v1.3.2

Vote PASSED [+4 -0]: #1268

Update

• Dependency updates
• Code and documentation enhancements

What's Changed since v1.3.1

• bump: release v1.3.1 by @Two-Hearts in #1186
• CVE-2025-30204: update golang-jwt by @artem-panchenko in #1249
• backport: from main to release-1.3 branch by @Two-Hearts in #1267

New Contributors

• @artem-panchenko made their first contribution in #1249

Full Changelog: v1.3.1...v1.3.2

v2.0.0-alpha.1

Notation v2.0.0-alpha.1

Breaking Changes

In notation v1.x, the notation sign command defaults to storing signatures using the OCI referrers tag schema for maximum compatibility. As of this release, the default behavior has changed to use the OCI referrers API since most of the popular registries are compliant with OCI v1.1. However, users can still opt for the referrers tag schema using --force-referrers-tag true if needed.

New features

1. Added command notation blob with subcommands notation blob sign, notation blob verify, notation blob policy, and notation blob inspect. It enables blob signing and verification with blob trust policy configuration. The blob trust policy configuration is stored in file trustpolicy.blob.json. For more details: https://github.com/notaryproject/notation/blob/v2.0.0-alpha.1/specs/cmd/blob.md
2. Compliant with OCI-1.1 specs, namely distribution-spec v1.1.1 and image-spec v1.1.1. With the new update, notation sign command now stores signatures in the registry as a referrer of the target artifact by default, no extra image index will be created in this case. Removed the previously deprecated flag --allow-referrers-api.
3. Delta CRL support during CRL certificate revocation checks.

Other updates

1. The notation policy import command now stores the OCI trust policy configuration in file trustpolicy.oci.json. On success, the command will delete the old trustpolicy.json file.

