Getting Started
Verified against the
maindevelopment line (v2.0.0-alpha.1,internal/version/version.go:18). Commands assume a Unix shell and an OCI registry you can push to.
Prerequisites
- Go
>= 1.24to build from source (source 12). - An OCI artifact you can push to, in a registry that supports the Referrers API or the Referrers tag schema.
gitandmake.
Install
Build and install from source. make install places the binary at ~/bin/notation (source 12):
git clone https://github.com/notaryproject/notation.git
cd notation
make installIf notation is not found afterwards, add ~/bin to your PATH:
export PATH="$HOME/bin:$PATH"A first working setup
This signs a local artifact and verifies it with a self-generated test key.
Confirm the binary runs.
bashnotation versionGenerate a signing key and a self-signed certificate, registering it in the trust store. A signing key must be configured before signing (
cmd/notation/sign.go:68).bashnotation cert generate-test --default "wabbit-networks.io"Sign an artifact by digest. Signing pins to the digest; a tag reference triggers a mutability warning (
cmd/notation/sign.go:167). Replace the reference with your own.bashnotation sign $REGISTRY/$REPO@$DIGESTExpected output on success (
cmd/notation/sign.go:186-187):textSuccessfully signed <registry>/<repo>@sha256:... Pushed the signature to <registry>/<repo>@sha256:...Add a trust policy. Verification requires a certificate in the trust store and a trust policy (
cmd/notation/verify.go:51). Set the verification level tostrictso revocation and expiry are enforced (source 4, source 9).bashnotation policy import ./trustpolicy.jsonVerify the signature.
bashnotation verify $REGISTRY/$REPO@$DIGEST
Verify it works
A successful notation verify exits zero and reports the verified artifact. A failure composes the verification errors into a printout and returns a non-zero status (cmd/notation/verify.go:147-153). List the signatures attached to an artifact with notation list <reference>.