notaryproject · FeynmanZhou · Feb 3, 2024 · Feb 20, 2024 · Feb 29, 2024 · Mar 2, 2024
@@ -1,2 +1,2 @@
 # Repo-Level Owners (in alphabetical order). Please note this is only for the notaryproject/notaryproject.dev repo
-* @FeynmanZhou @niazfk @iamsamirzon @justincormack @priteshbandi @shizhMSFT @stevelasker @toddysm @vaninrao10 @yizha1 @zr-msft
+* @FeynmanZhou @niazfk @iamsamirzon @priteshbandi @shizhMSFT @toddysm @vaninrao10 @yizha1
@@ -1,16 +1,20 @@
 # Org-Level Maintainers (in alphabetical order)
 # Pattern: [First Name] [Last Name] <[Email Address]> ([GitHub Handle])
-Justin Cormack <justin.cormack@docker.com> (@justincormack)
 Niaz Khan <niazfk@amazon.com> (@niazfk)
 Pritesh Bandi <priteshbandi@gmail.com> (@priteshbandi)
 Shiwei Zhang <shizh@microsoft.com> (@shizhMSFT)
-Steve Lasker <StevenLasker@hotmail.com> (@stevelasker)
 Toddy Mladenov <toddysm@gmail.com> (@toddysm)
+Vani Rao <vaninrao@amazon.com> (@vaninrao10)
+Yi Zha <yizha1@microsoft.com> (@yizha1)
 
