x/term from 0.17.0 to 0.18.0 by @dependabot in #906
- chore: add GitHub action for stale issues and PRs by @yizha1 in #841
- build(deps): Bump github/codeql-action from 3.24.6 to 3.24.7 by @dependabot in #908
- build(deps): Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #907
- build(deps): Bump actions/stale from 8 to 9 by @dependabot in #915
- build(deps): Bump actions/add-to-project from 0.6.0 to 0.6.1 by @dependabot in #912
- build(deps): Bump github/codeql-action from 3.24.7 to 3.24.9 by @dependabot in #913
- build(deps): Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #914
- build(deps): Bump actions/add-to-project from 0.6.1 to 1.0.0 by @dependabot in #918
- build(deps): Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #917
- Moved org maintainers to emeritus by @toddysm in #919
- fix(ci): update codecov token by @JeyJeyGao in #920
- feat: upgrade to OCI 1.1 by @Two-Hearts in #916
- fix: improve error message for --signature-format flag by @JeyJeyGao in #925
- build(deps): Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #922
- build(deps): Bump golang.org/x/term from 0.18.0 to 0.19.0 by @dependabot in #924
- build(deps): Bump codecov/codecov-action from 4.1.1 to 4.3.0 by @dependabot in #927
- build(deps): Bump actions/add-to-project from 1.0.0 to 1.0.1 by @dependabot in #928
- build(deps): Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/e2e by @dependabot in #929
- build(deps): Bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #936
- build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #939
- build(deps): Bump golang.org/x/term from 0.19.0 to 0.20.0 by @dependabot in #940
- build(deps): Bump codecov/codecov-action from 4.3.0 to 4.4.0 by @dependabot in #944
- build(deps): Bump github/codeql-action from 3.24.10 to 3.25.5 by @dependabot in #945
- build(deps): Bump actions/checkout from 4.1.2 to 4.1.6 by @dependabot in #946
- fix: error message for trust policy by @JeyJeyGao in #933
- doc: add Notation CLI Error Handling and Message Guideline by @FeynmanZhou in #834
- build(deps): Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 by @dependabot in #951
- build(deps): Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #950
- build(deps): Bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #949
- build(deps): Bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #948
- build(deps): Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #955
- bump: bump up notation-go v1.1.1 and other dependencies by @JeyJeyGao in #952
- build(deps): Bump golang.org/x/term from 0.20.0 to 0.21.0 by @dependabot in #960
- build(deps): Bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #961
- build(deps): Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 by @dependabot in #962
- fix(ci): update goreleaser to use --clean flag by @JeyJeyGao in #964
Full Changelog: v1.1.0...v1.2.0-alpha.1
v1.1.1
Vote PASSED [+4 -0]: #963
Changes
- Improve documentation
- Improve error messages
- Update dependencies with highlights below
  - Update to Golang 1.22
  - Update to notation-go v1.1.1
  - Update to notation-core-go v1.0.3
  - Update to oras-go v2.5.0
Detailed Commits
- bump: tag and release version v1.1.0 by @Two-Hearts in #876
- build(deps): Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #878
- build(deps): Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #879
- build(deps): Bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #877
- bump: bump up oras-go and image-spec by @Two-Hearts in #881
- build(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #883
- build(deps): Bump codecov/codecov-action from 3.1.5 to 4.0.1 by @dependabot in #884
- build(deps): Bump golang.org/x/term from 0.16.0 to 0.17.0 by @dependabot in #886
- build(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #887
- build(deps): Bump codecov/codecov-action from 4.0.1 to 4.0.2 by @dependabot in #896
- build(deps): Bump github/codeql-action from 3.24.0 to 3.24.5 by @dependabot in #895
- build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in #891
- build(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 by @dependabot in #898
- build(deps): Bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #900
- build(deps): Bump actions/add-to-project from 0.5.0 to 0.6.0 by @dependabot in #901
- docs: spec updates for arbitrary blob signing by @rgnote in #811
- build(deps): Bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #899
- build(deps): Bump golang.org/x/term from 0.17.0 to 0.18.0 by @dependabot in #906
- chore: add GitHub action for stale issues and PRs by @yizha1 in #841
- build(deps): Bump github/codeql-action from 3.24.6 to 3.24.7 by @dependabot in #908
