Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
Release Notes
notaryproject/notation (notaryproject/notation)
### [`v1.0.0`](https://togithub.com/notaryproject/notation/releases/tag/v1.0.0)
[Compare Source](https://togithub.com/notaryproject/notation/compare/v0.7.1-alpha.1-feat-kv-extensibility...v1.0.0)
### Notation CLI V1
`notation` is a CLI reference implementation of the [Notary Project Specifications `v1.0.0`](https://togithub.com/notaryproject/specifications/tree/v1.0.0) to sign and verify artifacts with signatures as standard items in the OCI registry ecosystem. After a long journey of development, `notation` has reached a notable milestone for its first stable release `v1.0.0`.
> \[!IMPORTANT]
> Experimental features are intended for testing and evaluation purposes only and should not be used in production environments. Experimental features can be enabled by setting the environment variable `NOTATION_EXPERIMENTAL=1`.
Release blog posts of previous RC versions can be found at [notaryproject.dev](https://notaryproject.dev/blog/).
#### Key Features
- Sign and verify artifacts as well as list and inspect signatures stored in OCI-compliant registries
- Support [JWS](https://togithub.com/notaryproject/specifications/blob/v1.0.0/specs/signature-envelope-jws.md) and [COSE](https://togithub.com/notaryproject/specifications/blob/v1.0.0/specs/signature-envelope-cose.md) signature formats
- Compliant with [`image-spec v1.0.2`](https://togithub.com/opencontainers/image-spec/tree/v1.0.2)
- Compliant with [`distribution-spec v1.0.1`](https://togithub.com/opencontainers/distribution-spec/tree/v1.0.1)
- Compatible with [`image-spec v1.1.0-rc4`](https://togithub.com/opencontainers/image-spec/tree/v1.1.0-rc4)
- Compatible with [`distribution-spec v1.1.0-rc3`](https://togithub.com/opencontainers/distribution-spec/tree/v1.1.0-rc3) (limited to [referrers tag schema](https://togithub.com/opencontainers/distribution-spec/blob/v1.1.0-rc3/spec.md#referrers-tag-schema))
- Support signing and verification [plugins](https://togithub.com/notaryproject/specifications/blob/v1.0.0/specs/plugin-extensibility.md)
- Support signing using Key Management System (KMS)
- Support signing and verification with user-defined metadata
- Support authentication to registries using [docker credential stores](https://docs.docker.com/engine/reference/commandline/login/#credential-stores)
- Verify artifact using [trust policy and trust store](https://togithub.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md) with fine-tuned configurations
- Support certificate revocation via [OCSP](https://datatracker.ietf.org/doc/html/rfc6960)
#### Experimental Features
- Compliant with [`distribution-spec v1.1.0-rc1`](https://togithub.com/opencontainers/distribution-spec/releases/tag/v1.1.0-rc1)
- Sign and verify artifacts as well as list signatures stored in [OCI image layout](https://togithub.com/opencontainers/image-spec/blob/v1.1.0-rc4/image-layout.md)
#### Security Audit
- [Security audit report in 2023](https://togithub.com/notaryproject/specifications/blob/v1.0.0/security/reports/audit/ADA-notation-security-audit-23.pdf)
- [Fuzz testing audit in 2023](https://togithub.com/notaryproject/specifications/blob/v1.0.0/security/reports/fuzzing/ADA-fuzzing-audit-22-23.pdf)
### What's Changed Since RC.7
#### Bug Fixes
- Fix [#696](https://togithub.com/notaryproject/notation/issues/696): `desktop.exe` credential store is not supported in WSL
- Fix [#697](https://togithub.com/notaryproject/notation/issues/697): `notation login` fails to detect existing credentials for `docker.io`
#### Other Changes
- Minor security improvements ([#746](https://togithub.com/notaryproject/notation/issues/746))
- Better code quality with more E2E test cases
- Better debug tracing
- Dependency updates
#### Detailed Commits
- fix(test): E2E test cases for OCI layout by [@JeyJeyGao](https://togithub.com/JeyJeyGao) in [https://github.com/notaryproject/notation/pull/692](https://togithub.com/notaryproject/notation/pull/692)
- build(deps): Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/702](https://togithub.com/notaryproject/notation/pull/702)
- fix: fix the issue with getting credentials for `docker.io` by [@Wwwsylvia](https://togithub.com/Wwwsylvia) in [https://github.com/notaryproject/notation/pull/703](https://togithub.com/notaryproject/notation/pull/703)
- build(deps): Bump github.com/notaryproject/notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 in /test/e2e/plugin by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/710](https://togithub.com/notaryproject/notation/pull/710)
- fix: Updating documentation with AWS Plugin support by [@priteshbandi](https://togithub.com/priteshbandi) in [https://github.com/notaryproject/notation/pull/711](https://togithub.com/notaryproject/notation/pull/711)
- fix: `login` and `logout` will leverage docker config and os default store by [@Wwwsylvia](https://togithub.com/Wwwsylvia) in [https://github.com/notaryproject/notation/pull/712](https://togithub.com/notaryproject/notation/pull/712)