 # Repo-Level Maintainers (in alphabetical order)
 # Note: This is for the notaryproject/notaryproject.dev repo
 Feynman Zhou <feynmanzhou@microsoft.com> (@FeynmanZhou)
 Samir Kakkar <iamsamir@amazon.com> (@iamsamirzon)
-Vani Rao <vaninrao@amazon.com> (@vaninrao10)
-Yi Zha <yizha1@microsoft.com> (@yizha1)
-Zach Rhoads <zachary.rhoads@microsoft.com> (@zr-msft)
+
+# Emeritus Org Maintainers (in alphabetical order)
+Justin Cormack <justin.cormack@docker.com> (@justincormack)
+Steve Lasker <StevenLasker@hotmail.com> (@stevelasker)
+
+# In memoriam
+Zach Rhoads <zachary.rhoads@microsoft.com> (@zr-msft)
@@ -0,0 +1,69 @@
+---
+title: Notary Project announces Notation v1.1.0!
+author:  "Notary Project Release Team"
+date: 2024-02-08
+draft: false
+---
+
+The Notary Project maintainers are proud to announce new releases for its sub-projects, including [Notary Project specifications v1.1.0](https://github.com/notaryproject/specifications/releases/tag/v1.1.0), [notation v1.1.0](https://github.com/notaryproject/notation/releases/tag/v1.1.0), [notation-go v1.1.0](https://github.com/notaryproject/notation-go/releases/tag/v1.1.0), and [notation-core-go v1.0.2](https://github.com/notaryproject/notation-core-go/releases/tag/v1.0.2), [Notation GitHub Actions v1.0.1](https://github.com/notaryproject/notation-action/releases/tag/v1.0.1) which are ready for production use! 
+
+Meanwhile, a new library [notation-plugin-framework-go
+](https://github.com/notaryproject/notation-plugin-framework-go) released the first release v1.0.0. It contains framework required to create notation plugins as per [Notation Plugin specification](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md). 
+
+## Notable Capabilities in this Release
+
+Here are some of the major capabilities and features included in this release.
+
+### Easier plugin management functionalities
+
+Notation has an [extensible design based on a plugin framework](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md). This framework provides plugin interfaces for users and vendors to implement their own integration with key/certificate management solutions or signing services. 
+
+In this release, Notation offers Notation plugin management capabilities to simplify the plugin user experience.  
+
+- Added new command `notation plugin install`. Users are now able to install a notation plugin directly from a URL or from their file system. Supported plugin installation formats are `.zip`, `.tar.gz`, and single plugin executable file. See an example usage below:
+
+```bash
+$ notation plugin install --file <file_path>
+```
+
+```bash
+$ notation plugin install --sha256sum <digest> --url <HTTPS_URL>
+```
+
+- Added new command `notation plugin uninstall`. Users are now able to uninstall a notation plugin by providing the plugin name. See an example usage below:
+
+```bash
+notation plugin uninstall <plugin_name>
+```
+
+The following plugins have been well tested with Notation plugin commands by Notary Project maintainers:
+
+- [AWS Signer plugin for Notation](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html)
+- [Azure Key Vault for Notation](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push)
+- [Venafi CodeSign Protect Signing Plugin for Notation](https://github.com/Venafi/notation-venafi-csp)
+
+### Specifications
+
+For plugin vendors who want to package and distribute a Notation plugin,  [Notation Plugin specification](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/plugin-extensibility.md) defines the plugin conventions to ensure plugins are delivered in a consistent format and compatible with `notation plugin` management commands.
+
+### Get started with Notation v1.1.0
+
+You can follow this [quick start](https://notaryproject.dev/docs/quickstart/) to try Notation v1.1.0 on your terminal.
+
+The default Notation CLI setup action in Notation GitHub Actions has also been updated to v1.1.0. It enables users to install Notation and its plugin, sign and verify OCI artifacts in GitHub Actions workflow with ease.
+
+To get started with Notation v1.1.0 in a CI/CD workflow, you can find the Notation GitHub Actions in the [Marketplace](https://github.com/marketplace/actions/notation-actions). 
+
+## What's next
+
+The Notary Project maintainers are considering the following features for future milestones. Feel free to reach out on the [Slack channel](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/) or [GitHub issues](https://github.com/notaryproject/notation/issues) to ask questions, provide feedback, or share ideas.
+
+- Sign and verify arbitrary blobs
+- Timestamping support
+- Improve error messages and verbose logs
+
+And more!
+
+## Acknowledgements
+
+The Notary Project release team wants to thank the entire Notary Project community for all the activity and engagement that has been vital for helping the project grow and reach this major milestone.
@@ -0,0 +1,18 @@
+---
+title: Bitnami now uses Notation for signing and verifying containers and Helm charts on Docker Hub
+author:  Beltran Rueda
+date: 2024-03-18
+draft: false
+---
+
+Bitnami-packaged open source software container images and Helm charts [available in DockerHub](https://hub.docker.com/u/bitnami) are now signed by [Notation](https://github.com/notaryproject/notation).
+
+[Bitnami](https://bitnami.com) provides the latest versions of pre-packaged, hardened, ready-to-deploy open source software application packages that enable developers to hit the ground running when building new applications and services on any platform. Bitnami open source software packages are highly popular with developers with over 500 million pulls per month and over 2 billion computer hours per year. This strong developer community of Bitnami has leveraged its robust application catalog to build millions of applications for almost 20 years now.
+
+In December 2023, [we announced](https://tanzu.vmware.com/content/tanzu-application-catalog-resources/tanzu-application-catalog-leverages-notation) that Tanzu Application Catalog, the enterprise edition of Bitnami Application Catalog, started making use of Notation as a tool for signing and verifying open container initiative (OCI) artifacts (e.g. container images, Helm charts, and metadata bundles.
+
+Now, we are happy to have extended our collaboration with Notation and announce the extension of this capability to the community edition of Bitnami-packaged container images and Helm charts in DockerHub as well.
+
+To know more about the benefits that the Bitnami users stand to enjoy with this integration and to learn how to verify the signature of a Bitnami-package, check out [this blog](https://blog.bitnami.com/2024/03/bitnami-packaged-containers-and-helm.html).
+
+If you are interested in learning more about Tanzu Application Catalog, check out their [product webpage](https://tanzu.vmware.com/application-catalog) and [additional resources](https://tanzu.vmware.com/content/vmware-application-catalog-resources/jun-23-boost-developer-productivity-and-operator-confidence-with-secure-open-source-components).
@@ -14,11 +14,12 @@ All organizations are sorted alphabetically below.
 | Organization | Website | Scenario | 
 | --- | --- | --- | 
 | Amazon | https://aws.amazon.com/ | [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-prerequisites.html) |
+| Bitnami | https://bitnami.com/ | [Sign and verify containers and Helm charts available in Docker Hub](https://blog.bitnami.com/2024/03/bitnami-packaged-containers-and-helm.html) |
 | containerd |  http://containerd.io/ |  [container image sign and verify with notation tool](https://github.com/containerd/nerdctl/blob/main/docs/notation.md) |
 | Harbor | https://goharbor.io/ |  [Storage and display Notary Project signature](https://goharbor.io/docs/main/working-with-projects/working-with-images/sign-images/#use-notationexperimental-to-sign-artifacts-with-distribution-spec-v11-mode) |
 | Kyverno | https://kyverno.io/ | [Support verifying Notary Project signature](https://kyverno.io/docs/writing-policies/verify-images/notary/) |
 | Microsoft | https://www.microsoft.com/ | [Build, sign, and verify container images using Notation and Azure Key Vault](https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push?wt.mc_id=azurelearn_inproduct_oss_notaryproject)  |
 | Ratify |  https://ratify.sh/ | Validating OCI Artifact signatures using Notation library |
 | Tanzu Application Catalog | https://tanzu.vmware.com/application-catalog | [Sign and Verify OCI artifacts (e.g. Helm charts, container images, and metadata bundles](https://tanzu.vmware.com/content/vmware-application-catalog-resources/tanzu-application-catalog-leverages-notation) |
 | Venafi | https://venafi.com/codesign-protect/ | [Sign and Verify container images using Notation and Venafi CodeSign Protect](https://github.com/Venafi/notation-venafi-csp) |
-
+| Nomad Admission Control Proxy | https://github.com/mxab/nacp | [Uses `notation-go` remote verify to validate images when deploying Nomad Jobs](https://github.com/mxab/nacp?tab=readme-ov-file#notation) |
@@ -5,17 +5,6 @@ type: docs
 weight: 7
 ---
 
