v1.3.1

Vote PASSED [+5 -0]: #1186

Bug Fix

• Updated the notation-go library to v1.3.1. This update removes the timestamp check against signing time during authentic timestamp verification due to potential time skew and the unauthenticated nature of signing time field.

What's changed since v1.3.0

• bb571dd bump: release v1.3.1
• 1557a44 bump: bump up dependencies for release-1.3 branch (#1184)
• 198c822 Merge pull request #1149 from Two-Hearts/release-1.3

Full Changelog: v1.3.0...v1.3.1

v1.3.0

Notation v1.3.0

Notation v1.3.0 is an implementation of Notary Project Specifications v1.1.0.

Key features

• Support of CRL revocation check with built-in file cache. See more details here.

Other changes

-Timestamping enhancements. Enabled timestamping certificate chain revocation check after signing.

What's Changed since v1.3.0-rc.2

• bump: release v1.3.0-rc.2 by @Two-Hearts in #1130
• cherry-pick: cherry pick from main to release-1.3 branch by @Two-Hearts in #1147
• bump: bump up dependencies and workflows by @Two-Hearts in #1148

Full Changelog: v1.3.0-rc.2...v1.3.0

Vote PASSED [+5 -0]: #1149

v1.3.0-rc.2

Vote PASSED [+4 -0]: #1130

Changes

1. Enabled timestamping certificate chain revocation check after signing.
2. Enhanced CRL cache with logs.
3. Bumped up dependencies and other minor fixes.

What's changed since v1.3.0-rc.1

• bump: release v1.3.0-rc.1 by @Two-Hearts in #1056
• fix: cherry pick minor fixes from main to release-1.3 by @Two-Hearts in #1110
• bump: bump up dependencies for release-1.3 branch by @Two-Hearts in #1109
• backport: CRL cache with log and E2E tests from main to release-1.3 by @Two-Hearts in #1117
• fix: fix context and bump up golang.org/x/net for release-1.3 branch by @Two-Hearts in #1120
• backport: timestamping cert chain revocation check during signing from main to release-1.3 branch by @Two-Hearts in #1121

Full Changelog: v1.3.0-rc.1...v1.3.0-rc.2

v1.1.2

Bug Fixes

• Fixed debug log to show correct notation-go signingAgent.
• Removed the blob signing related documents as they were not implemented yet.

Other Changes

• Updated dependencies with highlights below
  • Update to Golang v1.23
  • Update to notation-go v1.1.2

What's Changed since v1.1.1

• bump: bump up and vote notation v1.1.1 by @JeyJeyGao in #963
• fix(docs): remove blob signing docs for release-1.1 branch by @JeyJeyGao in #1013
• bump: update notation-go v1.1.2 by @JeyJeyGao in #1041
• bump: dependencies for release-1.1 branch by @JeyJeyGao in #1057

Full Changelog: v1.1.1...v1.1.2

v1.3.0-rc.1

Vote PASSED [+4 -0]: #1056

New Features

• Support of CRL revocation check with built-in file cache. See more details here.

Changelog

• 0d9ceac bump: release v1.3.0-rc.1
• 2819637 refactor!: remove blob sign/verify for v1.3.0-rc.1 release (#1045)
• 4c0a3da feat: crl with file cache (#1043)
• c2cff5b build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 in /test/e2e (#1037)
• a109519 build(deps): Bump golang.org/x/net from 0.28.0 to 0.29.0 (#1034)
• 3bb6ef7 build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 in /test/e2e/plugin (#1038)
• 687d29e build(deps): Bump oras.land/oras-go/v2 from 2.4.0 to 2.5.0 in /test/e2e (#1035)
• 1ab2505 build(deps): Bump github/codeql-action from 3.26.6 to 3.26.8 (#1044)
• 8f8f8c9 build(deps): Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.20.2 in /test/e2e (#1036)
• 9283467 build(deps): Bump golang.org/x/term from 0.23.0 to 0.24.0 (#1033)
• 1af69fc chore: updated dependabot.yml to cover test/e2e (#1030)
• e8f37d0 build(deps): Bump github.com/notaryproject/notation-core-go from 1.1.0-rc.1 to 1.1.0 (#1024)
• b620496 build(deps): Bump github/codeql-action from 3.26.0 to 3.26.6 (#1026)
• 780df48 build(deps): Bump actions/upload-artifact from 4.3.6 to 4.4.0 (#1025)
• 83ade99 bump: upgrade golang version to v1.23 (#1019)
• b683029 build(deps): Bump github/codeql-action from 3.25.15 to 3.26.0 (#1010)
• fe327c7 build(deps): Bump actions/upload-artifact from 4.3.4 to 4.3.6 (#1009)
• 3a35b3b build(deps): Bump golang.org/x/net from 0.27.0 to 0.28.0 (#1007)

Full changelog: v1.2.0...v1.3.0-rc.1

v1.2.0

Vote PASSED [+4 -0]: #1022

Notation v1.2.0

Notation v1.2.0 is an implementation of the Notary Project Specifications v1.1.0.

