Codenotary Trustcenter & vcn cheat sheet

Created by Xinxiang Wang, Modified on Fri, 15 Dec, 2023 at 12:17 AM by Kristaps Felzenbergs

Create Ledger

Enter the Trustcenter:

https://<address>

user: username

password: password 

On Trustcenter Home page click the + Add Ledger 

Enter Ledger name

Optionally add labels to the ledger 


Add SignerId 

As admin on Trustcenter Ledger page select ledger 

On top choose Signer Ids tab 

Click + Create Signer ID

Enter signer ID name and accept 

Copy API KEY value for later use, Click Done 


Download vcn 

Enter website downloads.codenotary.com 

Username: cnccli 

Password: GetCLI4CNC 

Download the binary for Windows or Linux 

Save in your path and rename the file to vcn 

(on linux) Make the file executable: $ chmod +x vcn

(on linux) Store vcn in your PATH: $ sudo cp vcn /usr/local/bin/vcn

(on windows) Add the folder with vcn to your PATH.

In command prompt run as admin:

setx /M path "%path%;C:\path\to\vcn"


Login using vcn (on linux)

Create an empty text file and fill it with contents (without the brackets < >):

export VCN_LC_HOST=eval-honeywell.codenotary.com 

export VCN_LC_API_KEY=<paste your API KEY here>

export VCN_LC_PORT=443 

Save the file as TC_credentials 

Run $ source TC_credentials

Run $ vcn login

You are now logged in to Trustcenter with vcn 
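TC_credentials holds the API key in clear text, so it should be readable by its owner only. The loader below is an added example, not part of the original cheat sheet or of vcn: the function name load_tc_credentials is hypothetical, and it sources the file only when the group and other permission bits are clear, then checks the three VCN_LC_* variables from the steps above.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): source TC_credentials only when
# the file is private to its owner, then confirm the three VCN_LC_* variables
# from the login step are set in the shell.
load_tc_credentials() {
    cred_file=${1:-TC_credentials}
    # "." searches PATH for bare names, so anchor them to the current directory.
    case $cred_file in */*) ;; *) cred_file=./$cred_file ;; esac

    if [ ! -f "$cred_file" ]; then
        echo "missing credentials file: $cred_file" >&2
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group/other bits; every
    # one must be "-" (as in -rw-------) or other local users can read the key.
    mode=$(ls -ld -- "$cred_file" | cut -c1-10)
    case $mode in
        ????------) ;;
        *)
            echo "refusing $cred_file (mode $mode): run chmod 600 on it" >&2
            return 2
            ;;
    esac

    . "$cred_file" || return 3

    for var in VCN_LC_HOST VCN_LC_API_KEY VCN_LC_PORT; do
        eval "value=\${$var:-}"
        if [ -z "$value" ]; then
            echo "$cred_file does not set $var" >&2
            return 4
        fi
    done
}

# Usage: load_tc_credentials TC_credentials && vcn login
```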


Login using vcn (on Windows 11)

Create an empty text file and fill it with contents 

setx VCN_LC_HOST "<address>" /M 

setx VCN_LC_API_KEY "<paste API KEY here>" /M

setx VCN_LC_PORT "443" /M

Save the file as TC_credentials.bat 

Run as admin in command prompt: > TC_credentials.bat

Run > vcn login 

You are now logged in to Trustcenter with vcn 


Notarize source code

To notarize a git repository, clone it first, e.g.:

git clone https://github.com/codenotary/immudb.git

Then notarize the repository: 

vcn notarize git://immudb

or simply 

vcn n git://immudb

Notarize .py files in current directory: 

vcn n -r "./*.py"

Notarize Python library: 

vcn n pythoncom://numpy@1.18

Get more help: 

vcn help

vcn n --help


Notarize binary

Navigate to the folder where the binary is

Run vcn notarize 

    • With label:

vcn n artifact --labels-add "label1"

    • With metadata:

vcn n artifact --attr "key=value"

You can combine many options in one command.

You can add multiple --attr (metadata) options.

Notarize java WAR file: vcn n <war_file>

Notarize image: vcn n image://<image_name>

Also available: container:// and docker:// 


Notarize image

Notarizing a local Docker image 

vcn n image://<image_name:image_version> --image-dockerdaemon 

Notarizing an example Docker image from Docker Hub (nginx version perl on linux/386 architecture): 

vcn.exe n --bom image://nginx:perl --image-platform linux/386 --image-registry-user <username> --image-registry-password <password>


Notarize sbom

SBOM = software bill of materials

    • Notarize with SBOM:

vcn n --bom <file>

    • Write BOM to file:

vcn n --bom <file> --bom-spdx <spdx_file>


Notarize with attachment 

vcn n <file> --attach <file_to_attach>


Authenticate source code, binary, sbom

vcn a git://immudb 

vcn a <file>

vcn a <file> --bom

Get a report of bom content: 

vcn a --bom --bom-what-includes image://alpine:latest 


Untrust binary

vcn untrust <file>


Unsupport binary

vcn unsupport <file>


Generate BOM only

Navigate to the folder where the binary is

vcn bom <file>

To generate SPDX file: 

vcn bom <file> --bom-spdx <spdx_filename>

To generate CycloneDX file: 

vcn bom <file> --bom-cdx-json <cdx_filename>


Scan for vulnerabilities

Navigate to the folder where the binary is

vcn bom <file> --vuln-scan --experimental

To generate vuln scan report file: 

vcn bom <file> --vuln-scan --experimental --vuln-report <file>


Notarize only if vulnerabilities are acceptable

You can set a limit on how many vulnerabilities are acceptable and notarize only below the limit: 

vcn n image://zricethezav/gitleaks --experimental --vuln-scan --image-docker-daemon --vuln-max-critical 10 --vuln-max-high 10


All in one

One command to produce BOM file, vuln report and notarize only if vulnerabilities are acceptable: 

vcn n image://zricethezav/gitleaks --vuln-scan --bom --vuln-max-critical 999 --vuln-max-high 999 --experimental --vuln-report gitleaks_vuln.txt --bom-cdx-json gitleaks.cdx --image-docker-daemon


Loading data from CSV file

Prepare a CSV file (comma separated text file) by putting in columns hash, name and labels. 

• Hash needs to contain an even number (at least 12) of any of these characters: 0-9, a-f, A-F 

• Name can be any string 

• The optional <labels> field may contain a semicolon-separated list of labels to set for the asset.

vcn n --import-file <csv file name>

This puts artifact data in Trustcenter as if this artifact was notarized. 
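Because an imported row is treated as if the artifact had been notarized, it is worth checking the file before running the import. The two helpers below are an added example, not part of the original cheat sheet or of vcn. The names csv_row_for and check_import_csv are hypothetical, and the example assumes no header row, unquoted fields, a non-empty name, and SHA-256 as the hash stored for files.

```sh
#!/bin/sh
# Added example (not from the cheat sheet). Assumptions: no header row, fields
# are unquoted, and SHA-256 is the hash stored for files.

# csv_row_for FILE [LABELS]: print one "hash,name[,labels]" row for FILE.
csv_row_for() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    name=$(basename -- "$1")
    case $name in *,*) echo "comma in name: $name" >&2; return 1 ;; esac
    hash=$(sha256sum < "$1" | cut -d' ' -f1)
    printf '%s,%s%s\n' "$hash" "$name" "${2:+,$2}"
}

# check_import_csv FILE: print one line per row that breaks the rules listed
# above (hash: hex only, at least 12 characters, even count; labels optional).
# Requiring a non-empty name is an assumption of this example.
# Returns 1 if any row is bad.
check_import_csv() {
    awk -F',' '
        /^[ \t]*$/ { next }    # skip blank lines
        NF < 2 || NF > 3 {
            printf "line %d: expected hash,name[,labels] but found %d field(s)\n", NR, NF
            bad++; next
        }
        $1 !~ /^[0-9a-fA-F]+$/ {
            printf "line %d: hash contains characters outside 0-9, a-f, A-F\n", NR
            bad++; next
        }
        length($1) < 12 {
            printf "line %d: hash has %d characters, minimum is 12\n", NR, length($1)
            bad++; next
        }
        length($1) % 2 != 0 {
            printf "line %d: hash has an odd number of characters (%d)\n", NR, length($1)
            bad++; next
        }
        $2 == "" {
            printf "line %d: name column is empty\n", NR
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Usage: for f in dist/*; do csv_row_for "$f" "release"; done > assets.csv
#        check_import_csv assets.csv && vcn n --import-file assets.csv
```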


Using local API server

In a new window, start the local vcn API server, which works as a proxy to the cloud Trustcenter (provide the --lc-host you usually use for Trustcenter):

vcn serve --lc-host= --lc-port=443

Now you can use curl to notarize and authenticate assets. Example notarization: 

curl localhost:8080/notarize -X POST -d '{"hash": "5f5ffe805897f33cf667767cdafd818170f888d5a9c09b969f701153064b3216", "name": "test3.py", "kind": "python"}' -sH "x-notarization-lc-api-key: <put your API KEY here>"

Example authentication:

curl http://localhost:8080/authenticate/<put asset hash here> -H "x-notarization-lc-api-key: <put your API key here>"


Simple search

To search select Query Ledger in Trustcenter. 

• Html - search for html as a whole word anywhere

• *log4j* - search for log4j as part of a word anywhere

• ledger_name:"l02" - search for all documents notarized in the l02 ledger

• signer_id:"user1" - search for all documents notarized by SignerID user1

• status:"untrusted" - search for all untrusted documents. Other statuses: trusted, unsupported

• kind:"dir" - search for all directory artifacts. List of kinds: container, dir, docker, dpkg, file, git, go, image, java, node, python, rust

• attachment_filenames:* - artifacts with an attachment

• includes:* - artifacts that have the sbom

• metadata:(*) - documents with nonempty metadata
