v0.6.0
- The project has been moved from https://github.com/docker/notary to https://github.com/theupdateframework/notary, as it has been accepted into the CNCF. Downstream users should update their go imports.
- Removed support for RSA-key exchange ciphers supported by the server and signer and require TLS >= 1.2 for the server and signer. #1307
- `libykcs11` can be found in several additional locations on Fedora. #1286
- If a certificate is used as a delegation public key, notary no longer warns if the certificate has expired, since notary should be relying on the role expiry instead. #1263
- An error is now returned when importing keys if there were invalid PEM blocks. #1260
- Notary server authentication credentials can now be provided as an environment variable `NOTARY_AUTH`, which should contain a base64-encoded "username:password" value. #1246
- Changefeeds are now supported for RethinkDB as well as SQL servers. #1214
- Notary CLI will now time out after 30 seconds if a username and password are not provided when authenticating to a notary server, fixing an issue where scripts for the notary CLI may hang forever. #1200
- Fixed potential race condition in the signer keystore. #1198
- Notary now no longer provides the option to generate RSA keys for a repository, but externally generated RSA keys can still be imported as keys for a repository. #1191
- Fixed bug where the notary client would `ioutil.ReadAll` responses from the server without limiting the size. #1186
- Default notary CLI log level is now `warn`, and if the `-v` option is passed, it is at `info`. #1179
- Example Postgres config now includes an example of mutual TLS authentication between the server/signer and Postgres. #1160 #1163
- Fixed an error where piping the server authentication credentials via STDIN when scripting the notary CLI did not work. #1155
- If the server and signer configurations forget to specify `parseTime=true` when using MySQL, notary server and signer will automatically add the option. #1150
- Custom metadata can now be provided and read on a target when using the notary client as a library (not yet exposed on the CLI). #1146
- `notary init` now accepts a `--root-cert` and `--root-key` flag for use with privately generated certificates and keys. #1144
- `notary key generate` now accepts a `--role` flag as well as a `--output` flag. This means it can generate new targets or delegation keys, and it can also output keys to a file instead of storing them in the default notary key store. #1134
- Newly generated keys are now stored encrypted and encoded in PKCS#8 format. This is not forwards-compatible with notary<0.6.0 and docker<17.12.x. Also please note that docker>=17.12.x is not forwards compatible with notary<0.6.0. #1130 #1201
- Added support for wildcarded certificate IDs in the trustpinning configuration. #1126
- Added support for using the client against notary servers which are hosted as a subpath under another server (e.g. https://domain.com/notary instead of https://notary.com). #1108
- If no changes were made to the targets file, you are no longer required to sign the target. #1104
- Added support for wildcard suffixes in root certificate CNs for root keys, so that a single root certificate can be valid for multiple repositories. #1088
- Root key rotations now do not require all previous root keys to sign new root metadata. #942
  - New keys are trusted if the root metadata file specifying the new key was signed by the previous root key/threshold.
  - Root metadata can now be requested by version from the server, allowing clients with older root metadata to validate each new version one by one up to the current metadata.
  - `notary key rotate` now accepts a flag specifying which key to rotate to. #942
- Refactoring of the client to make it easier to use as a library and to inject dependencies:
  - References to GUN have now been changed to "imagename". #1081
  - `NewNotaryRepository` can now be provided with a remote store and changelist, as opposed to always constructing its own. #1094
  - If needed, the notary repository will be initialized first when publishing. #1105
  - `NewNotaryRepository` now requires a non-nil cache store. #1185
  - The "No valid trust data" error is now typed. #1212
  - `TUFClient` was previously mistakenly exported, and is now unexported. #1215
  - The notary client now has a `Repository` interface type to standardize `client.NotaryRepository`. #1220
  - The constructor functions `NewFileCachedNotaryRepository` and `NewNotaryRepository` have been renamed, respectively, to `NewFileCachedRepository` and `NewRepository` to reduce redundancy. #1226
  - `NewRepository` returns an interface as opposed to the concrete type `NotaryRepository` it previously did. `NotaryRepository` is also now an unexported concrete type. #1226
  - Key import/export logic has been moved from the `utils` package to the `trustmanager` package. #1250
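The #1186 fix above concerns a client that read server responses with `ioutil.ReadAll` and no size cap, so a misbehaving or malicious server could make the client buffer an unbounded body. This added Go example (not notary's own code; `ReadBounded`, `ErrResponseTooLarge` and the tiny cap are assumptions for illustration) shows the bounded read, including the boundary case of a body that is exactly at the limit:

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrResponseTooLarge is returned when a response body exceeds the cap.
var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// ReadBounded reads a body of at most maxBytes from r. It asks for one byte
// more than the cap so a body that is exactly maxBytes long is accepted while
// a longer one is rejected outright rather than silently truncated, which
// would otherwise hand a truncated metadata file to the parser.
func ReadBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return buf, nil
}

func main() {
	// Cap is deliberately tiny here (assumption for the demo); a real client
	// sizes the limit for the largest legitimate metadata file.
	const maxBody = 32
	body, err := ReadBounded(strings.NewReader(`{"signed":{"_type":"root"}}`), maxBody)
	fmt.Printf("%s %v\n", body, err)
	// Constructed oversized response: rejected after reading only maxBody+1 bytes.
	_, err = ReadBounded(strings.NewReader(strings.Repeat("A", 1<<20)), maxBody)
	fmt.Println(err)
}
```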
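The #942 items above describe root rotation where each new root version is trusted because the previous root's key/threshold signed it, and a client with old root metadata fetches versions one by one. This added Go example (a simplified model, not notary's implementation; `RootVersion`, `countValidSigs` and `ValidateRootChain` are constructed names, with key IDs standing in for real signatures) walks such a chain and also enforces the TUF requirement that each version be signed by a threshold of its own keys:

```go
package main

import "fmt"

// RootVersion models one version of TUF root metadata (constructed for this
// example): declared root key IDs, signature threshold, and who signed it.
type RootVersion struct {
	Version   int
	Keys      []string
	Threshold int
	SignedBy  []string
}

// countValidSigs counts distinct signing keys that appear in trustedKeys, so
// one key signing twice is counted once.
func countValidSigs(signedBy, trustedKeys []string) int {
	trusted := map[string]bool{}
	for _, k := range trustedKeys {
		trusted[k] = true
	}
	seen := map[string]bool{}
	for _, k := range signedBy {
		if trusted[k] {
			seen[k] = true
		}
	}
	return len(seen)
}

// ValidateRootChain walks from the root the client already trusts through
// each later version in order. A version is accepted only if it is signed by
// a threshold of the previous version's keys (old keys hand trust forward) and
// by a threshold of its own keys (the TUF spec's self-signing requirement).
func ValidateRootChain(trusted RootVersion, chain []RootVersion) (RootVersion, error) {
	cur := trusted
	for _, next := range chain {
		if next.Version != cur.Version+1 {
			return cur, fmt.Errorf("root %d out of order, expected %d", next.Version, cur.Version+1)
		}
		if countValidSigs(next.SignedBy, cur.Keys) < cur.Threshold {
			return cur, fmt.Errorf("root %d lacks threshold of version %d keys", next.Version, cur.Version)
		}
		if countValidSigs(next.SignedBy, next.Keys) < next.Threshold {
			return cur, fmt.Errorf("root %d lacks threshold of its own keys", next.Version)
		}
		cur = next
	}
	return cur, nil
}
```

On failure the function returns the last version that did validate, so a client can keep that as its trusted root rather than discarding progress.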
SHA256
cross/notary-Darwin-amd64 a58af6a845160d36c650a6d4441ed76d4ca7776a6676bfc5a54658bb275fad8d
cross/notary-Linux-amd64 f4e421b3bb3c32c39372f7f02fbe80c67580cccd381f9722b1c702b3ab63a1c7
cross/notary-Windows-amd64.exe 9f5e419adbeb19c655f3229ecc5922fe2934b0098d6207089baa679f64949787