owned this note
owned this note
Published
Linked with GitHub
# Goals for Notation release
## RC-2 Release Additional Items - FEB 13th 2023 (<span style="color:green">Release COMPLETE</span>)
1. Semantic versioning (P0)
- Ensuring only approved/newer-plugins can be used for verification.
- This feature implements SemVer in Notation. Not implementing this feature is blocking using verification plugin minimum version critical attribute in signature verification workflow.
2. Automatic OCI Fall back support – existing OCI 1.0 based registries can transparently work with Notation, with no change to UX (P0)
- Artifact push result in an OCI Image Manifest where OCI Artifact Manifest is not supported by the remote registry.
3. Inspect Command Implementation (P1)
- Allows user to see detail of the signature. Will be used by customer for debugging
## RC-3 Release Items - March 6th
1. Change default Manifest to Image Manifest in Notation. Issue to be created and update.(Yi)
- Changes to be done by MSFT.
- PR review on Tuesday by AWS.
- Testing complete and release by 6th.
2. Support TSA (TimeStamp Authority) trust stores in trust policy (AWS) (P1)
- Create the issue for the documentation in Roadmap.
- As part of RC-3, add documentation to outline 'disclaimer for expiration'. (as per the 02/06 community meeting) - https://hackmd.io/yw2QSaOKRUKP9Nx_Ozh-kA
3. Simplify Signing experience - https://github.com/notaryproject/notation/issues/537
## RC-4 Release Items - March 30th / Apr 06th 2023 (Can be called GA ? )
1. Governance work (MSFT / AWS) (P0) - Toddy to create issues.
2. Security (P0) - Toddy/Yi/Vani
- Create a Security Policy story under Roadmap repo. Ex: Security Overview · containerd/containerd (github.com). The policy will have a link to the security.md file.
- Create a issue under each repo for security policy and link security.md file creation.
- There could be other tasks based on the security audit results and we need to allocate separate time for this discussion.
3. Threat Modeling for Notation (Directory + Configurations _ Registry)(P0) - (AWS/MSFT)
- Threat modeling involves identifying ways that an adversary might try to attack notation and then designing mitigations to prevent, detect or reduce the impact of those attacks. https://github.com/notaryproject/notaryproject/pull/242
4. Revocation specification + Implementation (P0) (AWS) (Pritesh to break up the issue into smaller issues by 02/28 EOD for further development. Pritesh to complete by mid of March.)
- Signature verification needs to perform x509 revocation check (CRL/OCSP) and fail if a certificate in the chain is revoked depending upon the revocation enforcement level in trust policy.
- Estimates:
- Spec 1-2 weeks (AWS)
**Revocation Spec**: https://github.com/priteshbandi/notaryproject/blob/main/specs/trust-store-trust-policy.md#certificate-revocation-evaluation
*(Why is the "DRAFT" used in the spec? is there any open work to be completed? If not, then create a PR and remove the word "DRAFT" from the spec.)*
**Revocation Spec PR that was reviewed**: https://github.com/notaryproject/notaryproject/pull/122
Brekadown of the revocation into smaller issues.
https://github.com/notaryproject/roadmap/issues/60#issuecomment-1447369802
- Implementation 3-4 weeks (Pending to check revocation library support in golang and estimates can increase or decrease based on that,viz. known unkown) - First OCSP and then CRL support, can be a phased approach.
- This is important for the threat model.
5. Notation Sign/verify Offline/Local artifacts - Spec and Implementation (P0) (MSFT)
- Customer able to sign and verify local artifacts on local machines. This item is to sign before push, and then push the image, signature, tag to the registry. https://github.com/notaryproject/roadmap/issues/15
- Improve the security user can sign the aritifact locally and produce the signature locally without interacting with the registry, which is a good security practice.
6. Documentation for support TSA (TimeStamp Authority) trust stores in trust policy for future release (AWS) (P1)
- Create the issue for the documentation in Roadmap.
- As part of RC-3, add documentation to outline 'disclaimer for expiration' . (as per the 02/06 community meeting)
7. Improve the TP experience for Customers (P1) (MSFT)
- (https://github.com/notaryproject/notation/issues/548).
