Notary v0.6.0 Release Notes

Release Date: 2018-03-01
  • v0.6.0

    • ⚡️ The project has been moved from https://github.com/docker/notary to https://github.com/theupdateframework/notary, as it has been accepted into the CNCF. Downstream users should update their Go import paths.
    • ✂ Removed support for RSA key-exchange cipher suites from the server and signer; the server and signer now also require TLS >= 1.2. #1307
    • ⚡️ libykcs11 can be found in several additional locations on Fedora. #1286
    • ⚡️ If a certificate is used as a delegation public key, notary no longer warns when the certificate has expired, since notary relies on the role's expiry instead. #1263
    • ⚡️ An error is now returned when importing keys if any PEM block is invalid. #1260
    • ⚡️ Notary server authentication credentials can now be provided as an environment variable NOTARY_AUTH, which should contain a base64-encoded "username:password" value. #1246
    • ⚡️ Changefeeds are now supported for RethinkDB as well as SQL servers. #1214
    • ⚡️ The notary CLI now times out after 30 seconds if a username and password are not provided when authenticating to a notary server, fixing an issue where scripts driving the notary CLI could hang forever. #1200
    • 🛠 Fixed potential race condition in the signer keystore. #1198
    • ⚡️ Notary no longer offers the option to generate RSA keys for a repository; externally generated RSA keys can still be imported as repository keys. #1191
    • 🛠 Fixed a bug where the notary client would ioutil.ReadAll responses from the server without limiting their size. #1186
    • ⚡️ Default notary CLI log level is now warn, and if the -v option is passed, it is at info. #1179
    • ⚡️ Example Postgres config now includes an example of mutual TLS authentication between the server/signer and Postgres. #1160 #1163
    • 🛠 Fixed an error where piping the server authentication credentials via STDIN when scripting the notary CLI did not work. #1155
    • ⚡️ If the server or signer MySQL configuration omits parseTime=true, notary server and signer now add the option automatically. #1150
    • 📇 Custom metadata can now be provided and read on a target when using the notary client as a library (not yet exposed on the CLI). #1146
    • ⚡️ notary init now accepts a --root-cert and --root-key flag for use with privately generated certificates and keys. #1144
    • ⚡️ notary key generate now accepts a --role flag as well as an --output flag. This means it can generate new targets or delegation keys, and it can write keys to a file instead of storing them in the default notary key store. #1134
    • 🐳 Newly generated keys are now stored encrypted in PKCS#8 format. Keys generated by notary >= 0.6.0 cannot be read by notary < 0.6.0 or docker < 17.12.x; likewise, keys generated by docker >= 17.12.x cannot be read by notary < 0.6.0. #1130 #1201
    • ➕ Added support for wildcarded certificate IDs in the trustpinning configuration #1126
    • ➕ Added support for using the client against notary servers hosted under a subpath of another server (e.g. https://domain.com/notary instead of https://notary.com). #1108
    • ⚡️ If no changes were made to the targets file, you are no longer required to re-sign it. #1104
    • ➕ Added support for wildcard suffixes in the CN of root certificates for root keys, so that a single root certificate can be valid for multiple repositories. #1088
    • 📇 Root key rotations no longer require that all previous root keys sign the new root metadata. #942
      • New keys are trusted if the root metadata file that introduces them was signed by the previous root keys at the previous root threshold.
      • Root metadata can now be requested from the server by version, allowing clients with older root metadata to validate each new version one by one up to the current metadata.
    • ⚡️ notary key rotate now accepts a flag specifying which key to rotate to #942
    • 🔨 Refactoring of the client to make it easier to use as a library and to inject dependencies:
      • References to GUN have now been changed to "imagename". #1081
      • NewNotaryRepository can now be provided with a remote store and changelist, as opposed to always constructing its own. #1094
      • If needed, the notary repository will be initialized first when publishing. #1105
      • NewNotaryRepository now requires a non-nil cache store. #1185
      • The "No valid trust data" error is now typed. #1212
      • TUFClient was previously mistakenly exported, and is now unexported. #1215
      • The notary client now has a Repository interface type to standardize client.NotaryRepository. #1220
      • The constructor functions NewFileCachedNotaryRepository and NewNotaryRepository have been renamed, respectively, to NewFileCachedRepository and NewRepository to reduce redundancy. #1226
      • NewRepository returns an interface as opposed to the concrete type NotaryRepository it previously did. NotaryRepository is also now an unexported concrete type. #1226
      • Key import/export logic has been moved from the utils package to the trustmanager package. #1250
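
For the #1307 item above, an added Go crypto/tls example (not notary's own server or signer configuration code) of what "no RSA key exchange, TLS >= 1.2" looks like in practice: the suites Go implements are filtered by name so that only TLS 1.2 ECDHE suites remain, and MinVersion is pinned. TLS 1.3 suites are left off the list because Go does not make them configurable and they always use an (EC)DHE exchange. All function names here are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// rsaKeyExchange reports whether a cipher suite name denotes plain RSA key
// exchange (no forward secrecy), e.g. TLS_RSA_WITH_AES_128_GCM_SHA256.
// ECDHE suites are named TLS_ECDHE_RSA_* or TLS_ECDHE_ECDSA_*, so the prefix
// check keeps them.
func rsaKeyExchange(name string) bool {
	return strings.HasPrefix(name, "TLS_RSA_")
}

// supportsTLS12 reports whether the suite can be negotiated under TLS 1.2;
// TLS 1.3 suites list only VersionTLS13 and cannot be configured in Go.
func supportsTLS12(cs *tls.CipherSuite) bool {
	for _, v := range cs.SupportedVersions {
		if v == tls.VersionTLS12 {
			return true
		}
	}
	return false
}

// AllowedCipherSuites returns the IDs of the TLS 1.2 suites Go implements
// (tls.CipherSuites already leaves out suites with known weaknesses) that use
// an ECDHE key exchange.
func AllowedCipherSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if supportsTLS12(cs) && !rsaKeyExchange(cs.Name) {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// AllowedSuiteNames returns the same list by name, for logging or audit.
func AllowedSuiteNames() []string {
	var names []string
	for _, id := range AllowedCipherSuites() {
		names = append(names, tls.CipherSuiteName(id))
	}
	return names
}

// SuiteAllowed reports whether a suite ID is in the allowed list.
func SuiteAllowed(id uint16) bool {
	for _, a := range AllowedCipherSuites() {
		if a == id {
			return true
		}
	}
	return false
}

// ServerTLSConfig is the hardened server configuration. The weak variant it
// replaces is the same struct with only Certificates set: no MinVersion (so
// TLS 1.0/1.1 may be negotiated) and Go's default suite list.
func ServerTLSConfig(certs ...tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: certs,
		MinVersion:   tls.VersionTLS12,
		CipherSuites: AllowedCipherSuites(),
	}
}

func main() {
	for _, cs := range tls.CipherSuites() {
		fmt.Printf("%-45s allowed=%v\n", cs.Name, SuiteAllowed(cs.ID))
	}
}
```

Clients talking to the server and signer need a matching configuration; a client that only offers TLS_RSA_* suites or TLS 1.1 will fail the handshake against this config, which is the intended outcome.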
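
For the #1186 item above, an added Go example (not the notary client's own code) showing the unbounded pattern beside a bounded replacement. Reading an untrusted server's body with ioutil.ReadAll (io.ReadAll in current Go) buffers whatever the server sends, so a malicious or compromised server can exhaust client memory; the bounded version rejects oversized bodies instead of truncating them. The limit value, the error variable and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrResponseTooLarge is returned when a server body exceeds the caller's limit.
var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// readAllUnbounded is the pattern #1186 removes: io.ReadAll buffers the whole
// body in memory, however large the server makes it.
func readAllUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// ReadBounded reads at most limit bytes. It asks the LimitReader for limit+1
// bytes so that a body of exactly limit bytes is accepted, while a longer body
// is rejected with an error instead of being silently truncated (a truncated
// metadata file would otherwise fail later with a confusing parse error).
func ReadBounded(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// FetchMetadata fetches url with client and returns at most limit bytes of the
// body; it is the call site where the bounded read replaces the unbounded one.
func FetchMetadata(client *http.Client, url string, limit int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, url)
	}
	return ReadBounded(resp.Body, limit)
}

func main() {
	// Constructed input: a 1 MiB body standing in for an oversized server response.
	oversized := strings.NewReader(strings.Repeat("A", 1<<20))
	_, err := ReadBounded(oversized, 64*1024)
	fmt.Println("bounded read of oversized body:", err)

	small, _ := ReadBounded(strings.NewReader(`{"signed":{}}`), 64*1024)
	fmt.Println("bounded read of small body:", string(small))
}
```

The limit should be chosen per metadata type (root and targets files have very different expected sizes); what matters is that it is finite and that exceeding it is an error, not a silent cut.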
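
The rotation procedure described under #942, as an added Go example that is not notary's own TUF client code: a simplified root metadata structure (ed25519 keys, a key ID derived from the public key, a threshold) and the client walk that fetches root versions one at a time from a version-indexed store, accepting each only if the previous root's keys signed it at the previous threshold. Beyond the page's sentence it also checks that each new root is signed by its own keys at its own threshold, as TUF requires, and that versions are consecutive. The type names, the JSON layout and the demo chain are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// RootSigned is the signed body of a root file (simplified from TUF): version,
// signing threshold and the root public keys indexed by key ID.
type RootSigned struct {
	Version   int               `json:"version"`
	Threshold int               `json:"threshold"`
	Keys      map[string][]byte `json:"keys"`
}

// Root is the signed body plus signatures indexed by the signing key's ID.
type Root struct {
	Signed     RootSigned
	Signatures map[string][]byte
}

var ErrBadRoot = errors.New("root metadata rejected")

func keyID(pub []byte) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:]) }

// bytes is the signed payload; json.Marshal sorts map keys, so it is deterministic.
func (s RootSigned) bytes() []byte {
	b, _ := json.Marshal(s)
	return b
}

// countValid returns how many of r's signatures verify under the given keys.
func countValid(r *Root, keys map[string][]byte) int {
	n := 0
	for id, sig := range r.Signatures {
		if pub, ok := keys[id]; ok && len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), r.Signed.bytes(), sig) {
			n++
		}
	}
	return n
}

// UpdateRoot starts from the root the client already trusts and asks fetch for
// version N+1, N+2, ... until fetch returns nil. Each new version must be the next
// consecutive one, signed by the previous root's keys at the previous threshold
// and by its own keys at its own threshold; on failure the last good root is kept.
func UpdateRoot(trusted *Root, fetch func(version int) *Root) (*Root, error) {
	for {
		want := trusted.Signed.Version + 1
		next := fetch(want)
		if next == nil {
			return trusted, nil
		}
		switch {
		case next.Signed.Version != want:
			return trusted, fmt.Errorf("%w: asked for v%d, got v%d", ErrBadRoot, want, next.Signed.Version)
		case countValid(next, trusted.Signed.Keys) < trusted.Signed.Threshold:
			return trusted, fmt.Errorf("%w: v%d not signed by previous root threshold", ErrBadRoot, want)
		case countValid(next, next.Signed.Keys) < next.Signed.Threshold:
			return trusted, fmt.Errorf("%w: v%d not signed by its own threshold", ErrBadRoot, want)
		}
		trusted = next
	}
}

// NewRoot builds a root listing keys and signs it with every signer; a rotation
// is signed by keys from the previous root as well as its own.
func NewRoot(version, threshold int, keys []ed25519.PublicKey, signers ...ed25519.PrivateKey) *Root {
	r := &Root{Signed: RootSigned{Version: version, Threshold: threshold, Keys: map[string][]byte{}},
		Signatures: map[string][]byte{}}
	for _, p := range keys {
		r.Signed.Keys[keyID(p)] = p
	}
	for _, s := range signers {
		r.Signatures[keyID(s.Public().(ed25519.PublicKey))] = ed25519.Sign(s, r.Signed.bytes())
	}
	return r
}

// DemoChain constructs (not taken from any real repository) a server store with
// root v1 (key A), v2 rotated to key B and signed by A and B, and v3 rotated to
// key C and signed by B and C only. It returns the store and root v1.
func DemoChain() (map[int]*Root, *Root) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	pubC, privC, _ := ed25519.GenerateKey(rand.Reader)
	v1 := NewRoot(1, 1, []ed25519.PublicKey{pubA}, privA)
	v2 := NewRoot(2, 1, []ed25519.PublicKey{pubB}, privA, privB)
	v3 := NewRoot(3, 1, []ed25519.PublicKey{pubC}, privB, privC)
	return map[int]*Root{1: v1, 2: v2, 3: v3}, v1
}

func main() {
	store, trusted := DemoChain()
	final, err := UpdateRoot(trusted, func(v int) *Root { return store[v] })
	fmt.Println("client trusts root version", final.Signed.Version, "err:", err)
}
```

Key A never signs v3, which is the point of #942: a client at v1 reaches v3 by trusting each step in turn, rather than needing every historical root key on the latest file. A version served out of order, or a new root missing the previous threshold's signatures, stops the walk at the last validated version.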

    SHA256

    cross/notary-Darwin-amd64 a58af6a845160d36c650a6d4441ed76d4ca7776a6676bfc5a54658bb275fad8d 
    cross/notary-Linux-amd64 f4e421b3bb3c32c39372f7f02fbe80c67580cccd381f9722b1c702b3ab63a1c7
    cross/notary-Windows-amd64.exe 9f5e419adbeb19c655f3229ecc5922fe2934b0098d6207089baa679f64949787