Docker v0.6.0 Release Notes
Release Date: 2018-03-01
v0.6.0
- ⚡️ The project has been moved from https://github.com/docker/notary to https://github.com/theupdateframework/notary, as it has been accepted into the CNCF. Downstream users should update their go imports.
- ✂ Removed support for RSA-key exchange ciphers supported by the server and signer and require TLS >= 1.2 for the server and signer. #1307
- ⚡️ `libykcs11` can be found in several additional locations on Fedora. #1286
- ⚡️ If a certificate is used as a delegation public key, notary no longer warns if the certificate has expired, since notary should be relying on the role expiry instead. #1263
- ⚡️ An error is now returned when importing keys if there were invalid PEM blocks. #1260
- ⚡️ Notary server authentication credentials can now be provided as an environment variable `NOTARY_AUTH`, which should contain a base64-encoded "username:password" value. #1246
- ⚡️ Changefeeds are now supported for RethinkDB as well as SQL servers. #1214
- ⚡️ Notary CLI will now time out after 30 seconds if a username and password are not provided when authenticating to a notary server, fixing an issue where scripts for the notary CLI may hang forever. #1200
- 🛠 Fixed potential race condition in the signer keystore. #1198
- ⚡️ Notary now no longer provides the option to generate RSA keys for a repository, but externally generated RSA keys can still be imported as keys for a repository. #1191
- 🛠 Fixed bug where the notary client would `ioutil.ReadAll` responses from the server without limiting the size. #1186
- ⚡️ Default notary CLI log level is now `warn`, and if the `-v` option is passed, it is at `info`. #1179
- ⚡️ Example Postgres config now includes an example of mutual TLS authentication between the server/signer and Postgres. #1160 #1163
- 🛠 Fixed an error where piping the server authentication credentials via STDIN when scripting the notary CLI did not work. #1155
- ⚡️ If the server and signer configurations forget to specify `parseTime=true` when using MySQL, notary server and signer will automatically add the option. #1150
- 📇 Custom metadata can now be provided and read on a target when using the notary client as a library (not yet exposed on the CLI). #1146
- ⚡️ `notary init` now accepts a `--root-cert` and `--root-key` flag for use with privately generated certificates and keys. #1144
- ⚡️ `notary key generate` now accepts a `--role` flag as well as an `--output` flag. This means it can generate new targets or delegation keys, and it can also output keys to a file instead of storing them in the default notary key store. #1134
- 🐳 Newly generated keys are now stored encrypted and encoded in PKCS#8 format. This is not forwards-compatible against notary<0.6.0 and docker<17.12.x. Also please note that docker>=17.12.x is not forwards compatible with notary<0.6.0. #1130 #1201
- ➕ Added support for wildcarded certificate IDs in the trustpinning configuration. #1126
- ➕ Added support for using the client against notary servers which are hosted as a subpath under another server (e.g. https://domain.com/notary instead of https://notary.com). #1108
- ⚡️ If no changes were made to the targets file, you are no longer required to sign the target. #1104
- ➕ Added support for wildcard suffixes for root certificate CNs for root keys, so that a single root certificate would be valid for multiple repositories. #1088
- 📇 Root key rotations now do not require all previous root keys to sign new root metadata. #942
  - New keys are trusted if the root metadata file specifying the new key was signed by the previous root key/threshold.
  - Root metadata can now be requested by version from the server, allowing clients with older root metadata to validate each new version one by one up to the current metadata.
- ⚡️ `notary key rotate` now accepts a flag specifying which key to rotate to. #942
- 🔨 Refactoring of the client to make it easier to use as a library and to inject dependencies:
  - References to GUN have now been changed to "imagename". #1081
  - `NewNotaryRepository` can now be provided with a remote store and changelist, as opposed to always constructing its own. #1094
  - If needed, the notary repository will be initialized first when publishing. #1105
  - `NewNotaryRepository` now requires a non-nil cache store. #1185
  - The "No valid trust data" error is now typed. #1212
  - `TUFClient` was previously mistakenly exported, and is now unexported. #1215
  - The notary client now has a `Repository` interface type to standardize `client.NotaryRepository`. #1220
  - The constructor functions `NewFileCachedNotaryRepository` and `NewNotaryRepository` have been renamed, respectively, to `NewFileCachedRepository` and `NewRepository` to reduce redundancy. #1226
  - `NewRepository` returns an interface as opposed to the concrete type `NotaryRepository` it previously did. `NotaryRepository` is also now an unexported concrete type. #1226
  - Key import/export logic has been moved from the `utils` package to the `trustmanager` package. #1250
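As an added example (not notary's own code) of the unbounded-read bug fixed in #1186: the pre-fix pattern that buffers a server response without a size limit, beside the bounded form a client should use. The limit, the error value and the `endlessReader` stand-in for a misbehaving server are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// ErrResponseTooLarge is returned when a server response exceeds the limit.
var ErrResponseTooLarge = errors.New("server response exceeds maximum allowed size")

// endlessReader is a constructed stand-in for a misbehaving server whose
// response body never ends: every Read fills the buffer and never returns EOF.
type endlessReader struct{}

func (endlessReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// readAllUnbounded is the pre-#1186 shape: the whole body is buffered in memory
// regardless of size. Against endlessReader it would allocate until the process
// is killed, so it must never be used on a body the server controls.
func readAllUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readAllBounded is the hardened form: io.LimitReader caps the read at maxSize
// bytes. One extra byte is requested so the caller can distinguish a body of
// exactly maxSize bytes from one that was cut off, which is reported as an error.
func readAllBounded(body io.Reader, maxSize int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, maxSize+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxSize {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

func main() {
	const maxMetadataSize = 1024 // constructed limit for the demo, not notary's value
	_, err := readAllBounded(endlessReader{}, maxMetadataSize)
	fmt.Println("endless body:", err) // readAllUnbounded on the same body would never return
}
```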
SHA256
- cross/notary-Darwin-amd64: a58af6a845160d36c650a6d4441ed76d4ca7776a6676bfc5a54658bb275fad8d
- cross/notary-Linux-amd64: f4e421b3bb3c32c39372f7f02fbe80c67580cccd381f9722b1c702b3ab63a1c7
- cross/notary-Windows-amd64.exe: 9f5e419adbeb19c655f3229ecc5922fe2934b0098d6207089baa679f64949787