8. Installation improvement for notation(P1) (MSFT) - Further discussion is needed for cross platform installation improvement.
- https://github.com/notaryproject/roadmap/issues/76 (Installation package - MacOS homebrew, Windows MSI, Container image, Linux script, offline packages)
- https://github.com/notaryproject/notation/issues/549 (Plugin Installation)
- GitHub actions
9. Removing unwanted signature from signed images.(Samir) (P2) (2-3 weeks) (AWS) - Currently workaround exists, so tentative for rc-4. Can be prioritized post v1.0
- Samir to create the issue in the Roadmap repo, outline the scenarios and customer specific data.
- Only Spec for rc.3, implementation for post v1.0
- Oras CLI already supports it and should we bring to the Notation CLI) https://github.com/oras-project/oras/blob/main/cmd/oras/manifest/delete.go
10. Improve Error Message for Notation CLI (Functional Feature Requirement)(P2) (MSFT & AWS). This is ongoing improvement, address what comes out of the testing for v1.0. Continue post v1.0
- This needs more testing and fix only important one in rc.4 - (Issue #128)(github.com)
## POST RC-4 items prior to v1.0 (based on customer feedback and security audit feedback) - Apr 2023 prior to Kubecon.
1. Any left overs from the previous releases.
2. Bug fixes
3. Documentation
## POST GA Release Items - 2023
1. Support TSA (TimeStamp Authority) trust stores in trust policy (Non-Functional Feature Requirement)
- Large item for RC-3, to be planned for post 1.0 and mark it has P1.
2. Adding Payload validation (Non-Functional Feature Requirement) (P2)
- Need to make sure that application/vnd.cncf.notary.payload.v1+json content type abides by the rules.
- TargetArtifact : Required property whose value is the descriptor of the target artifact manifest that is being signed. Both [OCI descriptor](https://github.com/opencontainers/image-spec/blob/main/descriptor.md) and [ORAS artifact descriptors](https://github.com/oras-project/artifacts-spec/blob/main/descriptor.md) are supported.
- Descriptor MUST contain mediaType, digest, size fields.
- Descriptor MAY contain annotations and if present it MUST follow the [annotation rules](https://github.com/opencontainers/image-spec/blob/main/annotations.md#rules). Notation uses annotations for storing both Notary specific and user defined metadata. The prefix io.cncf.notary in annotation keys is reserved for use in Notation and MUST NOT be used outside this specification.
- Descriptor MAY contain artifactType field for artifact manifests, or the config.mediaType for oci.image based manifests.
3. Support Pagination as default option in Notation List CLI (Non-Functional Feature Requirement)(P4)
- Need to align based on the OCI Distribution Spec .
4. Address Open SSF Scorecard issues (Non-Functional Feature Requirement) (P4)
- Address all high and medium issues found during security code scanning.
5. Notation Push/Pull Signatures (Non-Functional Feature Requirement) (P3)
- Push and Pull signatures from remote registry, using tag or digest references.
- notation verify does push/pull automatically, and this really becomes more relevant once verifying local artifacts is enabled.
6. Timeout Implementation for signature verification (Non-Functional Feature Requirement) (P3) <span style="color:red">Pritesh: GOOD TO HAVE for GA</style>
- Notation's timeout property ensures signature verification API returns error.
7. Support expiry in Days (Non-Functional Feature Requirement) (P4)
- notation sign command supports an optional expiry flag for user to specify a "best by use" time for the artifact. The duration can be specified in minutes(m) or/and hours(h). The intention of this issue is to support duration in days, for example, 30d, 1d3h20m.
8. Notation CLI command for Trust Policy Management (Non-Functional Feature Requirement)(P3) <span style="color:red">Yi: Suggest moving to post 1.0 to prioritize feature: notation sign/verify offline artifacts for security purpose</style> (*Vani: Agree with Yi*)
- Configure trust policy using the notation cli.
9. Signing with local private keys:
- https://github.com/notaryproject/notation/issues/539
- https://github.com/notaryproject/roadmap/issues/44
10. Multiple Signature verification(Samir - to clarify, is it siganture format or some other type of signature - clarification is needed)
- Move to post rc-3 and post v1.0
- Spec and CLI to be updated (6-8 weeks)
Sign in with Wallet