Key features

• Support OCI image-spec v1.1.0 and distribution-spec v1.1.0

  • Introduced new flag --force-referrers-tag (default to true) to the notation sign command, which allows users opt to the referrers tag schema instead of the referrers API.
  • The notation verify / list / inspect commands always attempt the referrers API first, automatically falling back to the referrers tag schema if the referrers API is not supported by the registry.

• Support for RFC 3161 compliant Timestamping

  • Introduced two new flags --timestamp-url and --timestamp-root-cert in notation sign command for signing with timestamping, see the notation sign CLI spec for more details.
  • Support a new trust store type tsa in notation certificate command.
  • Support RFC 3161 timestamp verification in the notation verify command with updated trust policy, see the notation verify CLI spec for more details.
  • Support RFC 3161 timestamp in notation inspect command's output.

• Added support for armv7 binary release.

Other changes

• Upgraded to Golang v1.23

Deprecation

• The experimental flag --allow-referrers-api is deprecated as notation follows distribution-spec v1.1.0.

What's changed since v1.2.0-rc.1

• bump: release v1.2.0-rc.1 (#1017)
• bump: bump up for v1.2.0 stable release (#1021)

Full Changelog: v1.2.0-rc.1...v1.2.0

v1.2.0-rc.1

Vote PASSED [+4 -0]: #1017

Changes

1. Added support for armv7 binary release.
2. Updated notation inspect command with RFC 3161 timestamp in the output.

What's Changed

• build: add support for armv7 binary release by @lmussier in #956
• chore: move tsa url print out behind -v flag by @Two-Hearts in #996
• feat: update inspect command with timestamping by @Two-Hearts in #998
• build(deps): Bump golang.org/x/net from 0.23.0 to 0.27.0 by @dependabot in #999
• build(deps): Bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @dependabot in #1000
• build(deps): Bump github/codeql-action from 3.25.13 to 3.25.15 by @dependabot in #1001
• refactor: update verifier by @Two-Hearts in #1002
• refactor!: remove blob sign/verify related contents by @Two-Hearts in #1011
• bump: bump up dependencies for release-1.2 by @Two-Hearts in #1014

New Contributors

• @lmussier made their first contribution in #956

Full Changelog: v1.2.0-beta.1...v1.2.0-rc.1

v1.2.0-beta.1

Vote PASSED [+4 -0]: #995

New Features

• Support for RFC 3161 compliant Timestamping
  • Introduce two new flags --timestamp-url and --timestamp-root-cert in notation sign command for signing with timestamping, see the notation sign CLI spec for more details.
  • Support a new trust store type tsa in notation certificate command.
  • Support RFC 3161 timestamp verification in the notation verify command with updated trust policy, see the notation verify CLI spec for more details.

Detailed Commits

• 787665f Merge pull request #995 from Two-Hearts/release
• 00af3ce bump: release v1.2.0-beta.1
• bbeb75d bump: bump up dependencies for v1.2.0-beta.1 (#994)
• e604a4f build(deps): Bump golang.org/x/net from 0.22.0 to 0.23.0 (#993)
• a034721 feat: Timestamp (#978)
• 26c0b36 build(deps): Bump github/codeql-action from 3.25.11 to 3.25.13 (#991)
• d8c77d1 build(deps): Bump actions/setup-go from 5.0.1 to 5.0.2 (#986)
• cab4fef docs: update RELEASE_CHECKLIST.md (#713)
• c6636ca build(deps): Bump github/codeql-action from 3.25.8 to 3.25.11 (#980)
• e9ed3d5 build(deps): Bump actions/add-to-project from 1.0.1 to 1.0.2 (#981)
• 214b0b2 build(deps): Bump golang.org/x/term from 0.21.0 to 0.22.0 (#982)
• 2de7110 build(deps): Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#983)
• acf54be build(deps): Bump codecov/codecov-action from 4.4.1 to 4.5.0 (#972)
• ae6ff01 build(deps): Bump actions/checkout from 4.1.6 to 4.1.7 (#970)
• 944c661 build(deps): Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#969)
• 626002a Merge pull request #967 from JeyJeyGao/vote/v1.2.0-alpha.1