- build(deps): Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #907
- build(deps): Bump actions/stale from 8 to 9 by @dependabot in #915
- build(deps): Bump actions/add-to-project from 0.6.0 to 0.6.1 by @dependabot in #912
- build(deps): Bump github/codeql-action from 3.24.7 to 3.24.9 by @dependabot in #913
- build(deps): Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #914
- build(deps): Bump actions/add-to-project from 0.6.1 to 1.0.0 by @dependabot in #918
- build(deps): Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #917
- Moved org maintainers to emeritus by @toddysm in #919
- fix(ci): update codecov token by @JeyJeyGao in #920
- feat: upgrade to OCI 1.1 by @Two-Hearts in #916
- fix: improve error message for --signature-format flag by @JeyJeyGao in #925
- build(deps): Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #922
- build(deps): Bump golang.org/x/term from 0.18.0 to 0.19.0 by @dependabot in #924
- build(deps): Bump codecov/codecov-action from 4.1.1 to 4.3.0 by @dependabot in #927
- build(deps): Bump actions/add-to-project from 1.0.0 to 1.0.1 by @dependabot in #928
- build(deps): Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/e2e by @dependabot in #929
- build(deps): Bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #936
- build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #939
- build(deps): Bump golang.org/x/term from 0.19.0 to 0.20.0 by @dependabot in #940
- build(deps): Bump codecov/codecov-action from 4.3.0 to 4.4.0 by @dependabot in #944
- build(deps): Bump github/codeql-action from 3.24.10 to 3.25.5 by @dependabot in #945
- build(deps): Bump actions/checkout from 4.1.2 to 4.1.6 by @dependabot in #946
- fix: error message for trust policy by @JeyJeyGao in #933
- doc: add Notation CLI Error Handling and Message Guideline by @FeynmanZhou in #834
- build(deps): Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 by @dependabot in #951
- build(deps): Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #950
- build(deps): Bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #949
- build(deps): Bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #948
- build(deps): Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #955
- bump: bump up notation-go v1.1.1 and other dependencies by @JeyJeyGao in #952
- revert: "feat: upgrade to OCI 1.1 (#916)" by @JeyJeyGao in #958
- build(deps): Bump golang.org/x/term from 0.20.0 to 0.21.0 by @JeyJeyGao in #966
Full Changelog: v1.1.0...v1.1.1
v1.1.0
Vote PASSED [+4 -0]: #876
New Features
- Added new command notation plugin install. Users are now able to install a notation plugin directly from a URL or from their file system. Supported plugin installation formats are .zip, .tar.gz, and single plugin executable file.
- Added new command notation plugin uninstall. Users are now able to uninstall a notation plugin by providing the plugin name.
- Added NOTATION_CONFIG and NOTATION_LIBEXEC environment variables. Users are now able to override the default Notation configuration and plugins directory with these two variables.
Other changes
- Improved UX and error messages.
- Improved documentation.
- Updated dependencies
  - Update to Golang 1.21
  - Update to notation-go v1.1.0
  - Update to notation-core-go v1.0.2
  - Update to oras-go v2.3.1
Detailed Commits
- feat: update notation cert list command output by @Two-Hearts in #798
- fix: fix the license check by @Two-Hearts in #826
- bump: bump up to go version 1.21 by @Two-Hearts in #833
- doc: update plugin spec by @FeynmanZhou in #809
- build(deps): Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot in #823
- build(deps): Bump github/codeql-action from 2.22.5 to 2.22.7 by @dependabot in #835
- Correct broken link to quick start guide by @rcrozean in #831
- chore: update tag to digest by @yizha1 in #837
- feat: add notation plugin uninstall command by @Two-Hearts in #842
- chore: update references with the tag version by @yizha1 in #836
- build(deps): Bump golang.org/x/term from 0.13.0 to 0.15.0 by @dependabot in #843
- build(deps): Bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #845
- build(deps): Bump github/codeql-action from 2.22.7 to 2.22.9 by @dependabot in #846
- build(deps): Bump golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #850
- build(deps): Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/e2e/plugin by @dependabot in #849
- build(deps): Bump github/codeql-action from 2.22.9 to 3.22.11 by @dependabot in #847
- build(deps): Bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #848
- feat: notation plugin install command by @Two-Hearts in #827
- feat: add notation config environment variable by @JeyJeyGao in #821