What's Changed

• fix: github actions permissions by @JeyJeyGao in #1059
• fix: fix debug log by @Two-Hearts in #1061
• build(deps): Bump github.com/onsi/gomega from 1.34.1 to 1.34.2 in /test/e2e by @dependabot in #1049
• test: add unit tests by @Two-Hearts in #1075
• fix: discard crl cache error by @Two-Hearts in #1076
• build(deps): Bump codecov/codecov-action from 4.5.0 to 4.6.0 by @dependabot in #1054
• build(deps): Bump github.com/notaryproject/notation-go from 1.2.0-beta.1.0.20240926015724-84c2ec076201 to 1.3.0-rc.1 in /test/e2e/plugin by @dependabot in #1051
• build(deps): Bump github.com/spf13/cobra from 1.7.0 to 1.8.1 in /test/e2e/plugin by @dependabot in #1050
• build(deps): Bump golang.org/x/term from 0.24.0 to 0.25.0 by @dependabot in #1055
• build(deps): Bump actions/cache from 4.0.2 to 4.1.2 by @dependabot in #1073
• build(deps): Bump actions/upload-artifact from 4.4.0 to 4.4.3 by @dependabot in #1066
• build(deps): Bump actions/checkout from 4.1.7 to 4.2.2 by @dependabot in #1074
• build(deps): Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 in /test/e2e/plugin by @dependabot in #1077
• feat: crl cache with log by @Two-Hearts in #1078
• build(deps): Bump golang.org/x/term from 0.25.0 to 0.26.0 by @dependabot in #1081
• fix&test: discard error for NewFileCache & E2E test for CRL with cache by @JeyJeyGao in #1079
• build(deps): Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @dependabot in #1086
• build(deps): Bump github/codeql-action from 3.26.8 to 3.27.1 by @dependabot in #1085
• build(deps): Bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 by @dependabot in #1084
• build(deps): Bump golang.org/x/net from 0.29.0 to 0.31.0 by @dependabot in #1082
• build(deps): Bump github.com/onsi/gomega from 1.34.2 to 1.35.1 in /test/e2e by @dependabot in #1087
• build(deps): Bump actions/setup-go from 5.0.2 to 5.1.0 by @dependabot in #1090
• build(deps): Bump github/codeql-action from 3.27.1 to 3.27.5 by @dependabot in #1091
• build(deps): Bump codecov/codecov-action from 4.6.0 to 5.0.7 by @dependabot in #1092
• fix: add timestamping cert chain revocation check during signing by @Two-Hearts in #1094
• build(deps): Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 in /test/e2e by @dependabot in #1093
• build(deps): Bump golang.org/x/term from 0.26.0 to 0.27.0 by @dependabot in #1098
• build(deps): Bump actions/cache from 4.1.2 to 4.2.0 by @dependabot in #1101
• build(deps): Bump codecov/codecov-action from 5.0.7 to 5.1.1 by @dependabot in #1102
• build(deps): Bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in #1103
• build(deps): Bump github.com/notaryproject/tspclient-go from 0.2.1-0.20241030015323-90a141e7525c to 1.0.0-rc.1 by @dependabot in #1100
• build(deps): Bump golang.org/x/net from 0.31.0 to 0.32.0 by @dependabot in #1099
• build(deps): Bump github.com/onsi/gomega from 1.35.1 to 1.36.1 in /test/e2e by @dependabot in #1106
• build(deps): Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in #1105
• fix: context and bump up golang.org/x/net by @JeyJeyGao in #1119
• build(deps): Bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #1122
• docs: spec update regarding blob signature file extensions by @Two-Hearts in #1118
• build(deps): Bump codecov/codecov-action from 5.1.1 to 5.1.2 by @dependabot in #1123
• build(deps): Bump github.com/onsi/gomega from 1.36.1 to 1.36.2 in /test/e2e by @dependabot in #1131
• build(deps): Bump github/codeql-action from 3.27.6 to 3.28.0 by @dependabot in #1124
• feat: blob sign command by @Two-Hearts in #1128
• ci: update runner version to ubuntu-24.04 by @JeyJeyGao in #1140
• build(deps): Bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot in #1112
• build(deps): Bump github.com/notaryproject/tspclient-go from 1.0.0-rc.1 to 1.0.0 by @dependabot in #1143
• build(deps): Bump github/codeql-action from 3.28.0 to 3.28.1 by @dependabot in #1142
• fix: load config error by @JeyJeyGao in #1145
• build(deps): Bump github.com/onsi/ginkgo/v2 from 2.22.1 to 2.22.2 in /test/e2e by @dependabot in #1132
• build(deps): Bump golang.org/x/term from 0.27.0 to 0.28.0 by @dependabot in #1135
• build(deps): Bump actions/upload-artifact from 4.5.0 to 4.6.0 by @dependabot in #1141
• feat: add blob policy import and show commands by @JeyJeyGao in #1126
• bump: bump up dependencies by @Two-Hearts in #1146
• docs: fix inspect command spec by @JeyJeyGao in #1156
• build(deps): Bump github/codeql-action from 3.28.1 to 3.28.8 by @dependabot in #1166
• build(deps): Bump codecov/codecov-action from 5.1.2 to 5.3.1 by @dependabot in #1157
• build(deps): Bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #1159
• build(deps): Bump actions/setup-go from 5.2.0 to 5.3.0 by @dependabot in #1160
• build(deps): Bump github.com/spf13/pflag from 1.0.5 to 1.0.6 by @dependabot in #1162
• refactor: extract inspect rendering logic to be display handlers by @JeyJeyGao in #1150
• refactor: verify display handler by @JeyJeyGao in #1167
• build(deps): Bump golang.org/x/term from 0.28.0 to 0.29.0 by @dependabot in #1169
• build(deps): Bump github/codeql-action from 3.28.8 to 3.28.9 by @dependabot in #1168
• feat: blob verify command by @Two-Hearts in #1137
• test: OCSP E2E by @JeyJeyGao in https://github.com/notary...

v1.3.1

Vote PASSED [+5 -0]: #1186

Bug Fix

• Updated the notation-go library to v1.3.1. This update removes the timestamp check against signing time during authentic timestamp verification due to potential time skew and the unauthenticated nature of signing time field.

What's changed since v1.3.0

• bb571dd bump: release v1.3.1
• 1557a44 bump: bump up dependencies for release-1.3 branch (#1184)
• 198c822 Merge pull request #1149 from Two-Hearts/release-1.3

Full Changelog: v1.3.0...v1.3.1

v1.3.0

Notation v1.3.0

Notation v1.3.0 is an implementation of Notary Project Specifications v1.1.0.

Key features

• Support of CRL revocation check with built-in file cache. See more details here.

