Releases: notaryproject/notation-go
Releases · notaryproject/notation-go
v1.0.0-rc.6
What's Changed
- chore: running some chores for notation-go by @Two-Hearts in #311
- build(deps): bump github.com/veraison/go-cose from 1.0.0 to 1.1.0 by @dependabot in #312
- chore: update account info for Patrick Zheng by @yizha1 in #310
- fix: added digest check on verify by @Two-Hearts in #313
- fix: updated error message of errExceededMaxVerificationLimit by @Two-Hearts in #314
- fix: add digest check for Sign by @byronchien in #317
- update: bump up dependencies by @Two-Hearts in #318
- feat: add validations for symlink by @priteshbandi in #316
Full Changelog: v1.0.0-rc.5...v1.0.0-rc.6
Contributors
priteshbandi, byronchien, and 3 other contributors
Assets 2
v1.0.0-rc.5
What's Changed
- build(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 by @dependabot in #304
- build: bump image-spec to v1.1.0-rc.3 and oras-go to v2.1.0 by @shizhMSFT in #306
- update: removed Sign with OCI artifact manifest by @Two-Hearts in #308
- build(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 by @dependabot in #309
New Contributors
- @Two-Hearts made their first contribution in #308
Full Changelog: v1.0.0-rc.4...v1.0.0-rc.5
Contributors
dependabot, shizhMSFT, and Two-Hearts
Assets 2
v1.0.0-rc.4
What's Changed
- Added CODEOWNERS and MAINTAINERS files by @toddysm in #272
- fix: fix the CODEOWNERS format issue by @yizha1 in #280
- update: improve missing trustpolicy error message by @kody-kimberl in #282
- fix: don't add user-metadata to manifest's subject annotations by @priteshbandi in #290
- build(deps): bump oras.land/oras-go/v2 from 2.0.0 to 2.0.2 by @dependabot in #291
- build(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 by @dependabot in #283
- chore: update err msg for policy verification by @qweeah in #294
- chore: updated to go 1.19 by @patrickzheng200 in #297
- build(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 by @dependabot in #299
- feat: add local sign/verification for OCI layout directory by @patrickzheng200 in #288
- fix: added truststore.ValidateCerts by @patrickzheng200 in #285
- feat: adding OCSP revocation checks to Verify by @kody-kimberl in #295
- chore: Updating notation-core-go dependency to rc.3 by @priteshbandi in #302
New Contributors
- @toddysm made their first contribution in #272
- @kody-kimberl made their first contribution in #282
- @qweeah made their first contribution in #294
Full Changelog: v1.0.0-rc.2...v1.0.0-rc.4
Contributors
toddysm, qweeah, and 5 other contributors
Assets 2
v1.0.0-rc.3
What's Changed
- build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.5 to 2.0.0-rc.6 by @dependabot in #234
- update: logs and error messages by @patrickzheng200 in #235
- Fix error message by @priteshbandi in #236
- doc: add examples for sign and verify by @patrickzheng200 in #238
- feat: support OCI image manifest by @patrickzheng200 in #241
- build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.6 to 2.0.0 by @dependabot in #248
- build(deps): bump github.com/veraison/go-cose from 1.0.0-rc.2 to 1.0.0 by @dependabot in #247
- chore: logs and tests clean-up by @patrickzheng200 in #256
- feat: plugin version comparison functionality by @iamjesh in #237
- feat!: add signingkeys.json validation check by @priteshbandi in #246
- Adds more unit test for keys.go by @priteshbandi in #268
- fix: Appends annotations returned by plugin to signature manifest's annotations by @priteshbandi in #262
- Update: added ErrorPushSignatureFailed by @patrickzheng200 in #271
- feat: add support for signed user metadata by @byronchien in #242
- Create config with user only permission by @priteshbandi in #269
- chore: clean up comments format and removed unused code by @patrickzheng200 in #273
- build(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 by @dependabot in #277
- fix: add check for unsupported subject fields by @byronchien in #275
- bump: update notation-core-go dependency by @priteshbandi in #278
New Contributors
- @iamjesh made their first contribution in #237
- @byronchien made their first contribution in #242
Full Changelog: v1.0.0-rc.1...v1.0.0-rc.3
Contributors
priteshbandi, byronchien, and 3 other contributors
Assets 2
v1.0.0-rc.2
Deprecated: Please DONOT use this version, instead use v1.0.0-rc.3. rc.3 contains all changes of rc.2.
