notation

v0.11.0-alpha.4.dev.20...

This package is not in the latest version of its module.

Published: Oct 14, 2022 License: Apache-2.0

Notation

Notation is a CLI project to add signatures as standard items in the registry ecosystem, and to build a set of simple tools for signing and verifying these signatures. The security it provides should be viewed as similar to checking git commit signatures, although the signatures are generic and can be used for additional purposes. Notation is an implementation of the Notary v2 specifications.

Notation Quick Start

  • Install the Notation CLI from Notation Releases:

    curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v0.11.0-alpha.4/notation_0.11.0-alpha.4_linux_amd64.tar.gz
    mkdir -p ~/bin
    tar xvzf notation.tar.gz -C ~/bin notation
    
  • Run a local instance of the CNCF Distribution Registry, with ORAS Artifacts support:

    docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v1.0.0-rc2
    
  • Build, push, sign, verify the net-monitor software:

    export IMAGE=localhost:5000/net-monitor:v1
    docker build -t $IMAGE https://github.com/wabbit-networks/net-monitor.git#main
    docker push $IMAGE
    notation cert generate-test --default --trust "wabbit-networks-dev"
    notation sign --plain-http $IMAGE
    notation list --plain-http $IMAGE
    notation verify --plain-http $IMAGE
    

Note: Signatures are persisted as ORAS Artifacts manifests.

Documents

Community

Development and Contributing

Notary v2 Community Meeting
  • Mondays 5-6 PM Pacific time, 8-9 PM US Eastern, 8-9 AM Shanghai
  • Thursdays 9-10 AM Pacific time, 12 PM US Eastern, 5 PM UK

Join us at Zoom Dial-in link / Passcode: 77777. Please see the CNCF Calendar for community meeting details. Meeting notes are captured on hackmd.io.

Release Management

The Notation release process is defined in RELEASE_MANAGEMENT.md.

Support

Support for the Notation project is defined in supported releases.

Code of Conduct

This project has adopted the CNCF Code of Conduct. See CODE_OF_CONDUCT.md for further details.

License

This project is covered under the Apache 2.0 license. You can read the license here.

Directories

Path: Synopsis

  • cmd
      • notation (command)
  • internal
      • cmd: Package cmd contains common flags and routines for all CLIs.
  • pkg
  • test
      • e2e (module)
      • e2e/plugin (module)