Other changes

-Timestamping enhancements. Enabled timestamping certificate chain revocation check after signing.

What's Changed since v1.3.0-rc.2

• bump: release v1.3.0-rc.2 by @Two-Hearts in #1130
• cherry-pick: cherry pick from main to release-1.3 branch by @Two-Hearts in #1147
• bump: bump up dependencies and workflows by @Two-Hearts in #1148

Full Changelog: v1.3.0-rc.2...v1.3.0

Vote PASSED [+5 -0]: #1149

v1.3.0-rc.2

Vote PASSED [+4 -0]: #1130

Changes

1. Enabled timestamping certificate chain revocation check after signing.
2. Enhanced CRL cache with logs.
3. Bumped up dependencies and other minor fixes.

What's changed since v1.3.0-rc.1

• bump: release v1.3.0-rc.1 by @Two-Hearts in #1056
• fix: cherry pick minor fixes from main to release-1.3 by @Two-Hearts in #1110
• bump: bump up dependencies for release-1.3 branch by @Two-Hearts in #1109
• backport: CRL cache with log and E2E tests from main to release-1.3 by @Two-Hearts in #1117
• fix: fix context and bump up golang.org/x/net for release-1.3 branch by @Two-Hearts in #1120
• backport: timestamping cert chain revocation check during signing from main to release-1.3 branch by @Two-Hearts in #1121

Full Changelog: v1.3.0-rc.1...v1.3.0-rc.2

v1.1.2

Bug Fixes

• Fixed debug log to show correct notation-go signingAgent.
• Removed the blob signing related documents as they were not implemented yet.

Other Changes

• Updated dependencies with highlights below
  • Update to Golang v1.23
  • Update to notation-go v1.1.2

What's Changed since v1.1.1

• bump: bump up and vote notation v1.1.1 by @JeyJeyGao in #963
• fix(docs): remove blob signing docs for release-1.1 branch by @JeyJeyGao in #1013
• bump: update notation-go v1.1.2 by @JeyJeyGao in #1041
• bump: dependencies for release-1.1 branch by @JeyJeyGao in #1057

Full Changelog: v1.1.1...v1.1.2

v1.3.0-rc.1

Vote PASSED [+4 -0]: #1056

New Features

• Support of CRL revocation check with built-in file cache. See more details here.

Changelog

• 0d9ceac bump: release v1.3.0-rc.1
• 2819637 refactor!: remove blob sign/verify for v1.3.0-rc.1 release (#1045)
• 4c0a3da feat: crl with file cache (#1043)
• c2cff5b build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 in /test/e2e (#1037)
• a109519 build(deps): Bump golang.org/x/net from 0.28.0 to 0.29.0 (#1034)
• 3bb6ef7 build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 in /test/e2e/plugin (#1038)
• 687d29e build(deps): Bump oras.land/oras-go/v2 from 2.4.0 to 2.5.0 in /test/e2e (#1035)
• 1ab2505 build(deps): Bump github/codeql-action from 3.26.6 to 3.26.8 (#1044)
• 8f8f8c9 build(deps): Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.20.2 in /test/e2e (#1036)
• 9283467 build(deps): Bump golang.org/x/term from 0.23.0 to 0.24.0 (#1033)
• 1af69fc chore: updated dependabot.yml to cover test/e2e (#1030)
• e8f37d0 build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 (#1024)
• b620496 build(deps): Bump github/codeql-action from 3.26.0 to 3.26.6 (#1026)
• 780df48 build(deps): Bump actions/upload-artifact from 4.3.6 to 4.4.0 (#1025)
• 83ade99 bump: upgrade golang version to v1.23 (#1019)
• b683029 build(deps): Bump github/codeql-action from 3.25.15 to 3.26.0 (#1010)
• fe327c7 build(deps): Bump actions/upload-artifact from 4.3.4 to 4.3.6 (#1009)
• 3a35b3b build(deps): Bump golang.org/x/net from 0.27.0 to 0.28.0 (#1007)

Full changelog: v1.2.0...v1.3.0-rc.1

v1.2.0

Vote PASSED [+4 -0]: #1022

Notation v1.2.0

Notation v1.2.0 is an implementation of the Notary Project Specifications v1.1.0.