What's Changed
- build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.5 to 2.0.0-rc.6 by @dependabot in #234
- update: logs and error messages by @patrickzheng200 in #235
- Fix error message by @priteshbandi in #236
- doc: add examples for sign and verify by @patrickzheng200 in #238
- feat: support OCI image manifest by @patrickzheng200 in #241
- build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.6 to 2.0.0 by @dependabot in #248
- build(deps): bump github.com/veraison/go-cose from 1.0.0-rc.2 to 1.0.0 by @dependabot in #247
- chore: logs and tests clean-up by @patrickzheng200 in #256
- feat: plugin version comparison functionality by @iamjesh in #237
- feat!: add signingkeys.json validation check by @priteshbandi in #246
- Adds more unit test for keys.go by @priteshbandi in #268
- fix: Appends annotations returned by plugin to signature manifest's annotations by @priteshbandi in #262
- Update: added ErrorPushSignatureFailed by @patrickzheng200 in #271
- feat: add support for signed user metadata by @byronchien in #242
- Create config with user only permission by @priteshbandi in #269
- chore: clean up comments format and removed unused code by @patrickzheng200 in #273
- build(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 by @dependabot in #277
- fix: add check for unsupported subject fields by @byronchien in #275
- bump: update notation-core-go dependency by @priteshbandi in #278
New Contributors
- @iamjesh made their first contribution in #237
- @byronchien made their first contribution in #242
Full Changelog: v1.0.0-rc.1...v1.0.0-rc.2
Contributors
priteshbandi, byronchien, and 3 other contributors
Assets 2
v1.0.0-rc.1
Notices
- BREAKING CHANGE:
notation-go v1.0.0-rc.1is not compatible with signatures signed by previous Notation releases. - BREAKING CHANGE:
artifactTypein signature manifest is changed toapplication/vnd.cncf.notary.signature - BREAKING CHANGE: Only support registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
New Features
- Store signatures using OCI Artifact Manifest associated with signing artifacts in the registries compliant with the OCI 1.1.0-rc2 image spec and OCI 1.1.0-rc1 distribution spec
- Refactored API to incorporate local verification
- Added logger package to enable logging
Other changes
- New API design
Detailed Commits
- refactor: dir package [1] by @JeyJeyGao in #179
- Remove plugin name and version from ProcessedAttributes response from… by @rgnote in #183
- refactor: config package by @JeyJeyGao in #182
- Fix VerifySignature command json marshaling by @rgnote in #188
- update: Package registry refactoring by @patrickzheng200 in #190
- feat: Added trustpolicy and truststore packages under verification by @patrickzheng200 in #192
- refactor: plugin package by @JeyJeyGao in #184
- fix: dir package userConfigDir typo by @JeyJeyGao in #196
- update: Package notation refactoring by @patrickzheng200 in #191
- refactor: update plugin for notation package by @JeyJeyGao in #199
- update: Package verification refactoring by @patrickzheng200 in #186
- feat: Added log package by @patrickzheng200 in #202
- update: updated verifier design by @patrickzheng200 in #206
- update: Package signature refactoring by @patrickzheng200 in #200
- update: upgraded to oras-go v2.0.0-rc.5 by @patrickzheng200 in #209
- update: replaced strings.Index with strings.Cut by @patrickzheng200 in #211
- Add: added set data structure by @patrickzheng200 in #210
- fix: update plugin to add ContractVersion by @JeyJeyGao in #207
- update: check SignatureMediaType in notation.Verify by @patrickzheng200 in #208
- Use minimum(user only) file permissions by @priteshbandi in #216
- update: bump up dependencies by @patrickzheng200 in #219
- feat: added tag reference log for notation.Sign and notation.Verify by @patrickzheng200 in #223
- Pass expiry to envelope-generator plugin by @priteshbandi in #222
- feat: add required log by @JeyJeyGao in #221
- Add additional header validation for payload by @jondonas in #178
- fix: optimize verification level skip check by @JeyJeyGao in #226
- update: bump up notation-core-go in notation-go by @patrickzheng200 in #227
- Improving debug log for plugin by @priteshbandi in #228
- fix: updated notation artifact type to application/vnd.cncf.notary.signature by @patrickzheng200 in #231
- build: bump up versions for rc.1 release by @yizha1 in #232
Full Changelog: v0.12.0-beta.1...v1.0.0-rc.1
Contributors
rgnote, priteshbandi, and 4 other contributors
Assets 2
v0.12.0-beta.1
What's Changed
- feat: add envelope type config by @JeyJeyGao in #159
- update: clean up main branch by @patrickzheng200 in #172
- update: further clean up on notation-go by @patrickzheng200 in #173
- fix: rename envelopeType to signatureFormat by @JeyJeyGao in #175
- update: bump up notation-core-go by @patrickzheng200 in #177
- updating notation-core-go to v0.2.0-beta.1 by @priteshbandi in #180
