Skip to content

v0.6.0

Compare
Choose a tag to compare
@cyli cyli released this 01 Mar 00:22
· 285 commits to master since this release

v0.6.0

  • The project has been moved from https://github.com/docker/notary to https://github.com/theupdateframework/notary, as it has been accepted into the CNCF. Downstream users should update their go imports.
  • Removed support for RSA-key exchange ciphers supported by the server and signer and require TLS >= 1.2 for the server and signer. #1307
  • libykcs11 can be found in several additional locations on Fedora. #1286
  • If a certificate is used as a delegation public key, notary no longer warns if the certificate has expired, since notary should be relying on the role expiry instead. #1263
  • An error is now returned when importing keys if there were invalid PEM blocks. #1260
  • Notary server authentication credentials can now be provided as an environment variable NOTARY_AUTH, which should contain a base64-encoded "username:password" value. #1246
  • Changefeeds are now supported for RethinkDB as well as SQL servers. #1214
  • Notary CLI will now time out after 30 seconds if a username and password are not provided when authenticating to anotary server, fixing an issue where scripts for the notary CLI may hang forever. #1200
  • Fixed potential race condition in the signer keystore. #1198
  • Notary now no longer provides the option to generate RSA keys for a repository, but externally generated RSA keys can still be imported as keys for a repository. #1191
  • Fixed bug where the notary client would ioutil.ReadAll responses from the server without limiting the size. #1186
  • Default notary CLI log level is now warn, and if the -v option is passed, it is at info. #1179
  • Example Postgres config now includes an example of mutual TLS authentication between the server/signer and Postgres. #1160 #1163
  • Fixed an error where piping the server authentication credentials via STDIN when scripting the notary CLI did not work. #1155
  • If the server and signer configurations forget to specify parseTime=true when using MySQL, notary server and signer will automatically add the option. #1150
  • Custom metadata can now be provided and read on a target when using the notary client as a library (not yet exposed on the CLI). #1146
  • notary init now accepts a --root-cert and --root-key flag for use with privately generated certificates and keys. #1144
  • notary key generate now accepts a --role flag as well as a --output flag. This means it can generate new targets or delegation keys, and it can also output keys to a file instead of storing it in the default notary key store. #1134
  • Newly generated keys are now stored encrypted and encoded in PKCS#8 format. This is not forwards-compatible against notary<0.6.0 and docker<17.12.x. Also please note that docker>=17.12.x is not forwards compatible with notary<0.6.0.. #1130 #1201
  • Added support for wildcarded certificate IDs in the trustpinning configuration #1126
  • Added support using the client against notary servers which are hosted as subpath under another server (e.g. https://domain.com/notary instead of https://notary.com) #1108
  • If no changes were made to the targets file, you are no longer required to sign the target #1104
  • Added support for wildcard suffixes for root certificates CNs for root keys, so that a single root certificate would be valid for multiple repositories #1088
  • Root key rotations now do not require all previous root keys sign new root metadata. #942.
    • New keys are trusted if the root metadata file specifying the new key was signed by the previous root key/threshold
    • Root metadata can now be requested by version from the server, allowing clients with older root metadata to validate each new version one by one up to the current metadata
  • notary key rotate now accepts a flag specifying which key to rotate to #942
  • Refactoring of the client to make it easier to use as a library and to inject dependencies:
    • References to GUN have now been changed to "imagename". #1081
    • NewNotaryRepository can now be provided with a remote store and changelist, as opposed to always constructing its own. #1094
    • If needed, the notary repository will be initialized first when publishing. #1105
    • NewNotaryReository now requires a non-nil cache store. #1185
    • The "No valid trust data" error is now typed. #1212
    • TUFClient was previously mistakenly exported, and is now unexported. #1215
    • The notary client now has a Repository interface type to standardize client.NotaryRepository. #1220
    • The constructor functions NewFileCachedNotaryRepository and NewNotaryRepository have been renamed, respectively, to NewFileCachedRepository and NewRepository to reduce redundancy. #1226
    • NewRepository returns an interface as opposed to the concrete type NotaryRepository it previously did. NotaryRepository is also now an unexported concrete type. #1226
    • Key import/export logic has been moved from the utils package to the trustmanager package. #1250

SHA256

cross/notary-Darwin-amd64            a58af6a845160d36c650a6d4441ed76d4ca7776a6676bfc5a54658bb275fad8d 
cross/notary-Linux-amd64             f4e421b3bb3c32c39372f7f02fbe80c67580cccd381f9722b1c702b3ab63a1c7
cross/notary-Windows-amd64.exe       9f5e419adbeb19c655f3229ecc5922fe2934b0098d6207089baa679f64949787