Skip to content

Commit

Permalink
Merge branch 'release/0.6.0' into releases
Browse files Browse the repository at this point in the history
Signed-off-by: Ying Li <[email protected]>
  • Loading branch information
cyli committed Feb 28, 2018
2 parents 3657629 + d25e8c4 commit 34f53ad
Show file tree
Hide file tree
Showing 1,620 changed files with 118,635 additions and 277,469 deletions.
7 changes: 5 additions & 2 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
/.vscode
/cmd/notary-server/notary-server
/cmd/notary-server/local.config.json
/cmd/notary-signer/local.config.json
/cmd/notary-server/local.config.*
/cmd/notary-signer/notary-signer
/cmd/notary-signer/local.config.*
/cmd/escrow/escrow
/cmd/escrow/local.config.*
cover
bin
cross
Expand Down
46 changes: 46 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,47 @@
# Changelog

## [v0.6.0](https://github.com/docker/notary/releases/tag/v0.6.0) 02/28/2018
+ **The project has been moved from https://github.com/docker/notary to https://github.com/theupdateframework/notary, as it has been accepted into the CNCF. Downstream users should update their go imports.**
+ Removed support for RSA-key exchange ciphers supported by the server and signer and require TLS >= 1.2 for the server and signer. [#1307](https://github.com/theupdateframework/notary/pull/1307)
+ `libykcs11` can be found in several additional locations on Fedora. [#1286](https://github.com/theupdateframework/notary/pull/1286/)
+ If a certificate is used as a delegation public key, notary no longer warns if the certificate has expired, since notary should be relying on the role expiry instead. [#1263](https://github.com/theupdateframework/notary/pull/1263)
+ An error is now returned when importing keys if there were invalid PEM blocks. [#1260](https://github.com/theupdateframework/notary/pull/1260)
+ Notary server authentication credentials can now be provided as an environment variable `NOTARY_AUTH`, which should contain a base64-encoded "username:password" value. [#1246](https://github.com/theupdateframework/notary/pull/1246)
+ Changefeeds are now supported for RethinkDB as well as SQL servers. [#1214](https://github.com/theupdateframework/notary/pull/1214)
+ Notary CLI will now time out after 30 seconds if a username and password are not provided when authenticating to anotary server, fixing an issue where scripts for the notary CLI may hang forever. [#1200](https://github.com/theupdateframework/notary/pull/1200)
+ Fixed potential race condition in the signer keystore. [#1198](https://github.com/theupdateframework/notary/pull/1198)
+ Notary now no longer provides the option to generate RSA keys for a repository, but externally generated RSA keys can still be imported as keys for a repository. [#1191](https://github.com/theupdateframework/notary/pull/1191)
+ Fixed bug where the notary client would `ioutil.ReadAll` responses from the server without limiting the size. [#1186](https://github.com/theupdateframework/notary/pull/1186)
+ Default notary CLI log level is now `warn`, and if the `-v` option is passed, it is at `info`. [#1179](https://github.com/theupdateframework/notary/pull/1179)
+ Example Postgres config now includes an example of mutual TLS authentication between the server/signer and Postgres. [#1160](https://github.com/theupdateframework/notary/pull/1160) [#1163](https://github.com/theupdateframework/notary/pull/1163/)
+ Fixed an error where piping the server authentication credentials via STDIN when scripting the notary CLI did not work. [#1155](https://github.com/theupdateframework/notary/pull/1155)
+ If the server and signer configurations forget to specify `parseTime=true` when using MySQL, notary server and signer will automatically add the option. [#1150](https://github.com/theupdateframework/notary/pull/1150)
+ Custom metadata can now be provided and read on a target when using the notary client as a library (not yet exposed on the CLI). [#1146](https://github.com/theupdateframework/notary/pull/1146)