Full Changelog: v0.11.0-alpha.4...v0.12.0-beta.1
Contributors
priteshbandi, JeyJeyGao, and patrickzheng200
Assets 2
v0.11.0-alpha.4
New features
- Plugin integration with verification workflow
- Update go library
- Support COSE envelope
Bug fixes
- fix the certs validation in trust store by @binbin-li in #147
- fix the certs validation in trust store by @priteshbandi in #151
Other changes
- Refactor to support new signature interface
Detail Commits
- Plugin integration with verification workflow by @rgnote in #101
- feat: update to go 1.18 by @JeyJeyGao in #124
- Bump oras.land/oras-go/v2 from 2.0.0-rc.2 to 2.0.0-rc.3 by @dependabot in #135
- fix: fix the certs validation in trust store by @binbin-li in #147
- fix the certs validation in trust store by @priteshbandi in #151
- refactor: refactor pluginSigner to support new signature interface by @chloeyin in #131
- refactor: support cose envelope by @chloeyin in #146
- build: bump dependencies by @yizha1 in #165
New Contributors
Full Changelog: v0.10.0-alpha.3...v0.11.0-alpha.4
Contributors
rgnote, binbin-li, and 5 other contributors
Assets 2
v0.10.0-alpha.3
New Features:
- Implement basic signature verification
- Implement Notation directory structure
- Add config package & optimize directory package
- Add support for trust store parsing
Bug Fixes
- Fix #104: optimizes directory package
- Fix #58: trust store test issue on Windows
- Fix #98: fix hash function name according to the plugin spec
Other Changes:
- Add unit tests
- Add CodeQL security scanning
- Refactor registry interface
Detail Commits
- Add support for trust store parsing by @rgnote in #44
- Add GetApplicableTrustPolicy function by @rgnote in #51
- Verify X509 trusted identities by @rgnote in #54
- Fix trust store tests issue on Windows by @rgnote in #58
- Add CodeQL Security Scanning by @Wwwsylvia in #56
- feat: move pkg/registry from notaryproject/notation by @binbin-li in #63
- Add SignatureVerificationLevel type by @rgnote in #55
- chore: move registry directory under root by @binbin-li in #64
- refactor: refactor registry interface by @binbin-li in #67
- Bump github.com/golang-jwt/jwt/v4 from 4.4.1 to 4.4.2 by @dependabot in #68
- Bump actions/cache from 3.0.2 to 3.0.4 by @dependabot in #53
- Run unit tests in Github workflow by @Wwwsylvia in #60
- add to project template by @dtzar in #66
- Verification helpers by @rgnote in #72
- Refactor to use notation-core-go's SignatureEnvelope by @priteshbandi in #77
- Add command shapes for verify-signature and get-plugin-metadata by @jondonas in #76
- Implementing Notation directory structure by @JeyJeyGao in #73
- feat: Use PackArtifact to push signature manifest by @binbin-li in #87
- Migrate to codecov.io by @junczhuMSFT in #92
- resolving remote signature envelope digest as blob instead of manifest by @patrickzheng200 in #89
- Add more badges to README.md by @shizhMSFT in #94
- feat: add config package & optimize dir package by @JeyJeyGao in #90
- Basic Signature Verification by @rgnote in #79
- Implement custom signature verification level by @rgnote in #84
- Use Notation's PathManager in verification workflow by @rgnote in #100
- hash name fix by @chloeyin in #98
- test: add registry unit test by @binbin-li in #96
- Updates based on signing scheme update in notation-go-core by @priteshbandi in #85
- fix: dir package optimize by @JeyJeyGao in #104
- Bump github.com/go-ldap/ldap/v3 from 3.4.3 to 3.4.4 by @dependabot in #97
- build: bump dependencies by @shizhMSFT in #112
New Contributors
- @Wwwsylvia made their first contribution in #56
- @binbin-li made their first contribution in #63
- @dtzar made their first contribution in #66
- @priteshbandi made their first contribution in #77
- @jondonas made their first contribution in #76
- @JeyJeyGao made their first contribution in #73
- @junczhuMSFT made their first contribution in #92
- @patrickzheng200 made their first contribution in #89
Full Changelog: v0.9.0-alpha.1...v0.10.0-alpha.3
Contributors
dtzar, rgnote, and 10 other contributors
Assets 2
v0.9.0-alpha.1
Documentation 📘
notation-go provides the libraries for notation sign|push|validate capabilities. The notation CLI is implemented based on notation-go. However, notation-go may be used in other CLIs.
What's Changed
- Implement generate-envelope workflow #47 by @qmuntal
- Add more validations to trust-policy parsing #43 by @rgnote
- Implement built-in JWS signer in terms of an in-process plugin #46 by @qmuntal
- Implement generate signature plugin workflow #42 by @qmuntal
- Load and Validate Trust policy documents #39 by @rgnote
- Implement plugin manager #37 by @qmuntal
Dependency updates via dependabot
New Contributors
- Special thank you to @qmuntal with first and then numerous contributions after this as noted above.
Full Changelog: v0.8.0-alpha.1...v0.9.0-alpha.1
Contributors
qmuntal and rgnote