Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sync changes from main branch to v1.1 branch #406

Closed
wants to merge 11 commits into from
2 changes: 1 addition & 1 deletion CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
# Repo-Level Owners (in alphabetical order). Please note this is only for the notaryproject/notaryproject.dev repo
* @FeynmanZhou @niazfk @iamsamirzon @justincormack @priteshbandi @shizhMSFT @stevelasker @toddysm @vaninrao10 @yizha1 @zr-msft
* @FeynmanZhou @niazfk @iamsamirzon @priteshbandi @shizhMSFT @toddysm @vaninrao10 @yizha1
14 changes: 9 additions & 5 deletions MAINTAINERS
Original file line number Diff line number Diff line change
@@ -1,16 +1,20 @@
# Org-Level Maintainers (in alphabetical order)
# Pattern: [First Name] [Last Name] <[Email Address]> ([GitHub Handle])
Justin Cormack <[email protected]> (@justincormack)
Niaz Khan <[email protected]> (@niazfk)
Pritesh Bandi <[email protected]> (@priteshbandi)
Shiwei Zhang <[email protected]> (@shizhMSFT)
Steve Lasker <[email protected]> (@stevelasker)
Toddy Mladenov <[email protected]> (@toddysm)
Vani Rao <[email protected]> (@vaninrao10)
Yi Zha <[email protected]> (@yizha1)

# Repo-Level Maintainers (in alphabetical order)
# Note: This is for the notaryproject/notaryproject.dev repo
Feynman Zhou <[email protected]> (@FeynmanZhou)
Samir Kakkar <[email protected]> (@iamsamirzon)
Vani Rao <[email protected]> (@vaninrao10)
Yi Zha <[email protected]> (@yizha1)
Zach Rhoads <[email protected]> (@zr-msft)

# Emeritus Org Maintainers (in alphabetical order)
Justin Cormack <[email protected]> (@justincormack)
Steve Lasker <[email protected]> (@stevelasker)

# In memoriam
Zach Rhoads <[email protected]> (@zr-msft)
69 changes: 69 additions & 0 deletions content/en/blog/2024/announcing-notation-v1-1.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
---
title: Notary Project announces Notation v1.1.0!
author: "Notary Project Release Team"
date: 2024-02-08
draft: false
---

The Notary Project maintainers are proud to announce new releases for its sub-projects, including [Notary Project specifications v1.1.0](https://github.com/notaryproject/specifications/releases/tag/v1.1.0), [notation v1.1.0](https://github.com/notaryproject/notation/releases/tag/v1.1.0), [notation-go v1.1.0](https://github.com/notaryproject/notation-go/releases/tag/v1.1.0), and [notation-core-go v1.0.2](https://github.com/notaryproject/notation-core-go/releases/tag/v1.0.2), [Notation GitHub Actions v1.0.1](https://github.com/notaryproject/notation-action/releases/tag/v1.0.1) which are ready for production use!

Meanwhile, a new library [notation-plugin-framework-go
](https://github.com/notaryproject/notation-plugin-framework-go) released the first release v1.0.0. It contains framework required to create notation plugins as per [Notation Plugin specification](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md).

## Notable Capabilities in this Release

Here are some of the major capabilities and features included in this release.

### Easier plugin management functionalities

Notation has an [extensible design based on a plugin framework](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md). This framework provides plugin interfaces for users and vendors to implement their own integration with key/certificate management solutions or signing services.

In this release, Notation offers Notation plugin management capabilities to simplify the plugin user experience.

- Added new command `notation plugin install`. Users are now able to install a notation plugin directly from a URL or from their file system. Supported plugin installation formats are `.zip`, `.tar.gz`, and single plugin executable file. See an example usage below:

```bash
$ notation plugin install --file <file_path>
```

```bash
$ notation plugin install --sha256sum <digest> --url <HTTPS_URL>
```

- Added new command `notation plugin uninstall`. Users are now able to uninstall a notation plugin by providing the plugin name. See an example usage below:

```bash
notation plugin uninstall <plugin_name>
```

The following plugins have been well tested with Notation plugin commands by Notary Project maintainers:

- [AWS Signer plugin for Notation](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html)
- [Azure Key Vault for Notation](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push)
- [Venafi CodeSign Protect Signing Plugin for Notation](https://github.com/Venafi/notation-venafi-csp)

### Specifications

For plugin vendors who want to package and distribute a Notation plugin, [Notation Plugin specification](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md) defines the plugin conventions to ensure plugins are delivered in a consistent format and compatible with `notation plugin` management commands.