- chore: update issue templates by [@yizha1](https://togithub.com/yizha1) in [https://github.com/notaryproject/notation/pull/594](https://togithub.com/notaryproject/notation/pull/594)
- bump: bump oras-credentials-go `v0.2.0` by [@wangxiaoxuan273](https://togithub.com/wangxiaoxuan273) in [https://github.com/notaryproject/notation/pull/717](https://togithub.com/notaryproject/notation/pull/717)
- build(deps): Bump golang.org/x/term from 0.8.0 to 0.9.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/716](https://togithub.com/notaryproject/notation/pull/716)
- fix(e2e): update testdata OCI layout images by [@JeyJeyGao](https://togithub.com/JeyJeyGao) in [https://github.com/notaryproject/notation/pull/727](https://togithub.com/notaryproject/notation/pull/727)
- build(deps): Bump ossf/scorecard-action from 2.1.3 to 2.2.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/724](https://togithub.com/notaryproject/notation/pull/724)
- \[StepSecurity] ci: Harden GitHub Actions for fixing Pinned-Dependencies by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/notaryproject/notation/pull/731](https://togithub.com/notaryproject/notation/pull/731)
- \[StepSecurity] ci: Harden GitHub Actions for fixing Token-Permissions by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/notaryproject/notation/pull/730](https://togithub.com/notaryproject/notation/pull/730)
- build(deps): Bump oras.land/oras-go/v2 from 2.2.0 to 2.2.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/735](https://togithub.com/notaryproject/notation/pull/735)
- chore: add license header to files and github action workflow to check license by [@Two-Hearts](https://togithub.com/Two-Hearts) in [https://github.com/notaryproject/notation/pull/739](https://togithub.com/notaryproject/notation/pull/739)
- build(deps): Bump golang.org/x/term from 0.9.0 to 0.10.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/734](https://togithub.com/notaryproject/notation/pull/734)
- build(deps): Bump actions/checkout from 3.0.2 to 3.5.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/737](https://togithub.com/notaryproject/notation/pull/737)
- build(deps): Bump actions/add-to-project from [`0da8e46`](https://togithub.com/notaryproject/notation/commit/0da8e46333d7b6e01d0e857452a1e99cb47be205) to [`edc057a`](https://togithub.com/notaryproject/notation/commit/edc057aef96b993afe5d68104418f68a536264aa) by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/745](https://togithub.com/notaryproject/notation/pull/745)
- build(deps): Bump github/codeql-action from 2.20.1 to 2.20.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/742](https://togithub.com/notaryproject/notation/pull/742)
- fix: unset NOTATION_USERNAME and NOTATION_PASSWORD to avoid leaking credentials to plugin by [@JeyJeyGao](https://togithub.com/JeyJeyGao) in [https://github.com/notaryproject/notation/pull/746](https://togithub.com/notaryproject/notation/pull/746)
- feat: add trace for executables by [@wangxiaoxuan273](https://togithub.com/wangxiaoxuan273) in [https://github.com/notaryproject/notation/pull/744](https://togithub.com/notaryproject/notation/pull/744)
- build(deps): Bump github.com/notaryproject/notation-core-go from 1.0.0-rc.4 to 1.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/752](https://togithub.com/notaryproject/notation/pull/752)
- build(deps): Bump github/codeql-action from 2.20.4 to 2.21.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/notaryproject/notation/pull/751](https://togithub.com/notaryproject/notation/pull/751)
- bump: upgrade notation-go to v1.0.0 by [@shizhMSFT](https://togithub.com/shizhMSFT) in [https://github.com/notaryproject/notation/pull/754](https://togithub.com/notaryproject/notation/pull/754)
- doc: update README to align with the new brand name by [@FeynmanZhou](https://togithub.com/FeynmanZhou) in [https://github.com/notaryproject/notation/pull/750](https://togithub.com/notaryproject/notation/pull/750)
- bump: tag and release v1.0.0 by [@shizhMSFT](https://togithub.com/shizhMSFT) in [https://github.com/notaryproject/notation/pull/748](https://togithub.com/notaryproject/notation/pull/748)
#### New Contributors
- [@wangxiaoxuan273](https://togithub.com/wangxiaoxuan273) made their first contribution in [https://github.com/notaryproject/notation/pull/717](https://togithub.com/notaryproject/notation/pull/717)
- [@step-security-bot](https://togithub.com/step-security-bot) made their first contribution in [https://github.com/notaryproject/notation/pull/731](https://togithub.com/notaryproject/notation/pull/731)
**Full Changelog**: https://github.com/notaryproject/notation/compare/v1.0.0-rc.7...v1.0.0
Configuration
Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
Automerge: Enabled.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: 0.7.1-alpha.1 -> 1.0.0
This PR has been generated by Renovate Bot.