- fix: fix bug in SetHTTPDebugLog by @Two-Hearts in #857
- fix: notation plugin install error messages and tests by @Two-Hearts in #855
- build(deps): Bump github/codeql-action from 3.22.11 to 3.22.12 by @dependabot in #854
- Updated CODEOWNERS and MAINTAINERS files by @toddysm in #862
- build(deps): Bump golang.org/x/term from 0.15.0 to 0.16.0 by @dependabot in #860
- bump: bump up notation-go by @Two-Hearts in #863
- build(deps): Bump actions/cache from 3.3.2 to 3.3.3 by @dependabot in #866
- build(deps): Bump github/codeql-action from 3.22.12 to 3.23.0 by @dependabot in #865
- build(deps): Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #864
- fix: improve error message for plugin by @JeyJeyGao in #870
- build(deps): Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #872
- build(deps): Bump actions/cache from 3.3.3 to 4.0.0 by @dependabot in #873
- build(deps): Bump github/codeql-action from 3.23.0 to 3.23.1 by @dependabot in #874
- bump: bump up notation-go and notation-core-go including e2e tests by @Two-Hearts in #875
New Contributors
Full Changelog: v1.0.0...v1.1.0
v1.0.1
Vote PASSED [+4 -0]: #820
Changes
- Improve UX and error messages
- Improve documentation
- Update dependencies
  - Update to notation-go v1.0.1
  - Update to notation-core-go v1.0.1
  - Update to oras-credentials-go v0.3.1 for legacy docker config support (resolves #801)
Detailed Commits
- build(deps): Bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #761
- build(deps): Bump github/codeql-action from 2.21.0 to 2.21.3 by @dependabot in #762
- build(deps): Bump golang.org/x/term from 0.10.0 to 0.11.0 by @dependabot in #758
- build(deps): Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in #763
- chore: fixed workflow go version by @Two-Hearts in #760
- docs: update readme from feedback from #750 by @sajayantony in #757
- chore: quick fix on notation policy command print out by @Two-Hearts in #764
- doc: update release management for 1.0 by @priteshbandi in #714
- build(deps): Bump github/codeql-action from 2.21.3 to 2.21.4 by @dependabot in #766
- build(deps): Bump github/codeql-action from 2.21.4 to 2.21.5 by @dependabot in #774
- build(deps): Bump golang.org/x/term from 0.11.0 to 0.12.0 by @dependabot in #775
- build(deps): Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #780
- build(deps): Bump actions/checkout from 3.5.3 to 4.0.0 by @dependabot in #781
- build(deps): Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 by @dependabot in #782
- build(deps): Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #779
- fix: fix trust policy import by @Two-Hearts in #794
- build(deps): Bump golang.org/x/term from 0.12.0 to 0.13.0 by @dependabot in #795
- build(deps): Bump github/codeql-action from 2.21.5 to 2.22.0 by @dependabot in #797
- build(deps): Bump ossf/scorecard-action from 2.2.0 to 2.3.0 by @dependabot in #796
- build(deps): Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #789
- build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc4 to 1.1.0-rc5 by @dependabot in #786
- build(deps): Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 by @dependabot in #785
- fix: Code scanning issues by @JeyJeyGao in #799
- fix: legacy docker config support by @JeyJeyGao in #803
- build(deps): Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/e2e by @dependabot in #800
- build(deps): Bump oras.land/oras-go/v2 from 2.2.1 to 2.3.0 by @dependabot in #776
- build(deps): Bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #805
- docs: fix broken links by @suzuki-shunsuke in #787
- fix: improve error messages of notation CLI by @Two-Hearts in #810
- bump: update dependencies by @Two-Hearts in #815
- build(deps): Bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #814
- build(deps): Bump github/codeql-action from 2.22.0 to 2.22.5 by @dependabot in #813
- bump: bump up dependencies including E2E tests by @Two-Hearts in #818
- fix: add "release-*" to workflows trigger events by @Two-Hearts in #819
New Contributors
- @suzuki-shunsuke made their first contribution in #787
Full Changelog: v1.0.0...v1.0.1
v1.0.0
Notation CLI V1
notation is a CLI reference implementation of the Notary Project Specifications v1.0.0 to sign and verify artifacts with signatures as standard items in the OCI registry ecosystem. After a long journey of development, notation has reached a notable milestone for its first stable release v1.0.0. 🎉🎉🎉
Important
Experimental features are intended for testing and evaluation purposes only and should not be used in production environments. Experimental features can be enabled by setting the environment variable NOTATION_EXPERIMENTAL=1.