-## What registries are compatible with the Notary Project OCI signature specification and its implementation in Notation?
-
-The following registries are compatible with the Notary Project OCI signature specification and its implementation in Notation:
-
-- [Azure Container Registry](https://learn.microsoft.com/azure/container-registry/?wt.mc_id=azurelearn_inproduct_oss_notaryproject)
-- [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html)
-- [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry)
-- [ORAS Distribution Registry](https://github.com/oras-project/distribution/pkgs/container/registry/64589674?tag=v1.0.0-rc.4)
-- [Zot registry](https://zotregistry.io/)
-
-
 ## JWS signature envelope
 
 **Q: Why is JWT not used as the signature envelope format?**
@@ -104,4 +93,4 @@ Below are the frequently asked questions about Notary Project terms. For detaile
 
 **Q: I've heard the term "Notary v2". What does this mean?**
 
-**A:** The term "Notary v2" or "notary v2" was previously used by members of the Notary Project community and others. However, various meanings were ascribed to it, leading to its ambiguous usage with some people referring to it as the entire Notary Project and others as the [Notation CLI](https://github.com/notaryproject/notation). Because of this ambiguity, the term "Notary v2" or "notary v2" is no longer used by the Notary Project community. While the term may still be visible in some articles on the internet, the name "Notary v2" or "notary v2" is only preserved for historical reasons and will not be used by the Notary Project community going forward.
+**A:** The term "Notary v2" or "notary v2" was previously used by members of the Notary Project community and others. However, various meanings were ascribed to it, leading to its ambiguous usage with some people referring to it as the entire Notary Project and others as the [Notation CLI](https://github.com/notaryproject/notation). Because of this ambiguity, the term "Notary v2" or "notary v2" is no longer used by the Notary Project community. While the term may still be visible in some articles on the internet, the name "Notary v2" or "notary v2" is only preserved for historical reasons and will not be used by the Notary Project community going forward.
@@ -30,7 +30,7 @@ docker run -d -p 5001:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true --name regist
 If the host port 5001 is already in use, you can use another host port. 
 {{% /alert %}}
 
-If you want to use Notation with other registries, refer to [which registries are compatible with Notary]({{< ref "/docs/faq#what-registries-are-compatible-with-notary" >}}) for more alternatives. See [Authenticate with OCI-compliant registries]({{< ref "/docs/user-guides/how-to/registry-authentication" >}}) when you log in to another OCI registry.
+If you want to use Notation with other registries, refer to [which registries support Notary Project signatures]({{< ref "/docs/registry-support" >}}) for more alternatives. See [Authenticate with OCI-compliant registries]({{< ref "/docs/user-guides/how-to/registry-authentication" >}}) when you log in to another OCI registry.
 
 ## Add an image to the OCI-compatible registry
 

@@ -0,0 +1,17 @@
+---
+title: "Registry support"
+description: "A list of registries that support Notary Project OCI signatures"
+type: docs
+weight: 9
+---
+
+The following registries, listed in alphabetical order, support Notary Project OCI signatures:
+
+- [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html)
+- [Azure Container Registry](https://learn.microsoft.com/azure/container-registry/?wt.mc_id=azurelearn_inproduct_oss_notaryproject)
+- [Distribution Distribution](https://github.com/distribution/distribution)
+- [Docker Hub](https://hub.docker.com)
+- [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry)
+- [Harbor](https://goharbor.io/)
+- [JFrog Artifactory](https://jfrog.com/artifactory/)
+- [Zot registry](https://zotregistry.io/)