Full Changelog: v1.2.0-alpha.1...v1.2.0-beta.1

v1.2.0-alpha.1

Vote PASSED [+4 -0]: #967

New Features

• Support OCI image-spec v1.1.0 and distribution-spec v1.1.0.
  • Introduce a new flag --force-referrers-tag (default to true) to the notation sign command, which allows users opt to the referrers tag schema instead of the referrers API.
  • The notation verify / list / inspect commands will always attempt the referrers API first, automatically falling back to the referrers tag schema if the referrers API is not supported by the registry.

Deprecation

• The experimental flag --allow-referrers-api is deprecated as notation follows distribution-spec v1.1.0.

Other changes

• Improved documentation
• Improved error messages
• Update dependencies with highlights below
  • Update to Golang 1.22
  • Update to notation-go v1.1.1
  • Update to notation-core-go v1.0.3
  • Update to oras-go v2.5.0

Detailed Commits

• bump: tag and release version v1.1.0 by @Two-Hearts in #876
• build(deps): Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #878
• build(deps): Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #879
• build(deps): Bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #877
• bump: bump up oras-go and image-spec by @Two-Hearts in #881
• build(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #883
• build(deps): Bump codecov/codecov-action from 3.1.5 to 4.0.1 by @dependabot in #884
• build(deps): Bump golang.org/x/term from 0.16.0 to 0.17.0 by @dependabot in #886
• build(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #887
• build(deps): Bump codecov/codecov-action from 4.0.1 to 4.0.2 by @dependabot in #896
• build(deps): Bump github/codeql-action from 3.24.0 to 3.24.5 by @dependabot in #895
• build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in #891
• build(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 by @dependabot in #898
• build(deps): Bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #900
• build(deps): Bump actions/add-to-project from 0.5.0 to 0.6.0 by @dependabot in #901
• docs: spec updates for arbitrary blob signing by @rgnote in #811
• build(deps): Bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #899
• build(deps): Bump golang.org/x/term from 0.17.0 to 0.18.0 by @dependabot in #906
• chore: add GitHub action for stale issues and PRs by @yizha1 in #841
• build(deps): Bump github/codeql-action from 3.24.6 to 3.24.7 by @dependabot in #908
• build(deps): Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #907
• build(deps): Bump actions/stale from 8 to 9 by @dependabot in #915
• build(deps): Bump actions/add-to-project from 0.6.0 to 0.6.1 by @dependabot in #912
• build(deps): Bump github/codeql-action from 3.24.7 to 3.24.9 by @dependabot in #913
• build(deps): Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #914
• build(deps): Bump actions/add-to-project from 0.6.1 to 1.0.0 by @dependabot in #918
• build(deps): Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #917
• Moved org maintainers to emeritus by @toddysm in #919
• fix(ci): update codecov token by @JeyJeyGao in #920
• feat: upgrade to OCI 1.1 by @Two-Hearts in #916
• fix: improve error message for --signature-format flag by @JeyJeyGao in #925
• build(deps): Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #922
• build(deps): Bump golang.org/x/term from 0.18.0 to 0.19.0 by @dependabot in #924
• build(deps): Bump codecov/codecov-action from 4.1.1 to 4.3.0 by @dependabot in #927
• build(deps): Bump actions/add-to-project from 1.0.0 to 1.0.1 by @dependabot in #928
• build(deps): Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/e2e by @dependabot in #929
• build(deps): Bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #936
• build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #939
• build(deps): Bump golang.org/x/term from 0.19.0 to 0.20.0 by @dependabot in #940
• build(deps): Bump codecov/codecov-action from 4.3.0 to 4.4.0 by @dependabot in #944
• build(deps): Bump github/codeql-action from 3.24.10 to 3.25.5 by @dependabot in #945
• build(deps): Bump actions/checkout from 4.1.2 to 4.1.6 by @dependabot in #946
• fix: error message for trust policy by @JeyJeyGao in #933
• doc: add Notation CLI Error Handling and Message Guideline by @FeynmanZhou in #834
• build(deps): Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 by @dependabot in #951
• build(deps): Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #950
• build(deps): Bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #949
• build(deps): Bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #948
• build(deps): Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #955
• bump: bump up notation-go v1.1.1 and other dependencies by @JeyJeyGao in #952
• build(deps): Bump golang.org/x/term from 0.20.0 to 0.21.0 by @dependabot in #960
• build(deps): Bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #961
• build(deps): Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 by @dependabot in #962
• fix(ci): update goreleaser to use --clean flag by @JeyJeyGao in #964