+ `notary init` now accepts a `--root-cert` and `--root-key` flag for use with privately generated certificates and keys. [#1144](https://github.com/theupdateframework/notary/pull/1144)
+ `notary key generate` now accepts a `--role` flag as well as a `--output` flag. This means it can generate new targets or delegation keys, and it can also output keys to a file instead of storing it in the default notary key store. [#1134](https://github.com/theupdateframework/notary/pull/1134)
+ Newly generated keys are now stored encrypted and encoded in PKCS#8 format. *This is not forwards-compatible against notary <0.6.0*. [#1130](https://github.com/theupdateframework/notary/pull/1130) [#1201](https://github.com/theupdateframework/notary/pull/1201)
+ Added support for wildcarded certificate IDs in the trustpinning configuration [#1126](https://github.com/theupdateframework/notary/pull/1126)
+ Added support using the client against notary servers which are hosted as subpath under another server (e.g. https://domain.com/notary instead of https://notary.com) [#1108](https://github.com/theupdateframework/notary/pull/1108)
+ If no changes were made to the targets file, you are no longer required to sign the target [#1104](https://github.com/theupdateframework/notary/pull/1104)
+ escrow placeholder [#1096](https://github.com/theupdateframework/notary/pull/1096)
+ Added support for wildcard suffixes for root certificates CNs for root keys, so that a single root certificate would be valid for multiple repositories [#1088](https://github.com/theupdateframework/notary/pull/1088)
+ Root key rotations now do not require all previous root keys sign new root metadata. [#942](https://github.com/theupdateframework/notary/pull/942).
+ New keys are trusted if the root metadata file specifying the new key was signed by the previous root key/threshold
+ Root metadata can now be requested by version from the server, allowing clients with older root metadata to validate each new version one by one up to the current metadata
+ `notary key rotate` now accepts a flag specifying which key to rotate to [#942](https://github.com/theupdateframework/notary/pull/942)
+ Refactoring of the client to make it easier to use as a library and to inject dependencies:
+ References to GUN have now been changed to "imagename". [#1081](https://github.com/theupdateframework/notary/pull/1081)
+ `NewNotaryRepository` can now be provided with a remote store and changelist, as opposed to always constructing its own. [#1094](https://github.com/theupdateframework/notary/pull/1094)
+ If needed, the notary repository will be initialized first when publishing. [#1105](https://github.com/theupdateframework/notary/pull/1105)
+ `NewNotaryReository` now requires a non-nil cache store. [#1185](https://github.com/theupdateframework/notary/pull/1185)
+ The "No valid trust data" error is now typed. [#1212](https://github.com/theupdateframework/notary/pull/1212)
+ `TUFClient` was previously mistakenly exported, and is now unexported. [#1215](https://github.com/theupdateframework/notary/pull/1215)
+ The notary client now has a `Repository` interface type to standardize `client.NotaryRepository`. [#1220](https://github.com/theupdateframework/notary/pull/1220)
+ The constructor functions `NewFileCachedNotaryRepository` and `NewNotaryRepository` have been renamed, respectively, to `NewFileCachedRepository` and `NewRepository` to reduce redundancy. [#1226](https://github.com/theupdateframework/notary/pull/1226)
+ `NewRepository` returns an interface as opposed to the concrete type `NotaryRepository` it previously did. `NotaryRepository` is also now an unexported concrete type. [#1226](https://github.com/theupdateframework/notary/pull/1226)
+ Key import/export logic has been moved from the `utils` package to the `trustmanager` package. [#1250](https://github.com/theupdateframework/notary/pull/1250)