### Get started with Notation v1.1.0

You can follow this [quick start](https://notaryproject.dev/docs/quickstart/) to try Notation v1.1.0 on your terminal.

The default Notation CLI setup action in Notation GitHub Actions has also been updated to v1.1.0. It enables users to install Notation and its plugin, sign and verify OCI artifacts in GitHub Actions workflow with ease.

To get started with Notation v1.1.0 in a CI/CD workflow, you can find the Notation GitHub Actions in the [Marketplace](https://github.com/marketplace/actions/notation-actions).

## What's next

The Notary Project maintainers are considering the following features for future milestones. Feel free to reach out on the [Slack channel](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/) or [GitHub issues](https://github.com/notaryproject/notation/issues) to ask questions, provide feedback, or share ideas.

- Sign and verify arbitrary blobs
- Timestamping support
- Improve error messages and verbose logs

And more!

## Acknowledgements

The Notary Project release team wants to thank the entire Notary Project community for all the activity and engagement that has been vital for helping the project grow and reach this major milestone.
18 changes: 18 additions & 0 deletions content/en/blog/2024/bitnami-using-notation.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
title: Bitnami now uses Notation for signing and verifying containers and Helm charts on Docker Hub
author: Beltran Rueda
date: 2024-03-18
draft: false
---

Bitnami-packaged open source software container images and Helm charts [available in DockerHub](https://hub.docker.com/u/bitnami) are now signed by [Notation](https://github.com/notaryproject/notation).

[Bitnami](https://bitnami.com) provides the latest versions of pre-packaged, hardened, ready-to-deploy open source software application packages that enable developers to hit the ground running when building new applications and services on any platform. Bitnami open source software packages are highly popular with developers with over 500 million pulls per month and over 2 billion computer hours per year. This strong developer community of Bitnami has leveraged its robust application catalog to build millions of applications for almost 20 years now.

In December 2023, [we announced](https://tanzu.vmware.com/content/tanzu-application-catalog-resources/tanzu-application-catalog-leverages-notation) that Tanzu Application Catalog, the enterprise edition of Bitnami Application Catalog, started making use of Notation as a tool for signing and verifying open container initiative (OCI) artifacts (e.g. container images, Helm charts, and metadata bundles.

Now, we are happy to have extended our collaboration with Notation and announce the extension of this capability to the community edition of Bitnami-packaged container images and Helm charts in DockerHub as well.

To know more about the benefits that the Bitnami users stand to enjoy with this integration and to learn how to verify the signature of a Bitnami-package, check out [this blog](https://blog.bitnami.com/2024/03/bitnami-packaged-containers-and-helm.html).

If you are interested in learning more about Tanzu Application Catalog, check out their [product webpage](https://tanzu.vmware.com/application-catalog) and [additional resources](https://tanzu.vmware.com/content/vmware-application-catalog-resources/jun-23-boost-developer-productivity-and-operator-confidence-with-secure-open-source-components).
3 changes: 2 additions & 1 deletion content/en/docs/adopters.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,12 @@ All organizations are sorted alphabetically below.
| Organization | Website | Scenario |
| --- | --- | --- |
| Amazon | https://aws.amazon.com/ | [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-prerequisites.html) |
| Bitnami | https://bitnami.com/ | [Sign and verify containers and Helm charts available in Docker Hub](https://blog.bitnami.com/2024/03/bitnami-packaged-containers-and-helm.html) |
| containerd | http://containerd.io/ | [container image sign and verify with notation tool](https://github.com/containerd/nerdctl/blob/main/docs/notation.md) |
| Harbor | https://goharbor.io/ | [Storage and display Notary Project signature](https://goharbor.io/docs/main/working-with-projects/working-with-images/sign-images/#use-notationexperimental-to-sign-artifacts-with-distribution-spec-v11-mode) |
| Kyverno | https://kyverno.io/ | [Support verifying Notary Project signature](https://kyverno.io/docs/writing-policies/verify-images/notary/) |
| Microsoft | https://www.microsoft.com/ | [Build, sign, and verify container images using Notation and Azure Key Vault](https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push?wt.mc_id=azurelearn_inproduct_oss_notaryproject) |
| Ratify | https://ratify.sh/ | Validating OCI Artifact signatures using Notation library |
| Tanzu Application Catalog | https://tanzu.vmware.com/application-catalog | [Sign and Verify OCI artifacts (e.g. Helm charts, container images, and metadata bundles](https://tanzu.vmware.com/content/vmware-application-catalog-resources/tanzu-application-catalog-leverages-notation) |
| Venafi | https://venafi.com/codesign-protect/ | [Sign and Verify container images using Notation and Venafi CodeSign Protect](https://github.com/Venafi/notation-venafi-csp) |