Key features

• Support OCI image-spec v1.1.0 and distribution-spec v1.1.0

  • Introduced new flag --force-referrers-tag (default to true) to the notation sign command, which allows users opt to the referrers tag schema instead of the referrers API.
  • The notation verify / list / inspect commands always attempt the referrers API first, automatically falling back to the referrers tag schema if the referrers API is not supported by the registry.

• Support for RFC 3161 compliant Timestamping

  • Introduced two new flags --timestamp-url and --timestamp-root-cert in notation sign command for signing with timestamping, see the notation sign CLI spec for more details.
  • Support a new trust store type tsa in notation certificate command.
  • Support RFC 3161 timestamp verification in the notation verify command with updated trust policy, see the notation verify CLI spec for more details.
  • Support RFC 3161 timestamp in notation inspect command's output.

• Added support for armv7 binary release.

Other changes

• Upgraded to Golang v1.23

Deprecation

• The experimental flag --allow-referrers-api is deprecated as notation follows distribution-spec v1.1.0.

What's changed since v1.2.0-rc.1

• bump: release v1.2.0-rc.1 (#1017)
• bump: bump up for v1.2.0 stable release (#1021)

Full Changelog: v1.2.0-rc.1...v1.2.0

v1.2.0-rc.1

Vote PASSED [+4 -0]: #1017

Changes

1. Added support for armv7 binary release.
2. Updated notation inspect command with RFC 3161 timestamp in the output.

What's Changed

• build: add support for armv7 binary release by @lmussier in #956
• chore: move tsa url print out behind -v flag by @Two-Hearts in #996
• feat: update inspect command with timestamping by @Two-Hearts in #998
• build(deps): Bump golang.org/x/net from 0.23.0 to 0.27.0 by @dependabot in #999
• build(deps): Bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @dependabot in #1000
• build(deps): Bump github/codeql-action from 3.25.13 to 3.25.15 by @dependabot in #1001
• refactor: update verifier by @Two-Hearts in #1002
• refactor!: remove blob sign/verify related contents by @Two-Hearts in #1011
• bump: bump up dependencies for release-1.2 by @Two-Hearts in #1014

New Contributors

• @lmussier made their first contribution in #956

Full Changelog: v1.2.0-beta.1...v1.2.0-rc.1

v1.2.0-beta.1

Vote PASSED [+4 -0]: #995

New Features

• Support for RFC 3161 compliant Timestamping
  • Introduce two new flags --timestamp-url and --timestamp-root-cert in notation sign command for signing with timestamping, see the notation sign CLI spec for more details.
  • Support a new trust store type tsa in notation certificate command.
  • Support RFC 3161 timestamp verification in the notation verify command with updated trust policy, see the notation verify CLI spec for more details.

Detailed Commits

• 787665f Merge pull request #995 from Two-Hearts/release
• 00af3ce bump: release v1.2.0-beta.1
• bbeb75d bump: bump up dependencies for v1.2.0-beta.1 (#994)
• e604a4f build(deps): Bump golang.org/x/net from 0.22.0 to 0.23.0 (#993)
• a034721 feat: Timestamp (#978)
• 26c0b36 build(deps): Bump github/codeql-action from 3.25.11 to 3.25.13 (#991)
• d8c77d1 build(deps): Bump actions/setup-go from 5.0.1 to 5.0.2 (#986)
• cab4fef docs: update RELEASE_CHECKLIST.md (#713)
• c6636ca build(deps): Bump github/codeql-action from 3.25.8 to 3.25.11 (#980)
• e9ed3d5 build(deps): Bump actions/add-to-project from 1.0.1 to 1.0.2 (#981)
• 214b0b2 build(deps): Bump golang.org/x/term from 0.21.0 to 0.22.0 (#982)
• 2de7110 build(deps): Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#983)
• acf54be build(deps): Bump codecov/codecov-action from 4.4.1 to 4.5.0 (#972)
• ae6ff01 build(deps): Bump actions/checkout from 4.1.6 to 4.1.7 (#970)
• 944c661 build(deps): Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#969)
• 626002a Merge pull request #967 from JeyJeyGao/vote/v1.2.0-alpha.1

Full Changelog: v1.2.0-alpha.1...v1.2.0-beta.1