Merge branch 'notaryproject:main' into main
toddysm authored Apr 3, 2024
2 parents 5148bbc + f3f7eee commit b9738c5
Showing 7 changed files with 163 additions and 16 deletions.
69 changes: 69 additions & 0 deletions content/en/blog/2024/announcing-notation-v1-1.md
@@ -0,0 +1,69 @@
---
title: Notary Project announces Notation v1.1.0!
author: "Notary Project Release Team"
date: 2024-02-08
draft: false
---

The Notary Project maintainers are proud to announce new releases for its sub-projects, including [Notary Project specifications v1.1.0](https://github.com/notaryproject/specifications/releases/tag/v1.1.0), [notation v1.1.0](https://github.com/notaryproject/notation/releases/tag/v1.1.0), [notation-go v1.1.0](https://github.com/notaryproject/notation-go/releases/tag/v1.1.0), and [notation-core-go v1.0.2](https://github.com/notaryproject/notation-core-go/releases/tag/v1.0.2), [Notation GitHub Actions v1.0.1](https://github.com/notaryproject/notation-action/releases/tag/v1.0.1) which are ready for production use!

Meanwhile, a new library [notation-plugin-framework-go
](https://github.com/notaryproject/notation-plugin-framework-go) released the first release v1.0.0. It contains framework required to create notation plugins as per [Notation Plugin specification](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md).

## Notable Capabilities in this Release

Here are some of the major capabilities and features included in this release.

### Easier plugin management functionalities

Notation has an [extensible design based on a plugin framework](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md). This framework provides plugin interfaces for users and vendors to implement their own integration with key/certificate management solutions or signing services.

In this release, Notation offers Notation plugin management capabilities to simplify the plugin user experience.

- Added new command `notation plugin install`. Users are now able to install a notation plugin directly from a URL or from their file system. Supported plugin installation formats are `.zip`, `.tar.gz`, and single plugin executable file. See an example usage below:

```bash
$ notation plugin install --file <file_path>
```

```bash
$ notation plugin install --sha256sum <digest> --url <HTTPS_URL>
```

- Added new command `notation plugin uninstall`. Users are now able to uninstall a notation plugin by providing the plugin name. See an example usage below:

```bash
notation plugin uninstall <plugin_name>
```

The following plugins have been well tested with Notation plugin commands by Notary Project maintainers:

- [AWS Signer plugin for Notation](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html)
- [Azure Key Vault for Notation](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push)
- [Venafi CodeSign Protect Signing Plugin for Notation](https://github.com/Venafi/notation-venafi-csp)

### Specifications

For plugin vendors who want to package and distribute a Notation plugin, [Notation Plugin specification](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md) defines the plugin conventions to ensure plugins are delivered in a consistent format and compatible with `notation plugin` management commands.

### Get started with Notation v1.1.0

You can follow this [quick start](https://notaryproject.dev/docs/quickstart/) to try Notation v1.1.0 on your terminal.

The default Notation CLI setup action in Notation GitHub Actions has also been updated to v1.1.0. It enables users to install Notation and its plugin, sign and verify OCI artifacts in GitHub Actions workflow with ease.

To get started with Notation v1.1.0 in a CI/CD workflow, you can find the Notation GitHub Actions in the [Marketplace](https://github.com/marketplace/actions/notation-actions).

## What's next

The Notary Project maintainers are considering the following features for future milestones. Feel free to reach out on the [Slack channel](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/) or [GitHub issues](https://github.com/notaryproject/notation/issues) to ask questions, provide feedback, or share ideas.

- Sign and verify arbitrary blobs
- Timestamping support
- Improve error messages and verbose logs

And more!

## Acknowledgements

The Notary Project release team wants to thank the entire Notary Project community for all the activity and engagement that has been vital for helping the project grow and reach this major milestone.
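Review bot: the URL install example (`notation plugin install --sha256sum <digest> --url <HTTPS_URL>`) is the line readers will copy, and the post never says what the digest is for; add a sentence that the downloaded archive is checked against `--sha256sum` and that the value must be taken from the plugin vendor's release page, not computed from the archive that was just downloaded, otherwise the check proves nothing. Smaller points in the same hunk: the release list in the opening paragraph runs "notation-core-go v1.0.2, [Notation GitHub Actions v1.0.1] which are ready" and needs an "and" before the last item plus a comma before "which"; the link text for notation-plugin-framework-go is split across a line break ("[notation-plugin-framework-go" / "](https://...)") and should be on one line, with "released the first release v1.0.0" tightened to "has published its first release, v1.0.0" and "It contains framework required" to "It contains the framework required"; and the shell examples mix a `$ ` prompt (install) with none (uninstall), so pick one.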
18 changes: 18 additions & 0 deletions content/en/blog/2024/bitnami-using-notation.md
@@ -0,0 +1,18 @@
---
title: Bitnami now uses Notation for signing and verifying containers and Helm charts on Docker Hub
author: Beltran Rueda
date: 2024-03-18
draft: false
---

Bitnami-packaged open source software container images and Helm charts [available in DockerHub](https://hub.docker.com/u/bitnami) are now signed by [Notation](https://github.com/notaryproject/notation).

[Bitnami](https://bitnami.com) provides the latest versions of pre-packaged, hardened, ready-to-deploy open source software application packages that enable developers to hit the ground running when building new applications and services on any platform. Bitnami open source software packages are highly popular with developers with over 500 million pulls per month and over 2 billion computer hours per year. This strong developer community of Bitnami has leveraged its robust application catalog to build millions of applications for almost 20 years now.

In December 2023, [we announced](https://tanzu.vmware.com/content/tanzu-application-catalog-resources/tanzu-application-catalog-leverages-notation) that Tanzu Application Catalog, the enterprise edition of Bitnami Application Catalog, started making use of Notation as a tool for signing and verifying open container initiative (OCI) artifacts (e.g. container images, Helm charts, and metadata bundles.

Now, we are happy to have extended our collaboration with Notation and announce the extension of this capability to the community edition of Bitnami-packaged container images and Helm charts in DockerHub as well.

To know more about the benefits that the Bitnami users stand to enjoy with this integration and to learn how to verify the signature of a Bitnami-package, check out [this blog](https://blog.bitnami.com/2024/03/bitnami-packaged-containers-and-helm.html).

If you are interested in learning more about Tanzu Application Catalog, check out their [product webpage](https://tanzu.vmware.com/application-catalog) and [additional resources](https://tanzu.vmware.com/content/vmware-application-catalog-resources/jun-23-boost-developer-productivity-and-operator-confidence-with-secure-open-source-components).
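Review bot: the third paragraph has an unbalanced parenthesis: "(e.g. container images, Helm charts, and metadata bundles." never closes and should end "metadata bundles)." Also the title says "Docker Hub" while the body says "DockerHub" twice; use one spelling. "a Bitnami-package" in the fourth paragraph should be "a Bitnami package", and "started making use of Notation as a tool for signing" reads better as "started using Notation to sign and verify".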
2 changes: 1 addition & 1 deletion content/en/docs/adopters.md
@@ -21,4 +21,4 @@ All organizations are sorted alphabetically below.
| Ratify | https://ratify.sh/ | Validating OCI Artifact signatures using Notation library |
| Tanzu Application Catalog | https://tanzu.vmware.com/application-catalog | [Sign and Verify OCI artifacts (e.g. Helm charts, container images, and metadata bundles](https://tanzu.vmware.com/content/vmware-application-catalog-resources/tanzu-application-catalog-leverages-notation) |
| Venafi | https://venafi.com/codesign-protect/ | [Sign and Verify container images using Notation and Venafi CodeSign Protect](https://github.com/Venafi/notation-venafi-csp) |

| Nomad Admission Control Proxy | https://github.com/mxab/nacp | [Uses `notation-go` remote verify to validate images when deploying Nomad Jobs](https://github.com/mxab/nacp?tab=readme-ov-file#notation) |
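Review bot: the new "Nomad Admission Control Proxy" row is appended after Venafi, but the hunk's context line states that the table is sorted alphabetically, so the row belongs in the "N" position, before Ratify. While here, the unchanged Tanzu row's link text opens a parenthesis ("(e.g. Helm charts, container images, and metadata bundles") that never closes; worth fixing in the same commit.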
4 changes: 2 additions & 2 deletions content/en/docs/faq.md
@@ -14,7 +14,7 @@ The following registries are compatible with the Notary Project OCI signature sp
- [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry)
- [ORAS Distribution Registry](https://github.com/oras-project/distribution/pkgs/container/registry/64589674?tag=v1.0.0-rc.4)
- [Zot registry](https://zotregistry.io/)

- [Docker Hub](https://hub.docker.com) (via tag fallback schema)

## JWS signature envelope

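Review bot: "(via tag fallback schema)" on the new Docker Hub entry is the only qualifier in this list and it is neither explained nor linked, so a reader cannot tell what differs from the other registries. Say what the fallback means in practice (signatures are stored and looked up under a digest-derived tag instead of through the registry's referrers support, so users will see extra tags in the repository) and link the term to the tag schema definition in the OCI distribution spec, since it affects how signatures are listed and cleaned up on Docker Hub.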
@@ -104,4 +104,4 @@ Below are the frequently asked questions about Notary Project terms. For detaile

**Q: I've heard the term "Notary v2". What does this mean?**

**A:** The term "Notary v2" or "notary v2" was previously used by members of the Notary Project community and others. However, various meanings were ascribed to it, leading to its ambiguous usage with some people referring to it as the entire Notary Project and others as the [Notation CLI](https://github.com/notaryproject/notation). Because of this ambiguity, the term "Notary v2" or "notary v2" is no longer used by the Notary Project community. While the term may still be visible in some articles on the internet, the name "Notary v2" or "notary v2" is only preserved for historical reasons and will not be used by the Notary Project community going forward.
**A:** The term "Notary v2" or "notary v2" was previously used by members of the Notary Project community and others. However, various meanings were ascribed to it, leading to its ambiguous usage with some people referring to it as the entire Notary Project and others as the [Notation CLI](https://github.com/notaryproject/notation). Because of this ambiguity, the term "Notary v2" or "notary v2" is no longer used by the Notary Project community. While the term may still be visible in some articles on the internet, the name "Notary v2" or "notary v2" is only preserved for historical reasons and will not be used by the Notary Project community going forward.
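Review bot: the removed and added answer lines read identically, so this hunk appears to be a whitespace-only change (most likely adding the missing newline at end of file); that is fine, but a word in the commit message would save the next reviewer from diffing the two lines by eye. If the line is being touched anyway, '"Notary v2" or "notary v2"' is repeated three times in one answer; state it once and refer to "the term" afterwards.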
82 changes: 71 additions & 11 deletions content/en/docs/user-guides/how-to/plugin-management.md
@@ -11,22 +11,77 @@ Plugins for `notation` provide functionality and integration with key stores and

## Install a plugin

To install a plugin, download the plugin binary, create a `{plugin-name}` directory in `{NOTATION_LIBEXEC}/plugins/`, and add the plugin binary to that directory. Alternatively, if you are using an application that bundles a plugin and the `notation` binary together, such as [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-prerequisites.html), see the installation instructions from the vendor.
To install a plugin, run the `notation plugin install` command to directly install a plugin either from a URL or from the host file system. This will create a `{plugin-name}` directory in `{NOTATION_LIBEXEC}/plugins/` if the directory does not exist. The supported plugin file formats are `.zip, .tar.gz` and `single plugin executable file`. Alternatively, if you are using an application that bundles a plugin and the `notation` binary together, such as [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-prerequisites.html), see the installation instructions from the vendor.

{{% alert title="Warning" color="warning" %}}
Before creating the `{plugin-name}` directory, confirm you are using a name that follows the [naming structure](#plugin-naming-structure) for plugins. Plugins that do not follow the naming structure will not be recognized by `notation`.
{{% /alert %}}

The following example downloads and installs version 0.6.0 of [notation-azure-kv](https://github.com/Azure/notation-azure-kv) plugin for on macOS with Apple Silicon using the default location for the Notation installation.
## Usage

{{% alert title="Warning" color="warning" %}}
The following example only works for version 0.6.0 of the *notation-azure-kv* plugin on macOS with Apple Silicon using the default location for the Notation installation. You will need to update the filenames, location, and commands for other plugins, versions, and platforms. For more details on the default location of that directory on each platform, see [Notation directory structure for system configuration]({{< ref "/docs/user-guides/how-to/directory-structure.md" >}}).
### Install a plugin from file system:

`notation plugin install --file <file_path>`

### Install a plugin from URL:

`notation plugin install --sha256sum <digest> --url <HTTPS_URL>`

{{% alert title="plugin" color="info" %}}
The following examples show how to install each plugin on a Linux AMD64 machine. To install a plugin on other operating systems and architectures, please get the URL or plugin binary file from plugin vendors' website.
{{% /alert %}}

## Install Notation AWS Signer plugin

To find out more about the AWS Signer plugin, please refer to their official [documentation](https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-prerequisites.html).

### Install from file system

```console
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip

notation plugin install --file notation-aws-signer-plugin.zip
Successfully installed plugin com.amazonaws.signer.notation.plugin, version 1.0.298
```
Upon successful execution, the plugin is copied to Notation's plugin directory.

## Install Notation Azure Key Vault Plugin (v1.0.2)

To find out more about the Azure Key Vault Plugin, please refer to this [GitHub repository](https://github.com/Azure/notation-azure-kv).

### Install from URL:

```console
notation plugin install --url https://github.com/Azure/notation-azure-kv/releases/download/v1.0.2/notation-azure-kv_1.0.2_linux_amd64.tar.gz --sha256sum f2b2e131a435b6a9742c202237b9aceda81859e6d4bd6242c2568ba556cee20e

Downloading plugin from https://github.com/Azure/notation-azure-kv/releases/download/v1.0.2/notation-azure-kv_1.0.2_linux_amd64.tar.gz
Download completed
Successfully installed plugin azure-kv, version 1.0.2
```

### Install from local file:

```console
notation plugin install --file notation-azure-kv_1.0.2_linux_amd64.tar.gz
Successfully installed plugin azure-kv, version 1.0.2
```

## Install Notation Venafi Plugin (v0.3.0)

To find out more about the Venafi Plugin, please refer to this [GitHub repository](https://github.com/Venafi/notation-venafi-csp).

### Install from URL:

```console
curl -Lo notation-azure-kv_0.6.0_darwin_arm64.tar.gz "https://github.com/Azure/notation-azure-kv/releases/download/v0.6.0/notation-azure-kv_0.6.0_darwin_arm64.tar.gz"
mkdir -p ~/Library/Application\ Support/notation/plugins/azure-kv
tar xvzf notation-azure-kv_0.6.0_darwin_arm64.tar.gz -C ~/Library/Application\ Support/notation/plugins/azure-kv notation-azure-kv
notation plugin install --url https://github.com/Venafi/notation-venafi-csp/releases/download/v0.3.0/notation-venafi-csp-linux-amd64.tar.gz --sha256sum 03771794643f18c286b6db3a25a4d0b8e7c401e685b1e95a19f03c9356344f5a
Successfully installed plugin venafi-csp, version 0.3.0-release
```

### Install from local file:

```console
notation plugin install --file notation-venafi-csp-linux-amd64.tar.gz
Successfully installed plugin venafi-csp, version 0.3.0-release
```

To confirm you plugin is installed, run `notation plugin list`. For example:
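Review bot: the AWS Signer example under "Install from file system" (`wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip` followed by `notation plugin install --file notation-aws-signer-plugin.zip`) is the only install path on this page with no integrity check: the archive comes from an unversioned `latest` path and `--file` installs whatever is on disk, whereas the Azure Key Vault and Venafi examples both pin a `--sha256sum`. Either show the `--url --sha256sum` form here with a vendor-published digest, or add a sentence telling the reader to verify the archive against a checksum from the AWS Signer documentation (if AWS publishes one) before running `--file`, and say that the version printed (1.0.298) will change as `latest` moves. Other points in this hunk: the retained Warning block ("Before creating the `{plugin-name}` directory ...") still describes manual directory creation, which the new install paragraph says the command now does for you, so reword it as a naming note or drop it; the alert titled "plugin" wants a title such as "Note"; "## Usage" and the per-plugin "## Install ..." headings are at the same level as "## Install a plugin" although they are its sub-sections; "Install a plugin from file system:" and "from URL:" end with colons while "Install from file system" does not; and the backticks in "`.zip, .tar.gz` and `single plugin executable file`" should wrap the two extensions separately, not the prose. The unchanged line "To confirm you plugin is installed" has a typo ("your") worth fixing in passing.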
@@ -40,14 +95,19 @@ Confirm the plugin is listed in the output. For example:
```console
$ notation plugin list
NAME DESCRIPTION VERSION CAPABILITIES ERROR
azure-kv Sign artifacts with keys in Azure Key Vault 0.6.0 [SIGNATURE_GENERATOR.RAW] <nil>
com.amazonaws.signer.notation.plugin AWS Signer plugin for Notation 1.0.290 [SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK] <nil>
venafi-csp Sign artifacts with keys in Venafi CodeSign Protect 0.2.0-release [SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK] <nil>


azure-kv Sign artifacts with keys in Azure Key Vault 1.0.2 [SIGNATURE_GENERATOR.RAW] <nil>
com.amazonaws.signer.notation.plugin AWS Signer plugin for Notation 1.0.298 [SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK] <nil>
venafi-csp Sign artifacts with keys in Venafi CodeSign Protect 0.3.0-release [SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK] <nil>
```
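Review bot: the updated `notation plugin list` output is the right place for one sentence on the CAPABILITIES column, which the page never explains although it matters for verification: azure-kv lists only `SIGNATURE_GENERATOR.RAW`, while the AWS Signer and Venafi plugins also list `SIGNATURE_VERIFIER.TRUSTED_IDENTITY` and `SIGNATURE_VERIFIER.REVOCATION_CHECK`, so only the latter two take part in trusted-identity and revocation checks during `notation verify`; a trust policy that expects plugin-side verification behaves differently with each. Also, the AWS version shown (1.0.298) comes from the `latest` download above and will go stale; mark that output as illustrative rather than pinning a number.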

## Uninstall a plugin
To uninstall a plugin, use `notation plugin uninstall`.

To remove a plugin, delete the entire `{NOTATION_LIBEXEC}/plugins/{plugin-name}/` directory.
```console
notation plugin uninstall <plugin_name>
```

To confirm your plugin is uninstalled, run `notation plugin list`. For example:

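Review bot: `notation plugin uninstall <plugin_name>` should say where `<plugin_name>` comes from: it is the NAME column of `notation plugin list` (for example `com.amazonaws.signer.notation.plugin`), not the archive name such as `notation-aws-signer-plugin.zip`. The deleted sentence about removing `{NOTATION_LIBEXEC}/plugins/{plugin-name}/` is still useful as the fallback for plugins that were dropped in by a vendor bundle (the install section above still sends those users to vendor instructions) and for cleaning up after a failed uninstall; keep it as a second paragraph rather than dropping it.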
2 changes: 1 addition & 1 deletion content/en/docs/user-guides/installation/cli.md
@@ -2,7 +2,7 @@
title: Install the notation CLI
description: Install the notation CLI on Linux, macOS, and Windows
weight: 1
cliVer : 1.0.1
cliVer : 1.1.0
---

## Download and install the CLI for Linux
2 changes: 1 addition & 1 deletion layouts/partials/banner.html
@@ -1,6 +1,6 @@
<section class="news is-medium flex justify-center">
<p class="is-size-3-mobile">
<a href="https://github.com/notaryproject/notation/releases/tag/v1.0.1" class="banner-link">Notation v1.0.1 is available</a>
<a href="https://github.com/notaryproject/notation/releases/tag/v1.1.0" class="banner-link">Notation v1.1.0 is available</a>
<span>
{{ $rocketIcon := resources.Get "icons/rocket-icon.svg" }}
<img

0 comments on commit b9738c5