Quickstart Help Guide
CodeNotary has the ambitious goal to become the standard for modern-age code signing. A true global, decentralized, blockchain-secured platform to enable the signing of code and other digital assets in the simplest possible way.
This post explains how you can use the vcn command line tool to register and sign code, documents, and files using your CodeNotary keypair (based on Ethereum wallet functionality). When code is signed, a unique hash is created for the digital asset and written to the blockchain with your unique identity. This guarantees that the file integrity is stored in a tamper-proof way. Please be aware that file integrity doesn’t judge the file content (good, bad or neutral). What it does is make sure the asset has not been modified.
Let’s dig into the command line and how you can start signing assets with CodeNotary and vcn.
The vcn command is published under GPL3 as Open Source, so you can check the code base, build the binary yourself and help to improve the code. All code is written in Golang.
Just open https://dashboard.codenotary.io and set up your account.
Type in your email and CodeNotary automatically detects whether you’re registered or not. If it’s your first time, just confirm your email and you’re all set.
First Dashboard Login
Set up your account and download the vcn command line tool for your operating system — available for Mac, Linux, and Microsoft Windows. We recommend getting familiar with the vcn tool by following the onboarding steps in the top bar of your dashboard.
As you don’t use vcn yet, make sure to check the download using traditional methods like md5 or sha256.
Download vcn command line tool
You can find the latest vcn release on our GitHub page: https://github.com/vchain-us/vcn/releases
Download integrity check
Make sure to check the integrity of the downloaded file – no worries, from then on, you can use vcn for protecting the integrity of your files.
When using Linux just type:
When using Microsoft Windows:
certutil -hashfile C:\Users\YOUR_USERNAME\Downloads\vcn-v0.3.4-windows-4.0-amd64.exe SHA256
Microsoft Windows installer
We also offer a Microsoft Windows installer (codenotary_vcn_0.3.4_setup.exe) that does all the installation for you and registers vcn actions in the file context of Windows explorer.
Something to mention about any executable you download from the internet: Windows is going to show an error if the vendor didn’t buy a $500+/year certificate. That’s why CodeNotary is here, to get rid of these enormous costs that only make sure the Certification Authority is making a profit while providing absolutely no additional security.
Just select keep and run the installer. If you want to make sure the file integrity is perfectly fine, you should install the CodeNotary Chrome Extension immediately, as it really protects against evil clones and fake downloads. Of course, you can also build the vcn command yourself or check the installer file on our GitHub repository. Nothing hidden!
Annoying Windows warnings
Of course that’s not it with the warnings. There will be another one, despite the fact that we actually signed with a cheaper certificate. But only the expensive ones count.
Click ‘Run anyway’ to start the installer.
When the installation is successful, you can open vcn here and continue with this guide.
Open vcn for Windows
vcn command first run
The first thing you should do after downloading vcn is making the file executable and copying the command to your environment path so you don’t need to search for it. Example:
sudo chmod +x vcn-v0.3.4-linux-amd64 && sudo cp vcn-v0.3.4-linux-amd64 /usr/local/bin/vcn
Now you can type vcn to run the command.
Now log into CodeNotary:
When you first log in through the CLI, you will need to create your CodeNotary Keypair to be able to sign files.
When running the Microsoft Windows vcn it looks like this (below):
vcn profile folder
That Keypair is stored under $HOME/.vcn (Linux) or %Home%\.vcn (Windows) and you need to use a strong password to protect the private key. Furthermore, you should protect the files within the .vcn directory.
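One way to protect the files in the profile directory on Linux, as an added example (not from the original guide or the vcn project). The function names are hypothetical, and the only assumption about the directory is its path, $HOME/.vcn, as stated above.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the vcn profile directory.

# List entries under DIR that grant any access to group or others.
# Symlinks are skipped because their own mode bits are not meaningful.
loose_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# List entries under DIR that are not owned by the current user; a key file
# owned by someone else can be replaced or read by that account.
foreign_entries() {
    find "$1" ! -user "$(id -un)" -print
}

# Remove group/other access from DIR and everything in it, then re-check.
# Returns 0 if nothing loose or foreign-owned remains, 1 otherwise,
# 2 if DIR is not a directory.
lock_down() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chmod -R go-rwx "$dir" || return 1
    remaining=$(loose_entries "$dir"; foreign_entries "$dir")
    if [ -n "$remaining" ]; then
        echo "still exposed:" >&2
        echo "$remaining" >&2
        return 1
    fi
    return 0
}

# Usage:
#   loose_entries "$HOME/.vcn"    # show what is exposed today
#   lock_down "$HOME/.vcn"        # tighten and verify
```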
When you check your dashboard, which also opens when you type vcn dashboard, you can find the public key that has just been created as well as the progress you have made.
That’s it. You are all set up and ready to go. You can now start signing digital assets of any kind:
- source code
- containers (i.e. Docker)
- media (maybe your own music or videos you created)
- and much more
vcn command line
By the way, if you don’t sign up, you will still be able to verify files, documents or other downloads using vcn verify <file>.
As all is set up, it’s time to get started by signing some downloaded files, documents or even docker container images.
vcn sign <file>
vcn sign docker:<image>
Public and Private assets
By default all assets are signed private, so not much information is disclosed about the signer.
If you want to make it public and therefore more trusted, please use the --public switch.
vcn sign --public <file>
vcn sign --public docker:<image>
NOTE: The most recent status will be applied to your asset (i.e. if you have signed an asset first as public and then as private, it would be considered private).
Trust, Untrust, and Unsupport
Change the asset’s status — especially as a software publisher, ISV or developer you might want to set the status of your software to ‘Unsupported’ or ‘Untrusted’. CodeNotary will improve these features a lot to make sure that the owner of software has the highest trust level to do these actions.
vcn untrust <file>
vcn unsupport <file>
If you want to check the files and the status in a browser you can either visit https://dashboard.codenotary.io or use the dashboard command to take a look at analytics and extended functionality on the dashboard (browser needed):
List your assets
To check what assets you’ve signed, just type:
There is also a nice cheat sheet with all commands and some more advanced stuff which you can see below and access fully on our GitHub page here.
CodeNotary has just been released to the public, so please leave feedback and let us know how we can improve.
If you have any questions that haven’t been covered in our quick guide, please also check our FAQ page.