Full Changelog: v1.1.0...v1.2.0-alpha.1

v1.1.1

Vote PASSED [+4 -0]: #963

Changes

• Improve documentation
• Improve error messages
• Update dependencies with highlights below
  • Update to Golang 1.22
  • Update to notation-go v1.1.1
  • Update to notation-core-go v1.0.3
  • Update to oras-go v2.5.0

Detailed Commits

• bump: tag and release version v1.1.0 by @Two-Hearts in #876
• build(deps): Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #878
• build(deps): Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #879
• build(deps): Bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #877
• bump: bump up oras-go and image-spec by @Two-Hearts in #881
• build(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #883
• build(deps): Bump codecov/codecov-action from 3.1.5 to 4.0.1 by @dependabot in #884
• build(deps): Bump golang.org/x/term from 0.16.0 to 0.17.0 by @dependabot in #886
• build(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #887
• build(deps): Bump codecov/codecov-action from 4.0.1 to 4.0.2 by @dependabot in #896
• build(deps): Bump github/codeql-action from 3.24.0 to 3.24.5 by @dependabot in #895
• build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in #891
• build(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 by @dependabot in #898
• build(deps): Bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #900
• build(deps): Bump actions/add-to-project from 0.5.0 to 0.6.0 by @dependabot in #901
• docs: spec updates for arbitrary blob signing by @rgnote in #811
• build(deps): Bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #899
• build(deps): Bump golang.org/x/term from 0.17.0 to 0.18.0 by @dependabot in #906
• chore: add GitHub action for stale issues and PRs by @yizha1 in #841
• build(deps): Bump github/codeql-action from 3.24.6 to 3.24.7 by @dependabot in #908
• build(deps): Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #907
• build(deps): Bump actions/stale from 8 to 9 by @dependabot in #915
• build(deps): Bump actions/add-to-project from 0.6.0 to 0.6.1 by @dependabot in #912
• build(deps): Bump github/codeql-action from 3.24.7 to 3.24.9 by @dependabot in #913
• build(deps): Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #914
• build(deps): Bump actions/add-to-project from 0.6.1 to 1.0.0 by @dependabot in #918
• build(deps): Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #917
• Moved org maintainers to emeritus by @toddysm in #919
• fix(ci): update codecov token by @JeyJeyGao in #920
• feat: upgrade to OCI 1.1 by @Two-Hearts in #916
• fix: improve error message for --signature-format flag by @JeyJeyGao in #925
• build(deps): Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #922
• build(deps): Bump golang.org/x/term from 0.18.0 to 0.19.0 by @dependabot in #924
• build(deps): Bump codecov/codecov-action from 4.1.1 to 4.3.0 by @dependabot in #927
• build(deps): Bump actions/add-to-project from 1.0.0 to 1.0.1 by @dependabot in #928
• build(deps): Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/e2e by @dependabot in #929
• build(deps): Bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #936
• build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #939
• build(deps): Bump golang.org/x/term from 0.19.0 to 0.20.0 by @dependabot in #940
• build(deps): Bump codecov/codecov-action from 4.3.0 to 4.4.0 by @dependabot in #944
• build(deps): Bump github/codeql-action from 3.24.10 to 3.25.5 by @dependabot in #945
• build(deps): Bump actions/checkout from 4.1.2 to 4.1.6 by @dependabot in #946
• fix: error message for trust policy by @JeyJeyGao in #933
• doc: add Notation CLI Error Handling and Message Guideline by @FeynmanZhou in #834
• build(deps): Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 by @dependabot in #951
• build(deps): Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #950
• build(deps): Bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #949
• build(deps): Bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #948
• build(deps): Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #955
• bump: bump up notation-go v1.1.1 and other dependencies by @JeyJeyGao in #952
• revert: "feat: upgrade to OCI 1.1 (#916)" by @JeyJeyGao in #958
• build(deps): Bump golang.org/x/term from 0.20.0 to 0.21.0 by @JeyJeyGao in #966

Full Changelog: v1.1.0...v1.1.1