Codenotary Trustcenter & vcn cheat sheet

Created by Xinxiang Wang, Modified on Fri, 15 Dec, 2023 at 12:17 AM by Kristaps Felzenbergs

Create Ledger

Enter the Trustcenter:

https://<address>

user: username

password: password 

On Trustcenter Home page click the + Add Ledger 

Enter Ledger name

Optionally add labels to the ledger 


Add SignerId 

As admin on Trustcenter Ledger page select ledger 

On top choose Signer Ids tab 

Click + Create Signer ID

Enter signer ID name and accept 

Copy API KEY value for later use, Click Done 


Download vcn 

Enter website downloads.codenotary.com 

Username: cnccli 

Password: GetCLI4CNC 

Download the binary for Windows or Linux 

Save in your path and rename the file to vcn 

(on linux) Make the file executable: $ chmod +x vcn

(on linux) Store vcn in your PATH: $ 

sudo cp vcn /usr/local/bin/vcn

(on windows) Add the folder with vcn to you PATH. 

In command prompt run as admin: 

setx /M path "%path%;C:\ path\to\vcn\"


Login using vcn (on linux)

Create an empty text file and fill it with contents 

(without the brackets < > ): 

export VCN_LC_HOST=eval-honeywell.codenotary.com 

export VCN_LC_API_KEY= <paste your API KEY here> 

export VCN_LC_PORT=443 

Save the file as TC_credentials 

Run $ source TC_credentials

Run $ vcn login

You are now logged in to Trustcenter with vcn 


Login using vcn (on Windows 11)

Create an empty text file and fill it with contents 

setx VCN_LC_HOST "<address>" /M 

setx VCN_LC_API_KEY "<paste API KEY here >" /M 

setx VCN_LC_PORT "443" /M

Save the file as TC_credentials.bat 

Run as admin in command prompt: > TC_credentials.bat

Run > vcn login 

You are now logged in to Trustcenter with vcn 


Notarize source code

To notarize git repository clone it, eg.: 

git clone https://github.com/codenotary/immudb.git

Then notarize the repository: 

vcn notarize git://immudb

or simply 

vcn n git://immudb

Notarize .py files in current directory: 

vcn n -r "./*.py"

Notarize Python library: 

vcn n pythoncom://[email protected]

Get more help: 

vcn help

vcn n --help


Notarize binary

Navigate to the folder where the  binary is 

Run vcn notarize 

    • with label 

vcn n artifact --labels-add “label1”

    • With metadata: 

vcn n artifact --attr “key=value” 

You can combine many options in one command. 

You can add multiple –attr (metadata) options 

Notarize java WAR file: vcn n <war_file>

Notarize image: vcn n image://<image_name>

Also available: container:// and docker:// 


Notarize image

Notarizing a local Docker image 

vcn n image://<image_name:image_version> --image-dockerdaemon 

Notarizing an example Docker image from Docker Hub (nginx version perl on linux/386 architecture): 

vcn.exe n --bom image://nginx:perl --image-platform linux/386 -- image-registry-user <username>

 --image-registry-password <password>


Notarize sbom

Sbom = software bill of materials 

    • Notarize with sbom: 

vcn n --bom <file>

    • write bom to file: 

vcn n –bom <file> --bom-spdx <spdx_file>


Notarize with attachment 

vcn n <file> --attach <file_to_attach>


Authenticate source code, binary, sbom

vcn a git://immudb 

vcn a <file>

vcn a <file> --bom

Get a report of bom content: 

vcn a --bom --bom-what-includes image://alpine:latest 


Untrust binary

vcn untrust <file>


Unsupport binary

vcn unsupport <file>


Generate BOM only

Navigate to the folder where the  binary is 

vcn bom <file>

To generate SPDX file: 

vcn bom <file> --bom-spdx <spdx_filename>

To generate CycloneDX file: 

vcn bom <file> --bom-cdx-json <spdx_filename>


Scan for vulnerabilities

Navigate to the folder where the  binary is 

vcn bom <file> --vuln-scan --experimental

To generate vuln scan report file: 

vcn bom <file> --vuln-scan --experimental --vuln-report <file>


Notarize only if vulnerabilities are acceptable

You can set a limit on how many vulnerabilities are acceptable and notarize only below the limit: 

vcn n image://zricethezav/gitleaks --experimental --vuln-scan --image-docker-daemon --vuln-max-critical 10

 --vuln-max-high 10


All in one

One command to produce BOM file, vuln report and notarize only if vulnerabilities are acceptable: 

vcn n image://zricethezav/gitleaks --vuln-scan --bom --vuln-max-critical 999 --vuln-max-high 999 --experimental

 --vuln-report gitleaks_vuln.txt --bom-cdx-json gitleaks.cdx --image-docker-daemon 


Loading data from CSV file

Prepare a CSV file (comma separated text file) by putting in columns hash, name and labels. 

• Hash needs to contain an even number (at least 12) of any of these characters: 0-9, a-f, A-F 

• Name can be any string 

• Optional <labels> field may contain semicolon-separated list of labels to set for the asset. 

vcn n --import-file <csv file name>

This puts artifact data in Trustcenter as if this artifact was notarized. 


Using local API server

In a new window start local VCN API server (providing the -- lc-host you usually use as Trustcenter) which works as proxy to the cloud TC: 

vcn serve --lc-host= --lc-port=443

Now you can use curl to notarize and authenticate assets. Example notarization: 

curl localhost:8080/notarize -X POST -d '{"hash": "5f5ffe805897f33cf667767cdafd818170f888d5a9c09b969f7 01153064b3216", "name": "test3.py", "kind": "python"}' -sH "x-notarization-lc-api-key: <put your API KEY here>"

Example authentication:bom 

curl http://localhost:8080/authenticate/<put asset hash here> -H "x-notarization-lc-api-key: <put your API key here>"


Simple search

To search select Query Ledger in Trustcenter. 

• Html search for html as whole word anywhere 

• *log4j* search for log4j as part of the word anywhere • ledger_name:"l02" Search for all documents notarized in l02 ledger 

• signer_id:"user1" Search for all documents notarized by SignerID user1 

• status:"untrusted" Search all untrusted documents. Other statuses: trusted, unsupported 

• kind:"dir" Search for all directory artifacts List of kinds: container, dir, docker, dpkg, file, git, go, image, java, node, python, rust 

• attachment_filenames:* artifacts with attachment 

• includes:* artifacts that have the sbom 

• metadata:(*) documents with nonempty metadata

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article