25 changes: 24 additions & 1 deletion README.md
Expand Up @@ -4,12 +4,31 @@ Notation is a project to add signatures as standard items in the registry ecosys

## Table of Contents

- [Notation Quick Start](#notation-quick-start)
- [Branch](#branch)
- [Core Documents](#core-documents)
- [Community](#community)
- [Code of Conduct](#code-of-conduct)
- [License](#license)

## Notation Quick Start

- Install the Notation CLI from [Notation Releases][notation-releases]
```bash
curl -Lo notation.tar.gz https://github.com/shizhMSFT/notation/releases/download/v0.5.2/notation_0.5.2_linux_amd64.tar.gz
tar xvzf notation.tar.gz -C ~/bin notation
```
- Build, Push, Sign, Verify the `net-monitor` software
```bash
export IMAGE=localhost:5000/net-monitor:v1
docker build -t $IMAGE https://github.com/wabbit-networks/net-monitor.git#main
docker push $IMAGE
notation cert generate-test --default --trust "wabbit-networks-dev"
Contributor

It's not clear what --default and --trust do, and what is wabbit-networks-dev. We can add comments where we want to explain what a particular notation command does.

Contributor Author

This was the quick-start, which is an abbreviated version of: #78
This is the challenge with having required parameters, for good security reasons, while enabling quick-starts.
What would you suggest to keep that balance?

Contributor

The other docker commands are straightforward and probably well known to the reader. Where we introduce the notation commands, it would be nice to have a one line comments explaining what the specific command does.

Suggested change
notation cert generate-test --default --trust "wabbit-networks-dev"
# Generate a test certificate, make it the default for signing, and add it as a trusted identity for verification
notation cert generate-test --default --trust "wabbit-networks-dev"

notation sign $IMAGE
Contributor

Do we want to demonstrate push/pull signatures from repository?

Contributor Author

notation sign defaults to include push. There are separate apis for generating an offline signature, which we'd cover in a different walkthrough for offline/ephemeral client scenarios.

notation list $IMAGE
Contributor

A comment explaining what this command does will help.

Contributor Author

Similar to above and #78
How would you suggest the quick-start balance, compared to longer explanations?

Once we get automated builds, users could test this themselves, and call --help to get more details or see #78

Contributor

Suggested change
notation list $IMAGE
# List the image, and any associated signatures
notation list $IMAGE

notation verify $IMAGE
```

## Branch

[Prototype 2][prototype-2] - signing and verifying OCI artifacts, using signatures persisted [ORAS Artifacts manifests][artifact-manifest]
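Review bot: the install step at the top of this hunk fetches the CLI with `curl -Lo notation.tar.gz https://github.com/shizhMSFT/notation/releases/download/v0.5.2/...` and unpacks it straight into `~/bin` with no checksum or signature check, which is a poor first impression for a project whose purpose is artifact signing; pin a sha256 of the tarball and verify it before the `tar xvzf`, point at the project's own releases rather than a personal fork, and note that `-C ~/bin` assumes that directory exists and is on `PATH`. The `docker push $IMAGE` to `localhost:5000` also assumes a local registry that accepts ORAS Artifacts manifests is already running, and nothing in the quick start shows how to start one, so the first command a new user runs will fail; a one-line `docker run` of the referenced distribution build, or a pointer to the Branch section's setup, would fix that. The suggested one-line comments on `notation cert generate-test --default --trust "wabbit-networks-dev"` and `notation list $IMAGE` are worth taking, and `notation verify $IMAGE` deserves the same treatment, since it is the step that actually consults the trusted identity the first command created.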
Expand All @@ -36,4 +55,8 @@ This project has adopted the [CNCF Code of Conduct](https://github.com/cncf/foun

## License

This project is covered under the Apache 2.0 license. You can read the license [here](LICENSE).
This project is covered under the Apache 2.0 license. You can read the license [here](LICENSE).

[notation-releases]: https://github.com/shizhMSFT/notation/releases/tag/v0.5.0
[artifact-manifest]: https://github.com/oras-project/artifacts-spec/blob/main/artifact-manifest.md
[cncf-distribution]: https://github.com/oras-project/distribution
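Review bot: the `[notation-releases]` link added here points at `.../releases/tag/v0.5.0`, while the curl line in the quick start downloads `v0.5.2`; pick one version (or link the releases index instead of a tag) so the two cannot drift apart again. `[cncf-distribution]` is defined but nothing in the visible diff references it; if it is the registry the quick start pushes to, cite it from that step, otherwise drop the dangling definition. The paired `This project is covered under the Apache 2.0 license` lines read as a missing newline-at-end-of-file fix rather than a content change, which is fine.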