Create Ledger
Enter the Trustcenter:
https://<address>
user: username
password: password
On Trustcenter Home page click the + Add Ledger
Enter Ledger name
Optionally add labels to the ledger
Add SignerId
As admin on Trustcenter Ledger page select ledger
On top choose Signer Ids tab
Click + Create Signer ID
Enter signer ID name and accept
Copy API KEY value for later use, Click Done
Download vcn
Enter website downloads.codenotary.com
Username: cnccli
Password: GetCLI4CNC
Download the binary for Windows or Linux
Save in your path and rename the file to vcn
(on linux) Make the file executable: $ chmod +x vcn
(on linux) Store vcn in your PATH: $
sudo cp vcn /usr/local/bin/vcn
(on windows) Add the folder with vcn to you PATH.
In command prompt run as admin:
setx /M path "%path%;C:\ path\to\vcn\"
Login using vcn (on linux)
Create an empty text file and fill it with contents
(without the brackets < > ):
export VCN_LC_HOST=eval-honeywell.codenotary.com
export VCN_LC_API_KEY= <paste your API KEY here>
export VCN_LC_PORT=443
Save the file as TC_credentials
Run $ source TC_credentials
Run $ vcn login
You are now logged in to Trustcenter with vcn
Login using vcn (on Windows 11)
Create an empty text file and fill it with contents
setx VCN_LC_HOST "<address>" /M
setx VCN_LC_API_KEY "<paste API KEY here >" /M
setx VCN_LC_PORT "443" /M
Save the file as TC_credentials.bat
Run as admin in command prompt: > TC_credentials.bat
Run > vcn login
You are now logged in to Trustcenter with vcn
Notarize source code
To notarize git repository clone it, eg.:
git clone https://github.com/codenotary/immudb.git
Then notarize the repository:
vcn notarize git://immudb
or simply
vcn n git://immudb
Notarize .py files in current directory:
vcn n -r "./*.py"
Notarize Python library:
vcn n pythoncom://[email protected]
Get more help:
vcn help
vcn n --help
Notarize binary
Navigate to the folder where the binary is
Run vcn notarize
• with label
vcn n artifact --labels-add “label1”
• With metadata:
vcn n artifact --attr “key=value”
You can combine many options in one command.
You can add multiple –attr (metadata) options
Notarize java WAR file: vcn n <war_file>
Notarize image: vcn n image://<image_name>
Also available: container:// and docker://
Notarize image
Notarizing a local Docker image
vcn n image://<image_name:image_version> --image-dockerdaemon
Notarizing an example Docker image from Docker Hub (nginx version perl on linux/386 architecture):
vcn.exe n --bom image://nginx:perl --image-platform linux/386 -- image-registry-user <username>
--image-registry-password <password>
Notarize sbom
Sbom = software bill of materials
• Notarize with sbom:
vcn n --bom <file>
• write bom to file:
vcn n –bom <file> --bom-spdx <spdx_file>
Notarize with attachment
vcn n <file> --attach <file_to_attach>
Authenticate source code, binary, sbom
vcn a git://immudb
vcn a <file>
vcn a <file> --bom
Get a report of bom content:
vcn a --bom --bom-what-includes image://alpine:latest
Untrust binary
vcn untrust <file>
Unsupport binary
vcn unsupport <file>
Generate BOM only
Navigate to the folder where the binary is
vcn bom <file>
To generate SPDX file:
vcn bom <file> --bom-spdx <spdx_filename>
To generate CycloneDX file:
vcn bom <file> --bom-cdx-json <spdx_filename>
Scan for vulnerabilities
Navigate to the folder where the binary is
vcn bom <file> --vuln-scan --experimental
To generate vuln scan report file:
vcn bom <file> --vuln-scan --experimental --vuln-report <file>
Notarize only if vulnerabilities are acceptable
You can set a limit on how many vulnerabilities are acceptable and notarize only below the limit:
vcn n image://zricethezav/gitleaks --experimental --vuln-scan --image-docker-daemon --vuln-max-critical 10
--vuln-max-high 10
All in one
One command to produce BOM file, vuln report and notarize only if vulnerabilities are acceptable:
vcn n image://zricethezav/gitleaks --vuln-scan --bom --vuln-max-critical 999 --vuln-max-high 999 --experimental
--vuln-report gitleaks_vuln.txt --bom-cdx-json gitleaks.cdx --image-docker-daemon
Loading data from CSV file
Prepare a CSV file (comma separated text file) by putting in columns hash, name and labels.
• Hash needs to contain an even number (at least 12) of any of these characters: 0-9, a-f, A-F
• Name can be any string
• Optional <labels> field may contain semicolon-separated list of labels to set for the asset.
vcn n --import-file <csv file name>
This puts artifact data in Trustcenter as if this artifact was notarized.
Using local API server
In a new window start local VCN API server (providing the -- lc-host you usually use as Trustcenter) which works as proxy to the cloud TC:
vcn serve --lc-host= --lc-port=443
Now you can use curl to notarize and authenticate assets. Example notarization:
curl localhost:8080/notarize -X POST -d '{"hash": "5f5ffe805897f33cf667767cdafd818170f888d5a9c09b969f7 01153064b3216", "name": "test3.py", "kind": "python"}' -sH "x-notarization-lc-api-key: <put your API KEY here>"
Example authentication:bom
curl http://localhost:8080/authenticate/<put asset hash here> -H "x-notarization-lc-api-key: <put your API key here>"
Simple search
To search select Query Ledger in Trustcenter.
• Html search for html as whole word anywhere
• *log4j* search for log4j as part of the word anywhere • ledger_name:"l02" Search for all documents notarized in l02 ledger
• signer_id:"user1" Search for all documents notarized by SignerID user1
• status:"untrusted" Search all untrusted documents. Other statuses: trusted, unsupported
• kind:"dir" Search for all directory artifacts List of kinds: container, dir, docker, dpkg, file, git, go, image, java, node, python, rust
• attachment_filenames:* artifacts with attachment
• includes:* artifacts that have the sbom
• metadata:(*) documents with nonempty metadata
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article