From 4b1d3135d5df3a135f18550d2aa3564045a765b9 Mon Sep 17 00:00:00 2001 From: Stuart Parmenter Date: Mon, 29 Sep 2025 10:38:54 -0700 Subject: [PATCH] Get rid of codenotary references from addon docs --- docs/add-ons/configuration.md | 4 ---- docs/add-ons/presentation.md | 1 - docs/add-ons/security.md | 5 ----- 3 files changed, 10 deletions(-) diff --git a/docs/add-ons/configuration.md b/docs/add-ons/configuration.md index e5a781a9e8c..9a2a2fa8567 100644 --- a/docs/add-ons/configuration.md +++ b/docs/add-ons/configuration.md @@ -173,7 +173,6 @@ Avoid using `config.yaml` as filename in your add-on for anything other than the | `options` | dict | | Default options value of the add-on. | `schema` | dict | | Schema for options value of the add-on. It can be `false` to disable schema validation and options. | `image` | string | | For use with Docker Hub and other container registries. This should be set to the name of the image only (E.g, `ghcr.io/home-assistant/{arch}-addon-example`). If you use this option, set the active docker tag using the `version` option. -| `codenotary` | string | | For use with Codenotary CAS. This is the E-Mail address used to verify your image with Codenotary (E.g, `example@home-assistant.io`). This should match the E-Mail address used as the signer in the [add-on's extended build options](#add-on-extended-build) | `timeout` | integer | 10 | Default 10 (seconds). The timeout to wait until the Docker daemon is done or will be killed. | `tmpfs` | bool | `false` | If this is set to `true`, the containers `/tmp` uses tmpfs, a memory file system. | `discovery` | list | | A list of services that this add-on provides for Home Assistant. 
@@ -272,9 +271,6 @@ args: | build_from | no | A dictionary with the hardware architecture as the key and the base Docker image as the value. | args | no | Allow additional Docker build arguments as a dictionary. | labels | no | Allow additional Docker labels as a dictionary. -| codenotary | no | Enable container signature with codenotary CAS. -| codenotary.signer | no | Owner signer E-Mail address for this image. -| codenotary.base_image | no | Verify the base container image. If you use our official images, use `notary@home-assistant.io` We provide a set of [base images][docker-base] which should cover a lot of needs. If you don't want to use the Alpine based version or need a specific image tag, feel free to pin this requirement for your build with the `build_from` option. diff --git a/docs/add-ons/presentation.md b/docs/add-ons/presentation.md index eae90e325d6..0af1b3229eb 100644 --- a/docs/add-ons/presentation.md +++ b/docs/add-ons/presentation.md @@ -219,7 +219,6 @@ Each add-on starts with a base rating of 5, on a scale of 1 to 6. Depending on d |---|---|---| | Use `ingress: true` in [`config.yaml`](/docs/add-ons/configuration#optional-configuration-options) | +2 | overrides `auth_api` rating | | Use `auth_api: true` in [`config.yaml`](/docs/add-ons/configuration#optional-configuration-options) | +1 | overridden by `ingress` | -| Add-on is signed with [CodeNotary](https://cas.codenotary.com/)| +1|| | Use custom [`apparmor.txt`](/docs/add-ons/presentation#apparmor)| +1| Rating applied after installation | | Set `apparmor: false` in [`config.yaml`](/docs/add-ons/configuration#optional-configuration-options) | -1 | | | Use `privileged: NET_ADMIN`, `SYS_ADMIN`, `SYS_RAWIO`, `SYS_PTRACE`, `SYS_MODULE`, or `DAC_READ_SEARCH`, or `kernel_modules: ` used in [`config.yaml`](/docs/add-ons/configuration#optional-configuration-options)| -1 | Rating applied only once if multiple are used. | 
diff --git a/docs/add-ons/security.md b/docs/add-ons/security.md index 09972eff731..b3383aa7513 100644 --- a/docs/add-ons/security.md +++ b/docs/add-ons/security.md @@ -18,10 +18,6 @@ For access to the Supervisor API you need to define a role or run in default mod | `manager` | Is for Add-ons that run CLIs and need extended rights | | `admin` | Have access to every API call. That is the only one they can disable/enable the Add-on protection mode | -## Codenotary CAS - -You can sign your images and also verify our base image which you build from to provide a full chain of trust. This feature is supported by our [Builder](https://github.com/home-assistant/builder) and the [build config](/docs/add-ons/configuration#add-on-extended-build). To enable this feature on the Supervisor for your add-on, you simply need to add your email address to the add-on configuration `codenotary`. - ## Protection Default, all add-ons run in protection enabled mode. This mode prevents the add-on from getting any rights on the system. If an add-on requires more rights, you can disable this protection via the API add-on options for that add-on. But be careful, an add-on with disabled protection can destroy your system! @@ -34,7 +30,6 @@ As a developer, follow the following best practices to make your add-on secure: - Create an AppArmor profile - Map folders read only if you don't need write access - If you need any API access, make sure that you do not grant permission that aren't needed -- Sign the image with [Codenotary CAS](https://cas.codenotary.com/) ## Use Home Assistant user backend
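Review bot: In the `docs/add-ons/configuration.md` hunk at `@@ -173,7 +173,6`, deleting the `codenotary` row leaves authors who already set that key in `config.yaml` with no guidance on whether it is now ignored, rejected, or merely deprecated. The commit message only says the references are being removed from the docs, so consider keeping a one-line row that marks the option as no longer used, or stating in the commit message which behavior the table now reflects.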
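Review bot: In the `docs/add-ons/configuration.md` hunk at `@@ -272,9 +271,6`, the three removed keys (`codenotary`, `codenotary.signer`, `codenotary.base_image`) were the only entries in this build table that dealt with verifying the base image, and the paragraph kept directly below still points authors at the official base images and at pinning with `build_from`. If there is no replacement for base-image verification, say so next to that paragraph, because pinning an image tag through `build_from` selects a version but does not check the image's integrity.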
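Review bot: In the `docs/add-ons/presentation.md` hunk, removing the `+1` row for a signed add-on changes the documented rating arithmetic without any accompanying explanation. An author whose add-on counted that point toward the 1 to 6 scale will find the total one lower than before when adding up the remaining rows. A short sentence near the table, or a line in the commit message, saying that signing no longer contributes to the rating would make the change visible to those authors.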
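Review bot: In the `docs/add-ons/security.md` hunk at `@@ -18,10 +18,6`, removing the whole `## Codenotary CAS` section also removes its heading anchor, so any page that links to that heading will end up with a dead fragment. This patch touches three files under `docs/add-ons/`; it is worth searching the rest of the docs tree for remaining `codenotary` mentions and links to this section before merging, and listing the result in the commit message.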
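Review bot: In the `docs/add-ons/security.md` hunk at `@@ -34,7 +30,6`, dropping the "Sign the image" bullet leaves the best-practices list visible here (AppArmor profile, read-only folder mappings, minimal API permissions) without any item about image provenance. If a supported signing or verification path exists, replace the bullet instead of deleting it; if none exists, the deletion is fine, but the commit message should say that the practice is being retired and not just its documentation.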