## [v0.5.0](https://github.com/docker/notary/releases/tag/v0.5.0) 11/14/2016
+ Non-certificate public keys in PEM format can now be added to delegation roles [#965](https://github.com/docker/notary/pull/965)
+ PostgreSQL support as a storage backend for Server and Signer [#920](https://github.com/docker/notary/pull/920)
Expand All @@ -8,6 +50,10 @@
+ The keys on disk are now stored in the `~/.notary/private` directory, rather than in a key hierarchy that separates them by GUN and by role. Notary will automatically migrate old-style directory layouts to the new style. **This is not forwards-compatible against notary<0.4.2 and docker<=1.12** [#872](https://github.com/docker/notary/pull/872)
+ A new changefeed API has been added to Notary Server. It is only supported when using one of the relational database backends: MySQL, PostgreSQL, or SQLite.[#1019](https://github.com/docker/notary/pull/1019)

## [v0.4.3](https://github.com/docker/notary/releases/tag/v0.4.3) 1/3/2017
+ Fix build tags for static notary client binaries in linux [#1039](https://github.com/docker/notary/pull/1039)
+ Fix key import for exported delegation keys [#1067](https://github.com/docker/notary/pull/1067)

## [v0.4.2](https://github.com/docker/notary/releases/tag/v0.4.2) 9/30/2016
+ Bump the cross compiler to golang 1.7.1, since [1.6.3 builds binaries that could have non-deterministic bugs in OS X Sierra](https://groups.google.com/forum/#!msg/golang-dev/Jho5sBHZgAg/cq6d97S1AwAJ) [#984](https://github.com/docker/notary/pull/984)

Expand Down
11 changes: 8 additions & 3 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Contributing to notary

## Before reporting an issue...
## Before reporting an issue...

### If your problem is with...

Expand All @@ -26,7 +26,7 @@ By following these simple rules you will get better and faster feedback on your

- search the bugtracker for an already reported issue

### If you found an issue that describes your problem:
### If you found an issue that describes your problem:

- please read other user comments first, and confirm this is the same issue: a given error condition might be indicative of different problems - you may also find a workaround in the comments
- please refrain from adding "same thing here" or "+1" comments
Expand Down Expand Up @@ -87,4 +87,9 @@ Complying to these simple rules will greatly accelerate the review process, and
## Review and Development notes

- All merges require LGTMs from any 2 maintainers.
- We use the git flow model (as best we can) using the `releases` branch as the stable branch, and the `master` branch as the development branch. When we get near a potential release, a release branch (`release/<semver>`) will be created from `master`. Any PRs that should go into the release should be made against that branch. Hotfixes for a minor release will be added to the branch `hotfox/<semver>`.
- We use the git flow model (as best we can) using the `releases` branch as the stable branch, and the `master` branch as the development branch. When we get near a potential release, a release branch (`release/<semver>`) will be created from `master`. Any PRs that should go into the release should be made against that branch. Hotfixes for a minor release will be added to the branch `hotfix/<semver>`.

## Vendoring new dependency versions

We use [VNDR](https://github.com/LK4D4/vndr); please update `vendor.conf` with the new dependency or the new version, and run
`vndr <top level package name>`.
20 changes: 4 additions & 16 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.7.1
FROM golang:1.9.4

RUN apt-get update && apt-get install -y \
curl \
Expand All @@ -10,29 +10,17 @@ RUN apt-get update && apt-get install -y \
xz-utils \
python \
python-pip \
python-setuptools \
--no-install-recommends \
&& rm -rf /var/lib/apt/lists/*

RUN useradd -ms /bin/bash notary \
&& pip install codecov \
&& go get github.com/golang/lint/golint github.com/fzipp/gocyclo github.com/client9/misspell/cmd/misspell github.com/gordonklaus/ineffassign github.com/HewlettPackard/gas

# Configure the container for OSX cross compilation
ENV OSX_SDK MacOSX10.11.sdk
ENV OSX_CROSS_COMMIT 8aa9b71a394905e6c5f4b59e2b97b87a004658a4
RUN set -x \
&& export OSXCROSS_PATH="/osxcross" \
&& git clone https://github.com/tpoechtrager/osxcross.git $OSXCROSS_PATH \
&& ( cd $OSXCROSS_PATH && git checkout -q $OSX_CROSS_COMMIT) \
&& curl -sSL https://s3.dockerproject.org/darwin/v2/${OSX_SDK}.tar.xz -o "${OSXCROSS_PATH}/tarballs/${OSX_SDK}.tar.xz" \
&& UNATTENDED=yes OSX_VERSION_MIN=10.6 ${OSXCROSS_PATH}/build.sh > /dev/null
ENV PATH /osxcross/target/bin:$PATH

ENV NOTARYDIR /go/src/github.com/docker/notary
ENV NOTARYDIR /go/src/github.com/theupdateframework/notary

COPY . ${NOTARYDIR}
RUN chmod -R a+rw /go
RUN chmod -R a+rw /go && chmod 0600 ${NOTARYDIR}/fixtures/database/*

WORKDIR ${NOTARYDIR}

# Note this cannot use alpine because of the MacOSX Cross SDK: the cctools there uses sys/cdefs.h and that cannot be used in alpine: http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h
Loading

0 comments on commit 34f53ad

Please sign in to comment.