| Nomad Admission Control Proxy | https://github.com/mxab/nacp | [Uses `notation-go` remote verify to validate images when deploying Nomad Jobs](https://github.com/mxab/nacp?tab=readme-ov-file#notation) |
13 changes: 1 addition & 12 deletions content/en/docs/faq.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,6 @@ type: docs
weight: 7
---

## What registries are compatible with the Notary Project OCI signature specification and its implementation in Notation?

The following registries are compatible with the Notary Project OCI signature specification and its implementation in Notation:

- [Azure Container Registry](https://learn.microsoft.com/azure/container-registry/?wt.mc_id=azurelearn_inproduct_oss_notaryproject)
- [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html)
- [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry)
- [ORAS Distribution Registry](https://github.com/oras-project/distribution/pkgs/container/registry/64589674?tag=v1.0.0-rc.4)
- [Zot registry](https://zotregistry.io/)


## JWS signature envelope

**Q: Why is JWT not used as the signature envelope format?**
Expand Down Expand Up @@ -104,4 +93,4 @@ Below are the frequently asked questions about Notary Project terms. For detaile

**Q: I've heard the term "Notary v2". What does this mean?**

**A:** The term "Notary v2" or "notary v2" was previously used by members of the Notary Project community and others. However, various meanings were ascribed to it, leading to its ambiguous usage with some people referring to it as the entire Notary Project and others as the [Notation CLI](https://github.com/notaryproject/notation). Because of this ambiguity, the term "Notary v2" or "notary v2" is no longer used by the Notary Project community. While the term may still be visible in some articles on the internet, the name "Notary v2" or "notary v2" is only preserved for historical reasons and will not be used by the Notary Project community going forward.
**A:** The term "Notary v2" or "notary v2" was previously used by members of the Notary Project community and others. However, various meanings were ascribed to it, leading to its ambiguous usage with some people referring to it as the entire Notary Project and others as the [Notation CLI](https://github.com/notaryproject/notation). Because of this ambiguity, the term "Notary v2" or "notary v2" is no longer used by the Notary Project community. While the term may still be visible in some articles on the internet, the name "Notary v2" or "notary v2" is only preserved for historical reasons and will not be used by the Notary Project community going forward.
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ docker run -d -p 5001:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true --name regist
If the host port 5001 is already in use, you can use another host port.
{{% /alert %}}

If you want to use Notation with other registries, refer to [which registries are compatible with Notary]({{< ref "/docs/faq#what-registries-are-compatible-with-notary" >}}) for more alternatives. See [Authenticate with OCI-compliant registries]({{< ref "/docs/user-guides/how-to/registry-authentication" >}}) when you log in to another OCI registry.
If you want to use Notation with other registries, refer to [which registries support Notary Project signatures]({{< ref "/docs/registry-support" >}}) for more alternatives. See [Authenticate with OCI-compliant registries]({{< ref "/docs/user-guides/how-to/registry-authentication" >}}) when you log in to another OCI registry.

## Add an image to the OCI-compatible registry

Expand Down
17 changes: 17 additions & 0 deletions content/en/docs/registry-support.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
title: "Registry support"
description: "A list of registries that support Notary Project OCI signatures"
type: docs
weight: 9
---

The following registries, listed in alphabetical order, support Notary Project OCI signatures:

- [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html)
- [Azure Container Registry](https://learn.microsoft.com/azure/container-registry/?wt.mc_id=azurelearn_inproduct_oss_notaryproject)
- [Distribution Distribution](https://github.com/distribution/distribution)
- [Docker Hub](https://hub.docker.com)
- [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry)
- [Harbor](https://goharbor.io/)
- [JFrog Artifactory](https://jfrog.com/artifactory/)
- [Zot registry](https://zotregistry.io/)
Loading
Loading