Notarizing Assets

When using vcn with Codenotary Trustcenter, the notarization process creates a cryptographic signature of the asset and stores it in a cryptographically-verifiable immutable database (immudb). That signature can then be used to authenticate the asset and verify its integrity.

Notarize an asset with vcn

The most basic way to notarize an asset is to pass the asset to the vcn notarize command:

vcn notarize <artifact>

This command signs the combination of the asset’s name, version, and hash to uniquely identify it. vcn then sends the signature to Trustcenter, which stores an immutable record of the signature.

Notarizing assets with dependencies

Passing the --bom flag to the vcn notarize command notarizes the asset itself together with the asset’s dependencies. This process immutably associates the artifact with its dependencies in Trustcenter:

vcn notarize --bom <artifact>

Notarizing assets in bulk

If you need to notarize assets in bulk, you can supply a CSV file that enumerates the hash, name, and labels of each asset to the vcn notarize command:

vcn notarize --import-file <csv_file>

The contents of your CSV file should follow the format


where hash is the hash of the asset, name is the name of the asset, and labels is an optional list of semicolon-separated labels. For example, your CSV file will look something like this:


Add attachments to notarization transactions

To attach files containing user-defined supporting documentation (e.g., build pipeline metadata or deployment information) to a notarization transaction in Trustcenter, use the --attach flag to specify the path to the file and a label to identify it:

vcn notarize <artifact> --attach=<ATTACHMENT_PATH>[:<ATTACHMENT_LABEL>]

vcn notarize Flags Documentation
  • --attach
    • Add user-defined file attachments. This flag can be repeated to include multiple attachments.

      A label can be specified for each entry by appending it to the file path after a colon, for example: --attach=metadata.json:jobid123. When authenticating an asset with vcn authenticate, the same path and label can be specified with the --attach flag to retrieve that attachment. The label alone can be specified with the --attach flag to retrieve all attachments, e.g. vcn a <artifact> --attach=jobid123.
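
The following POSIX shell wrapper for the --attach syntax above is an added example, not code from the vcn project. It tags every attachment with one shared label so the whole set can later be retrieved by that label alone, and it refuses paths or labels that contain a colon, the character the flag uses as its separator. The function names and the VCN override variable are hypothetical.

```shell
#!/bin/sh
# Added example: build repeated --attach flags that share one label.
# attach_args, notarize_with_attachments and $VCN are hypothetical names.

# Print one "--attach=<path>:<label>" argument per line.
# Fails if the label is empty, if a label or path contains ':' (the
# path/label separator of the flag), or if a file does not exist.
attach_args() {
    label=$1; shift
    case $label in
        ''|*:*) echo "invalid label: $label" >&2; return 1 ;;
    esac
    for f in "$@"; do
        case $f in
            *:*) echo "path contains ':': $f" >&2; return 1 ;;
        esac
        [ -f "$f" ] || { echo "attachment not found: $f" >&2; return 1; }
        printf '%s\n' "--attach=$f:$label"
    done
}

# Notarize <artifact> with every file attached under the same label.
# Set VCN=echo for a dry run that prints the command instead of running it.
notarize_with_attachments() {
    artifact=$1; label=$2; shift 2
    # Validate everything before anything is sent to Trustcenter.
    attach_args "$label" "$@" >/dev/null || return 1
    n=$#
    for f in "$@"; do
        set -- "$@" "--attach=$f:$label"   # append one flag per file
    done
    shift "$n"                             # drop the raw paths, keep the flags
    "${VCN:-vcn}" notarize "$artifact" "$@"
}

# Usage (file names and label taken from the flag description above):
#   notarize_with_attachments <artifact> jobid123 metadata.json
#   vcn a <artifact> --attach=jobid123     # retrieves all attachments
```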