Release blog posts of previous RC versions can be found at notaryproject.dev.
Key Features
- Sign and verify artifacts as well as list and inspect signatures stored in OCI-compliant registries
- Support JWS and COSE signature formats
- Compliant with image-spec v1.0.2
- Compliant with distribution-spec v1.0.1
- Compatible with image-spec v1.1.0-rc4
- Compatible with distribution-spec v1.1.0-rc3 (limited to referrers tag schema)
- Support signing and verification plugins
- Support signing using Key Management System (KMS)
- Support signing and verification with user-defined metadata
- Support authentication to registries using docker credential stores
- Verify artifact using trust policy and trust store with fine-tuned configurations
- Support certificate revocation via OCSP
Experimental Features
- Compliant with distribution-spec v1.1.0-rc1
- Sign and verify artifacts as well as list signatures stored in OCI image layout
Security Audit
What's Changed Since RC.7
Bug Fixes
- Fix #696: desktop.exe credential store is not supported in WSL
- Fix #697: notation login fails to detect existing credentials for docker.io
Other Changes
- Minor security improvements (#746)
- Better code quality with more E2E test cases
- Better debug tracing
- Dependency updates
Detailed Commits
- fix(test): E2E test cases for OCI layout by @JeyJeyGao in #692
- build(deps): Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 by @dependabot in #702
- fix: fix the issue with getting credentials for docker.io by @Wwwsylvia in #703
- build(deps): Bump github.com/notaryproject/notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 in /test/e2e/plugin by @dependabot in #710
- fix: Updating documentation with AWS Plugin support by @priteshbandi in #711
- fix: login and logout will leverage docker config and os default store by @Wwwsylvia in #712
- chore: update issue templates by @yizha1 in #594
- bump: bump oras-credentials-go v0.2.0 by @wangxiaoxuan273 in #717
- build(deps): Bump golang.org/x/term from 0.8.0 to 0.9.0 by @dependabot in #716
- fix(e2e): update testdata OCI layout images by @JeyJeyGao in #727
- build(deps): Bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #724
- [StepSecurity] ci: Harden GitHub Actions for fixing Pinned-Dependencies by @step-security-bot in #731
- [StepSecurity] ci: Harden GitHub Actions for fixing Token-Permissions by @step-security-bot in #730
- build(deps): Bump oras.land/oras-go/v2 from 2.2.0 to 2.2.1 by @dependabot in #735
- chore: add license header to files and github action workflow to check license by @Two-Hearts in #739
- build(deps): Bump golang.org/x/term from 0.9.0 to 0.10.0 by @dependabot in #734
- build(deps): Bump actions/checkout from 3.0.2 to 3.5.3 by @dependabot in #737
- build(deps): Bump actions/add-to-project from 0da8e46333d7b6e01d0e857452a1e99cb47be205 to edc057aef96b993afe5d68104418f68a536264aa by @dependabot in #745
- build(deps): Bump github/codeql-action from 2.20.1 to 2.20.4 by @dependabot in #742
- fix: unset NOTATION_USERNAME and NOTATION_PASSWORD to avoid leaking credentials to plugin by @JeyJeyGao in #746
- feat: add trace for executables by @wangxiaoxuan273 in #744
- build(deps): Bump github.com/notaryproject/notation-core-go from 1.0.0-rc.4 to 1.0.0 by @dependabot in #752
- build(deps): Bump github/codeql-action from 2.20.4 to 2.21.0 by @dependabot in #751
- bump: upgrade notation-go to v1.0.0 by @shizhMSFT in #754
- doc: update README to align with the new brand name by @FeynmanZhou in #750
- bump: tag and release v1.0.0 by @shizhMSFT in #748
New Contributors
- @wangxiaoxuan273 made their first contribution in #717
- @step-security-bot made their first contribution in #731
Full Changelog: v1.0.0-rc.7...v1.0.0