The Notary project has officially been accepted in to the Cloud Native Computing Foundation (CNCF). It has moved to https://github.com/theupdateframework/notary. Any downstream consumers should update their Go imports to use this new location, which will be the canonical location going forward.
We have moved the repo in GitHub, which will allow existing importers to continue using the old location via GitHub's redirect.
Notary aims to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server, which is inherently flawed, as any compromise of the server enables malicious content to be substituted for the legitimate content.
With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.
Consumers, having acquired the publisher's public key through a secure channel, can then communicate with any Notary server or (insecure) mirror, relying only on the publisher's key to determine the validity and integrity of the received content.
Notary is based on The Update Framework, a secure general design for the problem of software distribution and updates. By using TUF, Notary achieves a number of key advantages:
Any security vulnerabilities can be reported to email@example.com.
See Notary's service architecture docs for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
Notary has had two public security audits:
Get the Notary Client CLI binary from the official releases page or you can build one yourself. The version of the Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.
To use the Notary CLI with Docker hub images, have a look at Notary's getting started docs.
For more advanced usage, see the advanced usage docs.
To use the CLI against a local Notary server rather than against Docker Hub:
Ensure that you have docker and docker-compose installed.
git clone https://github.com/theupdateframework/notary.git and from the cloned repository path,
start up a local Notary server and signer and copy the config file and testing certs to your
local Notary config directory:
$ docker-compose build $ docker-compose up -d $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
127.0.0.1 notary-server to your
/etc/hosts, or if using docker-machine,
$(docker-machine ip) notary-server).
You can run through the examples in the
getting started docs and
advanced usage docs, but
-s (server URL) argument to the
notary command since the server
URL is specified already in the configuration, file you copied.
You can also leave off the
-d ~/.docker/trust argument if you do not care
notary with Docker images.
To prevent mistakes in vendoring the go modules a buildscript has been added to properly vendor the modules using the correct version of Go to mitigate differences in CI and development environment.
Following procedure should be executed to upgrade a dependency. Preferably keep dependency upgrades in a separate commit from your code changes.
go get -u github.com/spf13/viper buildscripts/circle-validate-vendor.sh git add . git commit -m "Upgraded github.com/spf13/viper"
go mod tidy and
go mod vendor using the given version of Go to prevent differences if you are for example running on a different version of Go.
GOPATH. Then, run:
$ export GO111MODULE=on $ go get github.com/theupdateframework/notary # build with pkcs11 support by default to support yubikey $ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary $ notary
To build the server and signer, run
：Code submit frequency
：React/respond to issue & PR etc.
：Well-balanced team members and collaboration
：Recent popularity of project
：Star counts, download counts etc.