Samir Kakkar

@ZOVZv65TQE6B3ZXayUt4GQ

Joined on Sep 10, 2021

  • In early 2023, Notary Project, under the guidance of CNCF, began work with Ada Logics to perform the first security audit of the Notation libraries and Notation CLI, a reference implementation of the latest Notary Project specifications. Ada Logics discovered seven issues, which have been triaged and resolved by the Notary Project maintainers. This blog post summarizes the overall findings and notes a few things learnt from the security audit, which was preceded by a related but independent audit. We are very grateful to the Cloud Native Computing Foundation for funding this work and helping drive this effort, to OSTIF for arranging the audit, and to Ada Logics for conducting the audit and releasing the audit report. Summary of Findings: Ada Logics identified seven issues of varying severity - one high, two moderate, three low and one informational - all of which were fixed in Notation RC-6. All subsequent releases of Notation CLI, including the latest RC-7 and the upcoming 1.0.0, include the fixes. The Notary Project maintainers created CVEs for 3 issues and tracked the remaining issues as non-CVEs involving documentation or CLI command flag name changes. Potential endless data attack in notation ls, ADA-NOT-23-1, aka CVE-2023-33958, fixed in RC-6.
  • Overview: The Notary v2 working group is pleased to announce its second release candidate, RC-2. Refer to the release definitions here. This release includes updates to the notaryproject/notaryproject repo to provide the community with updated specifications and an updated implementation of the Notation client for signing and verifying artifacts. Notation Library 1 (notation-core-go-v1.0.0-rc.2) (Updated in this release); Notation Library 2 (notation-go-v1.0.0-rc.3) (Updated in this release); Notation CLI (notation-v1.0.0-rc.2) (Updated in this release); Notary v2 Specs (notaryproject-v1.0.0-rc.2) (Updated in this release). Goal of the release: Notary v2 specifications: Updates to support signing and verification using the fallback method for referrers, as specified in the 1.1 version release candidate of the OCI Distribution specification. With this method, Notary v2 now supports a reference types solution, but within the bounds of the OCI 1.0 Image and Distribution specs
  • Description: Use the notation inspect command to inspect/describe all the signatures associated with a signed artifact/image in a human-readable format. Upon successful execution, the digest of the signed artifact and the details of all the signatures associated with the artifact and their respective certificate properties are displayed as follows:
      <registry>/<repository>@<digest>
      └── application/vnd.cncf.notary.signature
          ├── <digest_of_signature_manifest>
          ├── <signed attributes...>