From a653585d145343ff5e581b75555db9650c66318a Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 27 Oct 2023 17:21:58 -0700 Subject: [PATCH 01/88] Spec updates for arbitrary blob signing Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 364 +++++++++++++++++++++++++++++++++++ specs/commandline/inspect.md | 4 +- specs/commandline/list.md | 4 +- specs/commandline/policy.md | 116 ++++++++++- specs/commandline/sign.md | 2 +- specs/commandline/verify.md | 2 +- specs/notation-cli.md | 28 +-- 7 files changed, 495 insertions(+), 25 deletions(-) create mode 100644 specs/commandline/blob.md diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md new file mode 100644 index 000000000..1c16a8cf6 --- /dev/null +++ b/specs/commandline/blob.md 
@@ -0,0 +1,364 @@ +# notation policy + +## Description + +Use `notation blob` command to sign, verify, and inspect signatures associated with arbitrary blobs. Notation can sign and verify any arbitrary bag of bits like zip files, documents, executables, etc. When a user signs a blob, `notation` produces a detached signature, which the user can transport/distribute in any medium that the user prefers along with the original blob. On the verification side, Notation can verify the blob's signature and assert that the blob has not been tampered with during its transmission. For more details, see [trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/signing-and-verification-workflow.md#blob-signing-workflow). + +## Outline + +### notation blob command + +```text +Sign, Inspect, and Verify signatures associates with arbitrary blobs. + +Usage: + notation blob [command] + +Available Commands: + sign produce a detached signature for a given blob + inspect inspect a signature associated with a blob + verify verify a signature associated with a blob + +Flags: + -h, --help help for blob +``` + +### notation blob sign + +```text +Produce a detached signature for a given blob + +Usage: + notation blob sign [flags] + +Flags: + -s, --signature path output location of the detached signature + --media-type string media type of the blob. If not provided, notation uses `application/octet-stream` + -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m + --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag + -k, --key string signing key name, for a key previously added to notation's key list. This is mutually exclusive with the --id and --plugin flags + --plugin string signing plugin name. 
This is mutually exclusive with the --key flag + --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. + --signature-format string signature envelope format, options: "jws", "cose" (default "jws") + -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload + -d, --debug debug mode + -v, --verbose verbose mode + -h, --help help for sign +``` + +### notation blob inspect + +```text +Inspect a signature associated with a blob + +Usage: + notation blob inspect [flags] + +Flags: + -o, --output string output format, options: 'json', 'text' (default "text") + -d, --debug debug mode + -v, --verbose verbose mode + -h, --help help for inspect +``` + +### notation blob verify + +```text +Verify a signature associated with a blob + +Usage: + notation blob verify [flags] + +Flags: + -s, --signature path location of the detached signature + --media-type string optional media type of the blob to verify + --policy-scope string optional policy scope to verify against. If not provided, notation verifies against wildcard policy if it exists. + -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided + -o, --output string output format, options: 'json', 'text' (default "text") + -d, --debug debug mode + -v, --verbose verbose mode + -h, --help help for inspect +``` + +## Usage + +## Produce detached blob signatures + +### Sign a blob by adding a new key + +```shell +# Prerequisites: +# - A signing plugin is installed. See plugin documentation (https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details. +# - Configure the signing plugin as instructed by plugin vendor. + +# Add a default signing key referencing the remote key identifier, and the plugin associated with it. 
+notation key add --default --name --plugin --id + +# sign a blob +notation blob sign --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +An example for a successful signing: + +```console +$ notation blob sign --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +Successfully signed /tmp/my-blob.bin +Signature written to /tmp/my-blob-signature.sig +``` + +### Sign a blob with on-demand remote key + +```shell +notation blob sign --plugin --id --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +### Sign a blob using COSE signature format + +```shell +# Prerequisites: +# A default signing key is configured using CLI "notation key" + +# Use option "--signature-format" to set the signature format to COSE. +notation blob sign --signature-format cose --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +### Sign a blob using the default signing key + +```shell +# Prerequisites: +# A default signing key is configured using CLI "notation key" + +notation blob sign --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +### Sign a blob with user metadata + +```shell +# Prerequisites: +# A default signing key is configured using CLI "notation key" + +# sign a blob and add user-metadata io.wabbit-networks.buildId=123 to the payload +notation blob sign --user-metadata io.wabbit-networks.buildId=123 --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin + +# sign a blob and add user-metadata io.wabbit-networks.buildId=123 and io.wabbit-networks.buildTime=1672944615 to the payload +notation blob sign --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=1672944615 --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +### Sign a blob with media type + +```shell +notation blob sign --media-type --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +### Sign a blob and specify the signature expiry duration, for example 24 hours + +```shell +notation blob sign --expiry 24h 
--signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +### Sign a blob using a specified signing key + +```shell +# List signing keys to get the key name +notation key list + +# Sign a container image using the specified key name +notation blob sign --key --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +``` + +## Inspect detached blob signatures + +### Display details of the given detached blob signature and its associated certificate properties + + +```text +notation blob inspect [flags] /tmp/my-blob-signature.sig +``` + +### Inspect the given detached blob signature + +```shell +# Prerequisites: Signatures is produced by notation blob sign command +notation blob inspect /tmp/my-blob-signature.sig +``` + +An example output: +```shell +Inspecting /tmp/my-blob-signature.sig +/tmp/my-blob-signature.sig +└── application/octet-stream + ├── sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + ├── signature algorithm: RSASSA-PSS-SHA-256 + ├── signed attributes + │ ├── content type: application/vnd.cncf.notary.payload.v1+json + │ ├── signing scheme: notary.signingAuthority.x509 + │ ├── signing time: Fri Jun 23 22:04:01 2023 + │ ├── expiry: Sat Jun 29 22:04:01 2024 + │ └── io.cncf.notary.verificationPlugin: com.example.nv2plugin + ├── unsigned attributes + │ ├── io.cncf.notary.timestampSignature: + │ └── io.cncf.notary.signingAgent: notation/1.0.0 + ├── certificates + │ ├── SHA256 fingerprint: b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d + │ │ ├── issued to: wabbit-com Software + │ │ ├── issued by: wabbit-com Software Root Certificate Authority + │ │ └── expiry: Sun Jul 06 20:50:17 2025 + │ ├── SHA256 fingerprint: 4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89 + │ │ ├── issued to: wabbit-com Software Code Signing PCA 2010 + │ │ ├── issued by: wabbit-com Software Root Certificate Authority + │ │ └── expiry: Sun Jul 06 20:50:17 2025 + │ └── SHA256 fingerprint: 
ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536 + │ ├── issued to: wabbit-com Software Root Certificate Authority + │ ├── issued by: wabbit-com Software Root Certificate Authority + │ └── expiry: Sat Jun 23 22:04:01 2035 + └── signed artifact + ├── media type: application/vnd.oci.image.manifest.v1+json + ├── digest: sha256:b94d27b9934d3e08a52e52d7da7fac484efe37a5380ee9088f7ace2efcde9 + └── size: 16724 +``` + +### Inspect the given detached blob signature with JSON Output + +```shell +notation blob inspect -o json /tmp/my-blob-signature.sig +``` + +## Verify detached blob signatures +The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a policy configuration file with Policies scoped to blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. + +- The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. +- Policy named "skip-blob-verification-policy" is for skipping verification on blob artifacts scoped to `skip-blob-verification-selector`. +- Policy "wildcard-blob-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-scope` argument in `notation blob verify` command. 
+ +```jsonc +{ + "version": "1.1", + "trustPolicies": [ + { + "name": "blob-verification-policy", + "scopes": [ + "blob:blob-verification-selector" + ], + "signatureVerification": { + "level": "strict" + }, + "trustStores": [ + "ca:wabbit-networks", + ], + "trustedIdentities": [ + "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools" + ] + }, + { + "name": "skip-blob-verification-policy", + "scopes": [ "blob:skip-blob-verification-selector" ], + "signatureVerification": { + "level" : "skip" + } + }, + { + "name": "wildcard-blob-verification-policy", + "scopes": [ "blob:*" ], + "signatureVerification": { + "level" : "audit" + }, + "trustStores": ["ca:acme-rockets"], + "trustedIdentities": ["*"] + } + ] +} +``` + +### Verify the detached signature of a blob + +Configure trust store and trust policy properly before using `notation blob verify` command. + +```shell + +# Prerequisites: Signature is produced on the filesystem from `notation blob sign` command. +# Configure trust store by adding a certificate file into trust store named "wabbit-network" of type "ca" +notation certificate add --type ca --store wabbit-networks wabbit-networks.crt + +# Create a JSON file named "trustpolicy.json" under directory "{NOTATION_CONFIG}". + +# Verify the detached signature +notation blob verify /tmp/my-blob-signature.sig +``` + +An example of output messages for a successful verification: + +```text +Successfully verified signature /tmp/my-blob-signature.sig +``` + +### Verify the signature with user metadata + +Use the `--user-metadata` flag to verify that provided key-value pairs are present in the payload of the valid signature. 
+ +```shell +# Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload +notation blob verify --user-metadata io.wabbit-networks.buildId=123 /tmp/my-blob-signature.sig +``` + +An example of output messages for a successful verification: + +```text +Successfully verified signature /tmp/my-blob-signature.sig + +The blob signature is having the following user metadata. + +KEY VALUE +io.wabbit-networks.buildId 123 +``` + +An example of output messages for an unsuccessful verification: + +```text +Error: signature verification failed: unable to find specified metadata in the given signature +``` + +### Verify the signature with media type + +Use the `--media-type` flag to verify that signature is for the provided media-type. + +```shell +# Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload +notation blob verify --media-type application/my-media-octet-stream /tmp/my-blob-signature.sig +``` + +An example of output messages for a successful verification: + +```text +Successfully verified signature /tmp/my-blob-signature.sig + +The blob is of media type `application/my-media-octet-stream`. + +``` + +An example of output messages for an unsuccessful verification: + +```text +Error: signature verification failed: The blob is not of media type `application/my-media-octet-stream`. +``` + +### Verify the signature using a policy scope + +Use the `--policy-scope` flag to select a Policy scope to verify the signature against. + +```shell +notation blob verify --policy-scope my-blob-verification-selector /tmp/my-blob-signature.sig +``` + +An example of output messages for a successful verification: + +```text +Successfully verified signature /tmp/my-blob-signature.sig using policy scope `my-blob-verification-selector` + +The blob is of media type `application/my-media-octet-stream`. 
+ +``` +An example of output messages for an unsuccessful verification: + +```text +Error: signature verification failed for Policy scope `my-blob-verification-selector` +``` \ No newline at end of file diff --git a/specs/commandline/inspect.md b/specs/commandline/inspect.md index 33db06563..88a441b60 100644 --- a/specs/commandline/inspect.md +++ b/specs/commandline/inspect.md @@ -2,7 +2,7 @@ ## Description -Use `notation inspect` command to inspect all the signatures associated with signed artifact in a human readable format. +Use `notation inspect` command to inspect all the signatures associated a signed OCI artifact in a human readable format. Upon successful execution, both the digest of the signed artifact and the digests of signatures manifest along with their properties associated with the signed artifact are printed in the following format: @@ -27,7 +27,7 @@ Upon successful execution, both the digest of the signed artifact and the digest ## Outline ```text -Inspect all signatures associated with the signed artifact. +Inspect all signatures associated with a signed OCI artifact. Usage: notation inspect [flags] diff --git a/specs/commandline/list.md b/specs/commandline/list.md index 49726724c..b5053f6f8 100644 --- a/specs/commandline/list.md +++ b/specs/commandline/list.md @@ -2,7 +2,7 @@ ## Description -Use `notation list` to list all the signatures associated with signed artifact. +Use `notation list` to list all the signatures associated with a signed OCI artifact. `Tags` are mutable, but `Digests` uniquely and immutably identify an artifact. If a tag is used to identify a signed artifact, notation resolves the tag to the `digest` first. @@ -18,7 +18,7 @@ Upon successful execution, both the digest of the signed artifact and the digest ## Outline ```text -List all the signatures associated with signed artifact +List all the signatures associated with a signed OCI artifact Usage: notation list [flags] 
diff --git a/specs/commandline/policy.md b/specs/commandline/policy.md index 56abd236a..d93312d73 100644 --- a/specs/commandline/policy.md +++ b/specs/commandline/policy.md 
@@ -2,14 +2,14 @@ ## Description -As part of signature verification workflow, users need to configure the trust policy configuration file to specify trusted identities that signed the artifacts, the level of signature verification to use and other settings. For more details, see [trust policy specification and examples](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy). +As part of signature verification workflow of signed OCI artifacts or blobs, users need to configure the trust policy configuration file to specify trusted identities that signed the artifacts, the level of signature verification to use and other settings. For more details, see [trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#trust-policy). -The `notation policy` command provides a user-friendly way to manage trust policies. It allows users to show trust policy configuration, import/export a trust policy configuration file from/to a JSON file. To get started user can refer to the following trust policy configuration sample. In this sample, there are four policies configured for different requirements: +The `notation policy` command provides a user-friendly way to manage trust policies. It allows users to show trust policy configuration, import/export a trust policy configuration file from/to a JSON file. To get started, user can refer to the following trust policy configuration sample. In this sample, there are four policies configured for different requirements: -- The Policy named "wabbit-networks-images" is for verifying images signed by Wabbit Networks and stored in two repositories `registry.acme-rockets.io/software/net-monitor` and `registry.acme-rockets.io/software/net-logger`. -- Policy named "unsigned-image" is for skipping the verification on unsigned images stored in repository `registry.acme-rockets.io/software/unsigned/net-utils`. 
-- Policy "allow-expired-images" is for logging instead of failing expired images stored in repository `registry.acme-rockets.io/software/legacy/metrics`. -- Policy "global-policy-for-all-other-images" is for verifying any other images that signed by the ACME Rockets. +- The Policy named "wabbit-networks-images" is for verifying OCI artifacts signed by Wabbit Networks and stored in two repositories `registry.acme-rockets.io/software/net-monitor` and `registry.acme-rockets.io/software/net-logger`. +- Policy named "unsigned-image" is for skipping the verification on unsigned OCI artifacts stored in repository `registry.acme-rockets.io/software/unsigned/net-utils`. +- Policy "allow-expired-images" is for logging instead of failing expired OCI artifacts stored in repository `registry.acme-rockets.io/software/legacy/metrics`. +- Policy "global-policy-for-all-other-images" is for verifying any other OCI artifacts that signed by the ACME Rockets. ```jsonc { 
@@ -67,6 +67,110 @@ The `notation policy` command provides a user-friendly way to manage trust polic } ``` +Policy language version 1.1 added support for verifying signatures associated with blob artifacts. User can use `scopes` field as a Policy selector string to decide which Policy gets applied to which blob. The `--policy-scope` argument provided in `notation blob verify` command will dictate which Policy gets picked from the policy configuration file and applied for verification. To get started with verifying blob signatures, users can refer to the following trust policy configuration sample. In this sample, there are three policies configured for different requirements: + +- The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. +- Policy named "skip-blob-verification-policy" is for skipping verification on blob artifacts scoped to `skip-blob-verification-selector`. +- Policy "wildcard-blob-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-scope` argument in `notation blob verify` command. 
+ +```jsonc +{ + "version": "1.1", + "trustPolicies": [ + { + "name": "blob-verification-policy", + "scopes": [ + "blob:blob-verification-selector" + ], + "signatureVerification": { + "level": "strict" + }, + "trustStores": [ + "ca:wabbit-networks", + ], + "trustedIdentities": [ + "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools" + ] + }, + { + "name": "skip-blob-verification-policy", + "scopes": [ "blob:skip-blob-verification-selector" ], + "signatureVerification": { + "level" : "skip" + } + }, + { + "name": "wildcard-blob-verification-policy", + "scopes": [ "blob:*" ], + "signatureVerification": { + "level" : "audit" + }, + "trustStores": ["ca:acme-rockets"], + "trustedIdentities": ["*"] + } + ] +} +``` + +Note: Policy language version 1.1 renamed the field `registryScopes` from version 1.0 to `scopes`. The new field accepts values with prefixes `oci` or `blob` to limit a scope value to either OCI signature verification or Blob signature verification. While scope values with `blob` prefix can be of free-form text, values with `oci` prefix must be valid OCI references. `notation` supports both policy language versions 1.0 and 1.1. However, `notation` rejects policy configuration files with mixed terminology i.e. both `registryScopes` and `scopes` defined in a single configuration file. Users migrating from 1.0 to 1.1 can simply rename `registryScopes` to `scopes` and prefix the values with `oci`. +Below is a sample Policy configuration file that verifies OCI artifacts using `scopes` field. 
+ +```jsonc +{ + "version": "1.1", + "trustPolicies": [ + { + "name": "wabbit-networks-images", + "scopes": [ + "oci:registry.acme-rockets.io/software/net-monitor", + "oci:registry.acme-rockets.io/software/net-logger" + ], + "signatureVerification": { + "level": "strict" + }, + "trustStores": [ + "ca:wabbit-networks", + ], + "trustedIdentities": [ + "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools" + ] + }, + { + "name": "unsigned-image", + "scopes": [ "oci:registry.acme-rockets.io/software/unsigned/net-utils" ], + "signatureVerification": { + "level" : "skip" + } + }, + { + "name": "allow-expired-images", + "scopes": [ "oci:registry.acme-rockets.io/software/legacy/metrics" ], + "signatureVerification": { + "level" : "strict", + "override" : { + "expiry" : "log" + } + }, + "trustStores": ["ca:acme-rockets"], + "trustedIdentities": ["*"] + }, + { + "name": "global-policy-for-all-other-images", + "scopes": [ "oci:*" ], + "signatureVerification": { + "level": "strict" + }, + "trustStores": [ + "ca:acme-rockets" + ], + "trustedIdentities": [ + "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, CN=SecureBuilder" + ] + } + ] +} +``` + ## Outline ### notation policy command diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 5c3569d5d..58555eeda 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -2,7 +2,7 @@ ## Description -Use `notation sign` to sign artifacts. +Use `notation sign` to sign OCI artifacts. Signs an OCI artifact stored in the registry. Always sign artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. If a tag is used, notation resolves the tag to the `digest` before signing. diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 3fe40a3a4..a47fb1430 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md 
@@ -2,7 +2,7 @@ ## Description -Use `notation verify` command to verify signatures associated with the artifact. Signature verification succeeds if verification succeeds for at least one of the signatures associated with the artifact. Upon successful verification, the output message is printed out as follows: +Use `notation verify` command to verify signatures associated with an OCI artifact. Signature verification succeeds if verification succeeds for at least one of the signatures associated with the artifact. Upon successful verification, the output message is printed out as follows: ```text Successfully verified signature for /@ diff --git a/specs/notation-cli.md b/specs/notation-cli.md index dcb03352e..8d375e477 100644 --- a/specs/notation-cli.md +++ b/specs/notation-cli.md 
@@ -7,15 +7,16 @@ This spec contains reference information on using notation commands. Each comman | Command | Description | | ------------------------------------------- | ---------------------------------------------------------------------- | | [certificate](./commandline/certificate.md) | Manage certificates in trust store | -| [inspect](./commandline/inspect.md) | Inspect signatures | | [key](./commandline/key.md) | Manage keys used for signing | -| [list](./commandline/list.md) | List signatures of the signed artifact | -| [login](./commandline/login.md) | Login to registries | -| [logout](./commandline/logout.md) | Log out from the logged in registries | +| [list](./commandline/list.md) | List signatures of a signed OCI artifact | +| [login](./commandline/login.md) | Log into OCI registries | +| [logout](./commandline/logout.md) | Log out from the logged in OCI registries | | [plugin](./commandline/plugin.md) | Manage plugins | -| [policy](./commandline/policy.md) | Manage trust policy configuration for signature verification | -| [sign](./commandline/sign.md) | Sign artifacts | -| [verify](./commandline/verify.md) | Verify artifacts | +| [policy](./commandline/policy.md) | Manage trust policy configuration for signature verification | +| [sign](./commandline/sign.md) | Sign OCI artifacts | +| [verify](./commandline/verify.md) | Verify OCI artifacts | +| [inspect](./commandline/inspect.md) | Inspect OCI signatures | +| [blob](./commandline/blob.md) | Sign, verify and inspect singatures associated with blobs | | [version](./commandline/version.md) | Print the version of notation CLI | ## Notation Outline 
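Review bot: In the notation-cli.md command table hunk, the new `blob` row spells `signatures` as `singatures`. The table was in alphabetical order before this change, and moving `inspect` from between `certificate` and `key` to after `verify` breaks that; suggest placing `blob` before `certificate` and leaving `inspect` where it was.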
@@ -28,15 +29,16 @@ Usage: Available Commands: certificate Manage certificates in trust store - inspect Inspect all signatures associated with the signed artifact key Manage keys used for signing - list List signatures of the signed artifact - login Login to registry - logout Log out from the logged in registries + list List signatures of a signed OCI artifact + login Log into OCI registries + logout Log out from the logged in OCI registries plugin Manage plugins policy Manage trust policy configuration for signature verification - sign Sign artifacts - verify Verify artifacts + sign Sign OCI artifacts + verify Verify OCI artifacts + blobs Sign, verify and inspect singatures associated with blobs + inspect Inspect all signatures associated with a signed OCI artifact version Show the notation version information Flags: From a59bdfa9d75ca9d1e3f05c6534d84330441c7506 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 27 Oct 2023 17:32:50 -0700 Subject: [PATCH 02/88] fix verify command examples Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 1c16a8cf6..3e7a32261 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -282,7 +282,7 @@ notation certificate add --type ca --store wabbit-networks wabbit-networks.crt # Create a JSON file named "trustpolicy.json" under directory "{NOTATION_CONFIG}". # Verify the detached signature -notation blob verify /tmp/my-blob-signature.sig +notation blob verify --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin ``` An example of output messages for a successful verification: 
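Review bot: In the notation-cli.md `Available Commands` hunk, the entry is named `blobs` while the command introduced by blob.md is `notation blob` (`Usage: notation blob [command]`) and the table row links `[blob](./commandline/blob.md)`; the outline should say `blob`. The same line repeats the `singatures` typo.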
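Review bot: In the policy.md hunk that adds the version 1.1 description (`@@ -67,6 +67,110 @@`), the rule for matching a `--policy-scope` value against `scopes` entries is left implicit: the sample policy lists `blob:blob-verification-selector`, while the blob.md examples pass the selector to `--policy-scope` without the `blob:` prefix, so the text should say whether notation prepends the prefix or the user must supply it, and whether a 1.1 policy with an unprefixed scope value is rejected. The paragraph should also state whether one blob selector may appear in more than one policy, and what happens when `--policy-scope` is given but no policy matches (the blob.md outline only covers the wildcard fallback), so that the no-match case is an explicit verification failure rather than undefined. Minor: both JSON samples leave a trailing comma after `"ca:wabbit-networks",`, which strict JSON parsers reject; `User can use` should read `Users can use`; and `mixed terminology i.e. both` reads better as `mixed terminology, i.e. both`.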
@@ -297,7 +297,7 @@ Use the `--user-metadata` flag to verify that provided key-value pairs are prese ```shell # Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload -notation blob verify --user-metadata io.wabbit-networks.buildId=123 /tmp/my-blob-signature.sig +notation blob verify --user-metadata io.wabbit-networks.buildId=123 --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin ``` An example of output messages for a successful verification: @@ -323,7 +323,7 @@ Use the `--media-type` flag to verify that signature is for the provided media-t ```shell # Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload -notation blob verify --media-type application/my-media-octet-stream /tmp/my-blob-signature.sig +notation blob verify --media-type application/my-media-octet-stream --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin ``` An example of output messages for a successful verification: @@ -346,7 +346,7 @@ Error: signature verification failed: The blob is not of media type `application Use the `--policy-scope` flag to select a Policy scope to verify the signature against. ```shell -notation blob verify --policy-scope my-blob-verification-selector /tmp/my-blob-signature.sig +notation blob verify --policy-scope my-blob-verification-selector --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin ``` An example of output messages for a successful verification: @@ -354,8 +354,6 @@ An example of output messages for a successful verification: ```text Successfully verified signature /tmp/my-blob-signature.sig using policy scope `my-blob-verification-selector` -The blob is of media type `application/my-media-octet-stream`. - ``` An example of output messages for an unsuccessful verification: From b194284c77778babe63119faa08f7fb2737d8f27 Mon Sep 17 00:00:00 2001 
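Review bot: In the `--media-type` hunk (`@@ -323,7 +323,7 @@`), the comment above the command still reads `Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload`, copied from the user-metadata example; it should describe the media-type check, for example `# Verify the signature and check that the blob's media type is application/my-media-octet-stream`.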
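Review bot: In the `--policy-scope` hunk (`@@ -346,7 +346,7 @@`), the example still passes `my-blob-verification-selector`, which does not match the `blob-verification-selector` scope defined in the sample policy earlier in the file, so the documented success output cannot be produced against the documented policy; use the same selector in both places.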
From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Wed, 1 Nov 2023 14:53:04 -0700 Subject: [PATCH 03/88] update signature-name rather than signature-path for blob sign command Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 59 ++++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 3e7a32261..e041c1a53 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -29,11 +29,11 @@ Flags: Produce a detached signature for a given blob Usage: - notation blob sign [flags] + notation blob sign [flags] -n my-blob-signature Flags: - -s, --signature path output location of the detached signature - --media-type string media type of the blob. If not provided, notation uses `application/octet-stream` + -n, --signature-name string friendly name for the detached signature. Signature file will be written to the currently working directory with this name and signature format as the file extension + --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag -k, --key string signing key name, for a key previously added to notation's key list. This is mutually exclusive with the --id and --plugin flags 
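Review bot: In the `notation blob sign` outline hunk, the Usage line `notation blob sign [flags] -n my-blob-signature` drops the blob path positional argument and embeds an example value; it should read along the lines of `notation blob sign [flags] <blob_path>` with `-n` documented under Flags only. The `--signature-name` help says the file is written `with this name and signature format as the file extension`, which yields `my-blob-signature.jws`, while the example later in this patch prints `Signature written to ./my-blob-signature.sig.jws`; pick one naming rule and state it here. It should also say whether an existing file of that name is overwritten or the command refuses to clobber it, and `currently working directory` should be `current working directory`.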
@@ -67,13 +67,13 @@ Flags: Verify a signature associated with a blob Usage: - notation blob verify [flags] + notation blob verify [flags] --signature Flags: -s, --signature path location of the detached signature --media-type string optional media type of the blob to verify --policy-scope string optional policy scope to verify against. If not provided, notation verifies against wildcard policy if it exists. - -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided + -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided -o, --output string output format, options: 'json', 'text' (default "text") -d, --debug debug mode -v, --verbose verbose mode @@ -95,21 +95,21 @@ Flags: notation key add --default --name --plugin --id # sign a blob -notation blob sign --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --signature-name my-blob-signature /tmp/my-blob.bin ``` An example for a successful signing: ```console -$ notation blob sign --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +$ notation blob sign --signature-name my-blob-signature /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature written to /tmp/my-blob-signature.sig +Signature written to ./my-blob-signature.sig.jws ``` ### Sign a blob with on-demand remote key ```shell -notation blob sign --plugin --id --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --plugin --id --signature-name my-blob-signature /tmp/my-blob.bin ``` ### Sign a blob using COSE signature format 
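Review bot: In the `notation blob verify` outline hunk, the Usage line `notation blob verify [flags] --signature` is missing both the signature path value and the blob path positional argument; the examples in this patch invoke the command as `notation blob verify --signature <signature_path> <blob_path>`, so the Usage line should show that form. The `-m, --user-metadata` line appears to change only whitespace; drop it from the diff unless the realignment is intended.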
@@ -119,7 +119,7 @@ notation blob sign --plugin --id --signature /tmp/ # A default signing key is configured using CLI "notation key" # Use option "--signature-format" to set the signature format to COSE. -notation blob sign --signature-format cose --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --signature-format cose --signature-name my-blob-signature /tmp/my-blob.bin ``` ### Sign a blob using the default signing key @@ -128,7 +128,7 @@ notation blob sign --signature-format cose --signature /tmp/my-blob-signature.si # Prerequisites: # A default signing key is configured using CLI "notation key" -notation blob sign --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --signature-name my-blob-signature /tmp/my-blob.bin ``` ### Sign a blob with user metadata 
@@ -138,22 +138,22 @@ notation blob sign --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin # A default signing key is configured using CLI "notation key" # sign a blob and add user-metadata io.wabbit-networks.buildId=123 to the payload -notation blob sign --user-metadata io.wabbit-networks.buildId=123 --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --user-metadata io.wabbit-networks.buildId=123 --signature-name my-blob-signature /tmp/my-blob.bin # sign a blob and add user-metadata io.wabbit-networks.buildId=123 and io.wabbit-networks.buildTime=1672944615 to the payload -notation blob sign --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=1672944615 --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=1672944615 --signature-name my-blob-signature /tmp/my-blob.bin ``` ### Sign a blob with media type ```shell -notation blob sign --media-type --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --media-type --signature-name my-blob-signature /tmp/my-blob.bin ``` ### Sign a blob and specify the signature expiry duration, for example 24 hours ```shell -notation blob sign --expiry 24h --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --expiry 24h --signature-name my-blob-signature /tmp/my-blob.bin ``` ### Sign a blob using a specified signing key @@ -163,7 +163,7 @@ notation blob sign --expiry 24h --signature /tmp/my-blob-signature.sig /tmp/my-b notation key list # Sign a container image using the specified key name -notation blob sign --key --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob sign --key --signature-name my-blob-signature /tmp/my-blob.bin ``` ## Inspect detached blob signatures 
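Review bot: the comment `# Sign a container image using the specified key name` in the `--key` example (last hunk here) is stale text carried over from the OCI `notation sign` page; this command signs a blob, so the comment should say "Sign a blob using the specified key name".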
@@ -172,23 +172,24 @@ notation blob sign --key --signature /tmp/my-blob-signature.sig /tmp/ ```text -notation blob inspect [flags] /tmp/my-blob-signature.sig +notation blob inspect [flags] /tmp/my-blob-signature.sig.jws ``` ### Inspect the given detached blob signature ```shell # Prerequisites: Signatures is produced by notation blob sign command -notation blob inspect /tmp/my-blob-signature.sig +notation blob inspect /tmp/my-blob-signature.sig.jws ``` An example output: ```shell -Inspecting /tmp/my-blob-signature.sig -/tmp/my-blob-signature.sig +Inspecting /tmp/my-blob-signature.sig.jws +/tmp/my-blob-signature.sig.jws └── application/octet-stream ├── sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ├── signature algorithm: RSASSA-PSS-SHA-256 + ├── signature format: jws ├── signed attributes │ ├── content type: application/vnd.cncf.notary.payload.v1+json │ ├── signing scheme: notary.signingAuthority.x509 @@ -220,7 +221,7 @@ Inspecting /tmp/my-blob-signature.sig ### Inspect the given detached blob signature with JSON Output ```shell -notation blob inspect -o json /tmp/my-blob-signature.sig +notation blob inspect -o json /tmp/my-blob-signature.sig.jws ``` ## Verify detached blob signatures @@ -282,13 +283,13 @@ notation certificate add --type ca --store wabbit-networks wabbit-networks.crt # Create a JSON file named "trustpolicy.json" under directory "{NOTATION_CONFIG}". # Verify the detached signature -notation blob verify --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob verify --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig +Successfully verified signature /tmp/my-blob-signature.sig.jws ``` ### Verify the signature with user metadata 
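Review bot: the prerequisite comment `# Prerequisites: Signatures is produced by notation blob sign command` in the inspect hunk has a number agreement error; "Signature is produced by the notation blob sign command" reads correctly. The "An example output" block is fenced as `shell` although it is program output, not commands; the verify sections use `text` for output, so use that here for consistency.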
@@ -297,13 +298,13 @@ Use the `--user-metadata` flag to verify that provided key-value pairs are prese ```shell # Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload -notation blob verify --user-metadata io.wabbit-networks.buildId=123 --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob verify --user-metadata io.wabbit-networks.buildId=123 --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig +Successfully verified signature /tmp/my-blob-signature.sig.jws The blob signature is having the following user metadata. @@ -323,13 +324,13 @@ Use the `--media-type` flag to verify that signature is for the provided media-t ```shell # Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload -notation blob verify --media-type application/my-media-octet-stream --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob verify --media-type application/my-media-octet-stream --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig +Successfully verified signature /tmp/my-blob-signature.sig.jws The blob is of media type `application/my-media-octet-stream`. 
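Review bot: the comment in the media-type hunk, `# Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload`, was copied from the user-metadata example and describes the wrong check; it should say the command verifies that the signature is for media type `application/my-media-octet-stream`. While in the neighbouring hunk, the context line "The blob signature is having the following user metadata." should be "The blob signature has the following user metadata."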
@@ -346,13 +347,13 @@ Error: signature verification failed: The blob is not of media type `application Use the `--policy-scope` flag to select a Policy scope to verify the signature against. ```shell -notation blob verify --policy-scope my-blob-verification-selector --signature /tmp/my-blob-signature.sig /tmp/my-blob.bin +notation blob verify --policy-scope my-blob-verification-selector --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig using policy scope `my-blob-verification-selector` +Successfully verified signature /tmp/my-blob-signature.sig.jws using policy scope `my-blob-verification-selector` ``` An example of output messages for an unsuccessful verification: From c14aaa7f521d4b113db3897ca87054d914a5c537 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Thu, 2 Nov 2023 11:55:38 -0700 Subject: [PATCH 04/88] minor updates Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index e041c1a53..888ac3aff 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
@@ -32,7 +32,7 @@ Usage: notation blob sign [flags] -n my-blob-signature Flags: - -n, --signature-name string friendly name for the detached signature. Signature file will be written to the currently working directory with this name and signature format as the file extension + -n, --signature-name string friendly name for the detached signature. Signature file will be written to the currently working directory with this name plus ".sig" plus signature format as the file extension --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag @@ -120,6 +120,8 @@ notation blob sign --plugin --id --signature-name # Use option "--signature-format" to set the signature format to COSE. notation blob sign --signature-format cose --signature-name my-blob-signature /tmp/my-blob.bin +Successfully signed /tmp/my-blob.bin +Signature written to ./my-blob-signature.sig.cose ``` ### Sign a blob using the default signing key @@ -323,7 +325,7 @@ Error: signature verification failed: unable to find specified metadata in the g Use the `--media-type` flag to verify that signature is for the provided media-type. ```shell -# Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload +# Verify the signature and verify that application/my-media-octet-stream is the media type notation blob verify --media-type application/my-media-octet-stream --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin ``` 
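Review bot: the COSE hunk appends the output lines `Successfully signed /tmp/my-blob.bin` and `Signature written to ./my-blob-signature.sig.cose` directly after the command inside a `shell` fence with no prompt, so they read as further commands; the JWS example above uses a `console` fence with a `$` prompt, and this one should do the same. In the first hunk, "currently working directory" should be "current working directory".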
@@ -347,17 +349,17 @@ Error: signature verification failed: The blob is not of media type `application Use the `--policy-scope` flag to select a Policy scope to verify the signature against. ```shell -notation blob verify --policy-scope my-blob-verification-selector --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin +notation blob verify --policy-scope blob-verification-selector --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig.jws using policy scope `my-blob-verification-selector` +Successfully verified signature /tmp/my-blob-signature.sig.jws using policy scope `blob-verification-selector` ``` An example of output messages for an unsuccessful verification: ```text -Error: signature verification failed for Policy scope `my-blob-verification-selector` +Error: signature verification failed for Policy scope `blob-verification-selector` ``` \ No newline at end of file From ee0dca31935c9545a57bfa9f89e943d3f66cd2da Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:23:38 -0800 Subject: [PATCH 05/88] minor updates Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 10 +++++----- specs/commandline/policy.md | 16 ++++++++++++++++ 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 888ac3aff..b99c8a041 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
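Review bot: this hunk leaves blob.md without a trailing newline (`\ No newline at end of file`); add one. The success and failure messages also disagree on capitalisation: `using policy scope` versus `Error: signature verification failed for Policy scope`; pick one form for both messages.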
@@ -9,14 +9,14 @@ Use `notation blob` command to sign, verify, and inspect signatures associated w ### notation blob command ```text -Sign, Inspect, and Verify signatures associates with arbitrary blobs. +Sign, inspect, and verify signatures associated with arbitrary blobs. Usage: notation blob [command] Available Commands: - sign produce a detached signature for a given blob inspect inspect a signature associated with a blob + sign produce a detached signature for a given blob verify verify a signature associated with a blob Flags: @@ -32,7 +32,7 @@ Usage: notation blob sign [flags] -n my-blob-signature Flags: - -n, --signature-name string friendly name for the detached signature. Signature file will be written to the currently working directory with this name plus ".sig" plus signature format as the file extension + -n, --signature-name string friendly name for the detached signature. Signature file will be written to the currently working directory with this name plus ".sig" plus signature format as the file extension. For example, "mySignature.sig.jws", "mySignature.sig.cose" --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag @@ -146,7 +146,7 @@ notation blob sign --user-metadata io.wabbit-networks.buildId=123 --signature-na notation blob sign --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=1672944615 --signature-name my-blob-signature /tmp/my-blob.bin ``` -### Sign a blob with media type +### Sign a blob and specify the media type for the blob ```shell notation blob sign --media-type --signature-name my-blob-signature /tmp/my-blob.bin 
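Review bot: the `-n, --signature-name` help text in the second hunk now gives example file names but still does not say what happens when the flag is omitted: every example in the page passes `-n`, so either mark the flag as required or document the default name. The command-list reordering in the first hunk is fine (alphabetical, matching the other command pages).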
@@ -346,7 +346,7 @@ Error: signature verification failed: The blob is not of media type `application ### Verify the signature using a policy scope -Use the `--policy-scope` flag to select a Policy scope to verify the signature against. +Use the `--policy-scope` flag to select a policy scope to verify the signature against. ```shell notation blob verify --policy-scope blob-verification-selector --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin diff --git a/specs/commandline/policy.md b/specs/commandline/policy.md index d93312d73..3c42d6854 100644 --- a/specs/commandline/policy.md +++ b/specs/commandline/policy.md @@ -166,6 +166,22 @@ Below is a sample Policy configuration file that verifies OCI artifacts using `s "trustedIdentities": [ "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, CN=SecureBuilder" ] + }, + { + "name": "skip-blob-verification-policy", + "scopes": [ "blob:skip-blob-verification-selector" ], + "signatureVerification": { + "level" : "skip" + } + }, + { + "name": "wildcard-blob-verification-policy", + "scopes": [ "blob:*" ], + "signatureVerification": { + "level" : "audit" + }, + "trustStores": ["ca:acme-rockets"], + "trustedIdentities": ["*"] } ] } From be48c14bced690fd184908299997b25cba35091a Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Tue, 14 Nov 2023 17:14:56 -0800 Subject: [PATCH 06/88] support signature-directory flag in notation blob sign command Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 72 ++++++++++++++++++++++++--------------- 1 file changed, 44 insertions(+), 28 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index b99c8a041..8c42b295d 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
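Review bot: the `wildcard-blob-verification-policy` sample in the policy.md hunk combines `"scopes": [ "blob:*" ]`, `"trustedIdentities": ["*"]` and `"level" : "audit"`, which accepts any signer whose certificate chains to the `acme-rockets` trust store and only logs other failures; the surrounding text should say this is a deliberately permissive catch-all so readers do not copy it into an enforcing configuration. The `skip-blob-verification-policy` entry carries no `trustStores` or `trustedIdentities`, which is correct for `skip`, but the text should state that those fields are optional at that level.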
@@ -26,13 +26,13 @@ Flags: ### notation blob sign ```text -Produce a detached signature for a given blob +Produce a detached signature for a given blob. Signature file will be written to the currently working directory with blob file name + ".sig" + signature format as the file extension. For example, signature file name for "myBlob.bin" will be "myBlob.bin.sig.jws" for JWS signature format or "myBlob.bin.sig.cose" for COSE signature format. Usage: - notation blob sign [flags] -n my-blob-signature + notation blob sign [flags] Flags: - -n, --signature-name string friendly name for the detached signature. Signature file will be written to the currently working directory with this name plus ".sig" plus signature format as the file extension. For example, "mySignature.sig.jws", "mySignature.sig.cose" + -sd, --signature-directory path optional path where the detached signature needs to be placed (default: currently working directory) --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag @@ -40,6 +40,7 @@ Flags: --plugin string signing plugin name. This is mutually exclusive with the --key flag --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. --signature-format string signature envelope format, options: "jws", "cose" (default "jws") + --force skip user confirmation and force overwrite the existing detached signature file -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload -d, --debug debug mode -v, --verbose verbose mode 
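Review bot: the shorthand `-sd` for `--signature-directory` in the first hunk cannot be registered as written: notation's CLI is built on cobra/pflag, where a shorthand is a single character, so either drop the shorthand or choose one letter. The new `--force` flag in the second hunk describes only the forced path; the help text should also say what happens by default when the signature file already exists (prompt or error). The description line still says "currently working directory" where "current working directory" is meant.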
@@ -74,6 +75,7 @@ Flags: --media-type string optional media type of the blob to verify --policy-scope string optional policy scope to verify against. If not provided, notation verifies against wildcard policy if it exists. -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided + --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values -o, --output string output format, options: 'json', 'text' (default "text") -d, --debug debug mode -v, --verbose verbose mode @@ -95,21 +97,35 @@ Flags: notation key add --default --name --plugin --id # sign a blob -notation blob sign --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign /tmp/my-blob.bin ``` An example for a successful signing: ```console -$ notation blob sign --signature-name my-blob-signature /tmp/my-blob.bin +$ notation blob sign /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature written to ./my-blob-signature.sig.jws +Signature file written to ./my-blob.bin.sig.jws +``` + +### Sign a blob by generating the detached signature in a particular directory +```shell +$ notation blob sign --signature-directory /tmp/xyz/sigs /tmp/my-blob.bin +Successfully signed /tmp/my-blob.bin +Signature file written to /tmp/xyz/sigs/my-blob.bin.sig.jws +``` + +### Sign a blob and skip user confirmations when overwriting existing signature +```shell +$ notation blob sign --force /tmp/my-blob.bin +Successfully signed /tmp/my-blob.bin +Signature file overwritten to ./my-blob.bin.sig.jws ``` ### Sign a blob with on-demand remote key ```shell -notation blob sign --plugin --id --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign --plugin --id /tmp/my-blob.bin ``` ### Sign a blob using COSE signature format 
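Review bot: the new `--signature-directory` and `--force` examples in the second hunk put a `$` prompt and output inside `shell` fences while the first example uses a `console` fence for the same shape; use `console` for all three, and add a blank line between each new `###` heading and its fence so the markdown renders consistently with the rest of the page. In the verify hunk, the `--plugin-config` help text "refer plugin documentation" should read "refer to the plugin's documentation".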
@@ -119,9 +135,9 @@ notation blob sign --plugin --id --signature-name # A default signing key is configured using CLI "notation key" # Use option "--signature-format" to set the signature format to COSE. -notation blob sign --signature-format cose --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign --signature-format cose /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature written to ./my-blob-signature.sig.cose +Signature file written to ./my-blob.bin.sig.cose ``` ### Sign a blob using the default signing key @@ -130,7 +146,7 @@ Signature written to ./my-blob-signature.sig.cose # Prerequisites: # A default signing key is configured using CLI "notation key" -notation blob sign --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign /tmp/my-blob.bin ``` ### Sign a blob with user metadata 
@@ -140,22 +156,22 @@ notation blob sign --signature-name my-blob-signature /tmp/my-blob.bin # A default signing key is configured using CLI "notation key" # sign a blob and add user-metadata io.wabbit-networks.buildId=123 to the payload -notation blob sign --user-metadata io.wabbit-networks.buildId=123 --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign --user-metadata io.wabbit-networks.buildId=123 /tmp/my-blob.bin # sign a blob and add user-metadata io.wabbit-networks.buildId=123 and io.wabbit-networks.buildTime=1672944615 to the payload -notation blob sign --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=1672944615 --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=1672944615 /tmp/my-blob.bin ``` ### Sign a blob and specify the media type for the blob ```shell -notation blob sign --media-type --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign --media-type /tmp/my-blob.bin ``` ### Sign a blob and specify the signature expiry duration, for example 24 hours ```shell -notation blob sign --expiry 24h --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign --expiry 24h /tmp/my-blob.bin ``` ### Sign a blob using a specified signing key @@ -165,7 +181,7 @@ notation blob sign --expiry 24h --signature-name my-blob-signature /tmp/my-blob. notation key list # Sign a container image using the specified key name -notation blob sign --key --signature-name my-blob-signature /tmp/my-blob.bin +notation blob sign --key /tmp/my-blob.bin ``` ## Inspect detached blob signatures 
@@ -174,20 +190,20 @@ notation blob sign --key --signature-name my-blob-signature /tmp/my-b ```text -notation blob inspect [flags] /tmp/my-blob-signature.sig.jws +notation blob inspect [flags] /tmp/my-blob.bin.sig.jws ``` ### Inspect the given detached blob signature ```shell # Prerequisites: Signatures is produced by notation blob sign command -notation blob inspect /tmp/my-blob-signature.sig.jws +notation blob inspect /tmp/my-blob.bin.sig.jws ``` An example output: ```shell -Inspecting /tmp/my-blob-signature.sig.jws -/tmp/my-blob-signature.sig.jws +Inspecting /tmp/my-blob.bin.sig.jws +/tmp/my-blob.bin.sig.jws └── application/octet-stream ├── sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ├── signature algorithm: RSASSA-PSS-SHA-256 @@ -223,7 +239,7 @@ Inspecting /tmp/my-blob-signature.sig.jws ### Inspect the given detached blob signature with JSON Output ```shell -notation blob inspect -o json /tmp/my-blob-signature.sig.jws +notation blob inspect -o json /tmp/my-blob.bin.sig.jws ``` ## Verify detached blob signatures @@ -285,13 +301,13 @@ notation certificate add --type ca --store wabbit-networks wabbit-networks.crt # Create a JSON file named "trustpolicy.json" under directory "{NOTATION_CONFIG}". # Verify the detached signature -notation blob verify --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin +notation blob verify --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig.jws +Successfully verified signature /tmp/my-blob.bin.sig.jws ``` ### Verify the signature with user metadata 
@@ -300,13 +316,13 @@ Use the `--user-metadata` flag to verify that provided key-value pairs are prese ```shell # Verify the signature and verify that io.wabbit-networks.buildId=123 is present in the signed payload -notation blob verify --user-metadata io.wabbit-networks.buildId=123 --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin +notation blob verify --user-metadata io.wabbit-networks.buildId=123 --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig.jws +Successfully verified signature /tmp/my-blob.bin.sig.jws The blob signature is having the following user metadata. @@ -326,13 +342,13 @@ Use the `--media-type` flag to verify that signature is for the provided media-t ```shell # Verify the signature and verify that application/my-media-octet-stream is the media type -notation blob verify --media-type application/my-media-octet-stream --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin +notation blob verify --media-type application/my-media-octet-stream --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig.jws +Successfully verified signature /tmp/my-blob.bin.sig.jws The blob is of media type `application/my-media-octet-stream`. 
@@ -349,13 +365,13 @@ Error: signature verification failed: The blob is not of media type `application Use the `--policy-scope` flag to select a policy scope to verify the signature against. ```shell -notation blob verify --policy-scope blob-verification-selector --signature /tmp/my-blob-signature.sig.jws /tmp/my-blob.bin +notation blob verify --policy-scope blob-verification-selector --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob-signature.sig.jws using policy scope `blob-verification-selector` +Successfully verified signature /tmp/my-blob.bin.sig.jws using policy scope `blob-verification-selector` ``` An example of output messages for an unsuccessful verification: From 83ed0e524f86436ff04641565710c25e6371cbb5 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 17 Nov 2023 13:13:21 -0800 Subject: [PATCH 07/88] address Pritesh's comments Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 8c42b295d..907d317de 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
@@ -1,8 +1,8 @@ -# notation policy +# notation blob ## Description -Use `notation blob` command to sign, verify, and inspect signatures associated with arbitrary blobs. Notation can sign and verify any arbitrary bag of bits like zip files, documents, executables, etc. When a user signs a blob, `notation` produces a detached signature, which the user can transport/distribute in any medium that the user prefers along with the original blob. On the verification side, Notation can verify the blob's signature and assert that the blob has not been tampered with during its transmission. For more details, see [trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/signing-and-verification-workflow.md#blob-signing-workflow). +Use `notation blob` command to sign, verify, and inspect signatures associated with arbitrary blobs. Notation can sign and verify any arbitrary bag of bits like zip files, documents, executables, etc. When a user signs a blob, `notation` produces a detached signature, which the user can transport/distribute using any medium that the user prefers along with the original blob. On the verification side, Notation can verify the blob's signature and assert that the blob has not been tampered with during its transmission. For more details on how to create trust policy for verifying blobs, see [trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/signing-and-verification-workflow.md#blob-signing-workflow). ## Outline 
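Review bot: the link text in the description hunk says "trust policy specification and examples", but the target is `signing-and-verification-workflow.md#blob-signing-workflow`, which describes the signing and verification workflow rather than trust policy; either point the link at the trust policy document or rename the link text to match the target. Minor: "Use `notation blob` command" should be "Use the `notation blob` command".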
@@ -32,7 +32,7 @@ Usage: notation blob sign [flags] Flags: - -sd, --signature-directory path optional path where the detached signature needs to be placed (default: currently working directory) + -sd, --signature-directory path optional path where the detached signature needs to be placed (default: currently working directory) --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag @@ -243,7 +243,7 @@ notation blob inspect -o json /tmp/my-blob.bin.sig.jws ``` ## Verify detached blob signatures -The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a policy configuration file with Policies scoped to blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. +The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trsut policy file with Policies scoped to blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. - The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. - Policy named "skip-blob-verification-policy" is for skipping verification on blob artifacts scoped to `skip-blob-verification-selector`. From deff1fa5f2c5d95422389cd3b6ec91caf8b64922 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 17 Nov 2023 13:52:13 -0800 Subject: [PATCH 08/88] minor change 
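Review bot: the `@@ -243` hunk introduces the typo "trsut policy file" in the sentence it rewrites; correct it to "trust policy file" here rather than in a follow-up. The `@@ -32` hunk is a whitespace-only change to the `-sd, --signature-directory` line and should be dropped from the patch.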
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/policy.md b/specs/commandline/policy.md index 3c42d6854..07e72ff87 100644 --- a/specs/commandline/policy.md +++ b/specs/commandline/policy.md @@ -112,7 +112,7 @@ Policy language version 1.1 added support for verifying signatures associated wi } ``` -Note: Policy language version 1.1 renamed the field `registryScopes` from version 1.0 to `scopes`. The new field accepts values with prefixes `oci` or `blob` to limit a scope value to either OCI signature verification or Blob signature verification. While scope values with `blob` prefix can be of free-form text, values with `oci` prefix must be valid OCI references. `notation` supports both policy language versions 1.0 and 1.1. However, `notation` rejects policy configuration files with mixed terminology i.e. both `registryScopes` and `scopes` defined in a single configuration file. Users migrating from 1.0 to 1.1 can simply rename `registryScopes` to `scopes` and prefix the values with `oci`. +Note: Policy version 1.1 replaced the field `registryScopes` from version 1.0 with `scopes`. The new field accepts values with prefixes `oci` or `blob` to limit a scope value to either OCI signature verification or Blob signature verification. While scope values with `blob` prefix can be alpha-numeric text with `-` and `_` characters, values with `oci` prefix must be valid OCI references. `notation` supports both policy language versions 1.0 and 1.1. However, `notation` rejects policy configuration files with mixed terminology i.e. both `registryScopes` and `scopes` defined in a single configuration file. Users migrating from 1.0 to 1.1 can simply rename `registryScopes` to `scopes` and prefix the values with `oci`. Below is a sample Policy configuration file that verifies OCI artifacts using `scopes` field. ```jsonc 
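Review bot: the rewritten note restricts `blob` scope values to "alpha-numeric text with `-` and `_` characters", but the sample policy added earlier in this series uses `"scopes": [ "blob:*" ]`, and `*` is outside that set; the note should state that the wildcard `*` is allowed on its own. The same sentence switches between "Policy version 1.1" and "policy language versions 1.0 and 1.1"; use one term throughout.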
From 294a8d0329cbb77ef23366e3f84df62bbf649af8 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 24 Nov 2023 11:36:01 -0800 Subject: [PATCH 09/88] minor updates to help texts Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- specs/commandline/inspect.md | 4 +++- specs/commandline/sign.md | 4 +++- specs/commandline/verify.md | 4 +++- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 907d317de..8fcec0dae 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -243,7 +243,7 @@ notation blob inspect -o json /tmp/my-blob.bin.sig.jws ``` ## Verify detached blob signatures -The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trsut policy file with Policies scoped to blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. +The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trust policy file with Policies scoped to blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. - The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. - Policy named "skip-blob-verification-policy" is for skipping verification on blob artifacts scoped to `skip-blob-verification-selector`. diff --git a/specs/commandline/inspect.md b/specs/commandline/inspect.md index 88a441b60..62c31741d 100644 --- a/specs/commandline/inspect.md +++ b/specs/commandline/inspect.md 
@@ -2,7 +2,7 @@ ## Description -Use `notation inspect` command to inspect all the signatures associated a signed OCI artifact in a human readable format. +Use `notation inspect` command to inspect all the signatures associated with artifacts stored in OCI compliant registries in a human readable format. Upon successful execution, both the digest of the signed artifact and the digests of signatures manifest along with their properties associated with the signed artifact are printed in the following format: @@ -24,6 +24,8 @@ Upon successful execution, both the digest of the signed artifact and the digest └── ``` +NOTE: This command is for inspecting signatures associated with OCI artifacts only. Use `notation blob inspect` command for inspecting signatures associated with arbitrary blobs. + ## Outline ```text diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 58555eeda..f62105f14 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -2,7 +2,7 @@ ## Description -Use `notation sign` to sign OCI artifacts. +Use `notation sign` to sign artifacts stored in OCI compliant registries. Signs an OCI artifact stored in the registry. Always sign artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. If a tag is used, notation resolves the tag to the `digest` before signing. @@ -19,6 +19,8 @@ Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag( Successfully signed /@ ``` +NOTE: This command is for signing OCI artifacts only. Use `notation blob sign` command for signing arbitrary blobs. + ## Outline ```text diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index a47fb1430..a6e3a6a43 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md 
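Review bot: in the sign.md hunk the new opening sentence "Use `notation sign` to sign artifacts stored in OCI compliant registries." is directly followed by the unchanged "Signs an OCI artifact stored in the registry.", which now repeats it; merge the two or drop the second sentence. In the inspect.md, sign.md and verify.md hunks "OCI compliant" is used as a compound modifier and should read "OCI-compliant". The three added NOTE lines pointing at `notation blob inspect`, `notation blob sign` and `notation blob verify` are worded consistently, which is good.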
@@ -2,7 +2,7 @@ ## Description -Use `notation verify` command to verify signatures associated with an OCI artifact. Signature verification succeeds if verification succeeds for at least one of the signatures associated with the artifact. Upon successful verification, the output message is printed out as follows: +Use `notation verify` command to verify signatures associated with artifacts stored in OCI compliant registries. Signature verification succeeds if verification succeeds for at least one of the signatures associated with the artifact. Upon successful verification, the output message is printed out as follows: ```text Successfully verified signature for /@ @@ -25,6 +25,8 @@ The artifact was signed with the following user metadata. KEY VALUE ``` +NOTE: This command is for verifying OCI artifacts only. Use `notation blob verify` command for verifying arbitrary blobs. + ## Outline From a882cc9e6c8b0cc3e3d14b2cbfbd0c23dee06e91 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 3 Nov 2023 08:30:10 +0800 Subject: [PATCH 10/88] fix: improve error messages of notation CLI (#810) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- cmd/notation/inspect.go | 2 +- cmd/notation/list.go | 23 +++++++++- cmd/notation/manifest.go | 11 +++-- cmd/notation/registry.go | 6 ++- cmd/notation/registry_test.go | 12 +++--- cmd/notation/sign.go | 2 +- cmd/notation/verify.go | 22 +++++++++- go.mod | 19 +++++---- go.sum | 51 +++++++++++++---------- test/e2e/suite/trustpolicy/trust_store.go | 4 +- 10 files changed, 100 insertions(+), 52 deletions(-) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index a92b0c083..eb442fc46 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go 
@@ -94,7 +94,7 @@ Example - [Experimental] Inspect signatures on an OCI artifact identified by a d Long: longMessage, Args: func(cmd *cobra.Command, args []string) error { if len(args) == 0 { - return errors.New("missing reference") + return errors.New("missing reference to the artifact: use `notation inspect --help` to see what parameters are required") } opts.reference = args[0] return nil diff --git a/cmd/notation/list.go b/cmd/notation/list.go index e06215821..a651386eb 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -43,14 +43,32 @@ func listCommand(opts *listOpts) *cobra.Command { inputType: inputTypeRegistry, // remote registry by default } } + longMessage := `List all the signatures associated with signed artifact + +Example - List signatures of an OCI artifact: + notation list /@ + +Example - List signatures of an OCI artifact identified by a tag (Notation will resolve tag to digest) + notation list /: +` + experimentalExamples := ` +Example - [Experimental] List signatures of an OCI artifact using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema + notation list --allow-referrers-api /@ + +Example - [Experimental] List signatures of an OCI artifact referenced in an OCI layout + notation list --oci-layout "@" + +Example - [Experimental] List signatures of an OCI artifact identified by a tag and referenced in an OCI layout + notation list --oci-layout ":" +` command := &cobra.Command{ Use: "list [flags] ", Aliases: []string{"ls"}, Short: "List signatures of the signed artifact", - Long: "List all the signatures associated with signed artifact", + Long: longMessage, Args: func(cmd *cobra.Command, args []string) error { if len(args) == 0 { - return errors.New("no reference specified") + return errors.New("missing reference to the artifact: use `notation list --help` to see what parameters are required") } opts.reference = args[0] return nil 
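Review bot: the new "missing reference to the artifact: use `notation inspect --help` to see what parameters are required" message in inspect.go is repeated in list.go with only the command name changed, and the same pattern recurs for sign and verify later in this patch; a small helper that takes the command name, or one shared format string, would keep the four `Args` functions in sync the next time the wording changes. In the list.go hunk `experimentalExamples` is passed only to `experimental.HideFlags`, so a one-line comment on the variable saying when those examples appear in the help output would help the next reader.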
@@ -74,6 +92,7 @@ func listCommand(opts *listOpts) *cobra.Command { command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] list signatures stored in OCI image layout") experimental.HideFlags(command, "", []string{"allow-referrers-api", "oci-layout"}) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") + experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) return command } diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index af2e3e921..da33b1f72 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go @@ -48,7 +48,10 @@ func resolveReference(ctx context.Context, inputType inputType, reference string case inputTypeRegistry: ref, err := registry.ParseReference(reference) if err != nil { - return ocispec.Descriptor{}, "", fmt.Errorf("failed to resolve user input reference: %w", err) + return ocispec.Descriptor{}, "", fmt.Errorf("%q: %w. Expecting /: or /@", reference, err) + } + if ref.Reference == "" { + return ocispec.Descriptor{}, "", fmt.Errorf("%q: invalid reference: no tag or digest. Expecting /: or /@", reference) } tagOrDigestRef = ref.Reference resolvedRef = ref.Registry + "/" + ref.Repository 
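Review bot: the list.go hunk adds `experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"})` while the earlier call `experimental.HideFlags(command, "", []string{"allow-referrers-api", "oci-layout"})` remains two lines above it as unchanged context, so the same two flags are hidden twice and the first call is now dead; replace the original call instead of adding a second one. The `if ref.Reference == ""` check added to `resolveReference` in manifest.go is the right guard for references that carry neither a tag nor a digest.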
@@ -113,16 +116,16 @@ func parseOCILayoutReference(raw string) (string, string, error) { // find `tag` idx := strings.LastIndex(raw, ":") if idx == -1 || (idx == 1 && len(raw) > 2 && unicode.IsLetter(rune(raw[0])) && raw[2] == '\\') { - return "", "", notationerrors.ErrorOCILayoutMissingReference{} + return "", "", notationerrors.ErrorOCILayoutMissingReference{Msg: fmt.Sprintf("%q: invalid reference: missing tag or digest. Expecting : or @", raw)} } else { path, ref = raw[:idx], raw[idx+1:] } } if path == "" { - return "", "", fmt.Errorf("found empty file path in %q", raw) + return "", "", fmt.Errorf("%q: invalid reference: missing oci-layout file path. Expecting : or @", raw) } if ref == "" { - return "", "", fmt.Errorf("found empty reference in %q", raw) + return "", "", notationerrors.ErrorOCILayoutMissingReference{Msg: fmt.Sprintf("%q: invalid reference: missing tag or digest. Expecting : or @", raw)} } return path, ref, nil } diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index 2526e144a..7ef069f21 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go @@ -74,9 +74,11 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st logger := log.GetLogger(ctx) ref, err := registry.ParseReference(reference) if err != nil { - return nil, err + return nil, fmt.Errorf("%q: %w. Expecting /: or /@", reference, err) + } + if ref.Reference == "" { + return nil, fmt.Errorf("%q: invalid reference: no tag or digest. Expecting /: or /@", reference) } - // generate notation repository remoteRepo, err := getRepositoryClient(ctx, opts, ref) if err != nil { diff --git a/cmd/notation/registry_test.go b/cmd/notation/registry_test.go index 3566dac1a..5d5526a1f 100644 --- a/cmd/notation/registry_test.go +++ b/cmd/notation/registry_test.go 
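Review bot: `resolveReference` in manifest.go and `getRemoteRepository` in registry.go now carry byte-identical parse-error handling and `ref.Reference == ""` checks with the same "invalid reference: no tag or digest. Expecting ..." text; lift both into one helper (a `parseReference`-style function, name is only a suggestion) so the wording cannot drift between commands. In `parseOCILayoutReference` the two `notationerrors.ErrorOCILayoutMissingReference{Msg: fmt.Sprintf(...)}` literals also repeat the same format string; build the message once. Removing the `// generate notation repository` comment in registry.go is unrelated to the error-message change and would be cleaner in its own commit.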
@@ -33,7 +33,7 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) { t.Fatal("failed to enable experimental") } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method == http.MethodGet && r.URL.Path == "/v2/test/referrers/"+zeroDigest { + if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest { w.WriteHeader(http.StatusOK) w.Write([]byte(`{ "test": "TEST" }`)) return @@ -49,7 +49,7 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) { secureOpts := SecureFlagOpts{ InsecureRegistry: true, } - _, err = getRemoteRepository(context.Background(), &secureOpts, uri.Host+"/test", true) + _, err = getRemoteRepository(context.Background(), &secureOpts, uri.Host+"/test:v1", true) if err != nil { t.Errorf("getRemoteRepository() expected nil error, but got error: %v", err) } @@ -61,7 +61,7 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPINotSupported(t *testing.T) t.Fatal("failed to enable experimental") } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method == http.MethodGet && r.URL.Path == "/v2/test/referrers/"+zeroDigest { + if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest { w.WriteHeader(http.StatusNotFound) return } @@ -76,7 +76,7 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPINotSupported(t *testing.T) secureOpts := SecureFlagOpts{ InsecureRegistry: true, } - _, err = getRemoteRepository(context.Background(), &secureOpts, uri.Host+"/test", true) + _, err = getRemoteRepository(context.Background(), &secureOpts, uri.Host+"/test:v1", true) if err != nil { t.Errorf("getRemoteRepository() expected nil error, but got error: %v", err) } 
@@ -84,7 +84,7 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPINotSupported(t *testing.T) func TestRegistry_getRemoteRepositoryWithReferrersTagSchema(t *testing.T) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method == http.MethodGet && r.URL.Path == "/v2/test/referrers/"+zeroDigest { + if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest { w.WriteHeader(http.StatusOK) w.Write([]byte(`{ "test": "TEST" }`)) return @@ -100,7 +100,7 @@ func TestRegistry_getRemoteRepositoryWithReferrersTagSchema(t *testing.T) { secureOpts := SecureFlagOpts{ InsecureRegistry: true, } - _, err = getRemoteRepository(context.Background(), &secureOpts, uri.Host+"/test", false) + _, err = getRemoteRepository(context.Background(), &secureOpts, uri.Host+"/test:v1", false) if err != nil { t.Errorf("getRemoteRepository() expected nil error, but got error: %v", err) } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 784647695..5a1c5c8f7 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -90,7 +90,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced Long: longMessage, Args: func(cmd *cobra.Command, args []string) error { if len(args) == 0 { - return errors.New("missing reference") + return errors.New("missing reference to the artifact: use `notation sign --help` to see what parameters are required") } opts.reference = args[0] return nil diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index cfad73159..2ac0b9f48 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go 
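Review bot: in the registry_test.go hunks the reference passed to `getRemoteRepository` becomes `uri.Host+"/test:v1"`, which parses as repository `test` with tag `v1`, yet all four handlers now match `"/v2/test/v1/referrers/"+zeroDigest`; the referrers endpoint for repository `test` is `/v2/test/referrers/<digest>`, so please confirm the handler path really matches the request the client sends. If it does not, every request falls through to the handler's default branch and the "supported" and "not supported" cases no longer exercise different code paths while the tests still pass, because each only checks `if err != nil`.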
@@ -16,12 +16,14 @@ package main import ( "errors" "fmt" + "io/fs" "os" "reflect" "github.com/notaryproject/notation-go" "github.com/notaryproject/notation-go/verifier" "github.com/notaryproject/notation-go/verifier/trustpolicy" + "github.com/notaryproject/notation-go/verifier/truststore" "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/ioutil" @@ -73,7 +75,7 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t Long: longMessage, Args: func(cmd *cobra.Command, args []string) error { if len(args) == 0 { - return errors.New("missing reference") + return errors.New("missing reference to the artifact: use `notation verify --help` to see what parameters are required") } opts.reference = args[0] return nil @@ -157,6 +159,24 @@ func checkVerificationFailure(outcomes []*notation.VerificationOutcome, printOut // write out on failure if err != nil || len(outcomes) == 0 { if err != nil { + var errTrustStore truststore.TrustStoreError + if errors.As(err, &errTrustStore) { + if errors.Is(err, fs.ErrNotExist) { + return fmt.Errorf("%w. Use command 'notation cert add' to create and add trusted certificates to the trust store", errTrustStore) + } else { + return fmt.Errorf("%w. %w", errTrustStore, errTrustStore.InnerError) + } + } + + var errCertificate truststore.CertificateError + if errors.As(err, &errCertificate) { + if errors.Is(err, fs.ErrNotExist) { + return fmt.Errorf("%w. Use command 'notation cert add' to create and add trusted certificates to the trust store", errCertificate) + } else { + return fmt.Errorf("%w. %w", errCertificate, errCertificate.InnerError) + } + } + var errorVerificationFailed notation.ErrorVerificationFailed if !errors.As(err, &errorVerificationFailed) { return fmt.Errorf("signature verification failed: %w", err) diff --git a/go.mod b/go.mod index 291f509fc..8be77d5ed 100644 --- a/go.mod +++ b/go.mod 
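Review bot: in the `checkVerificationFailure` hunk the `truststore.TrustStoreError` and `truststore.CertificateError` branches are the same eight lines twice (`errors.Is(err, fs.ErrNotExist)` then the `notation cert add` hint, otherwise `fmt.Errorf("%w. %w", e, e.InnerError)`); factor them into one helper that takes the matched error and its `InnerError`. Drop the `else` after each `return` (golint's indent-error-flow), and add a comment that `fmt.Errorf` with two `%w` verbs needs Go 1.20, which the `go 1.20` directive in go.mod satisfies but which anyone lowering the minimum version would otherwise miss. Also note that an `fs.ErrNotExist` from the trust store is now returned without the "signature verification failed:" prefix that the remaining `errorVerificationFailed` path keeps; decide whether callers and the e2e keyword matchers rely on that prefix.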
@@ -3,8 +3,8 @@ module github.com/notaryproject/notation go 1.20 require ( - github.com/notaryproject/notation-core-go v1.0.0 - github.com/notaryproject/notation-go v1.0.0 + github.com/notaryproject/notation-core-go v1.0.1 + github.com/notaryproject/notation-go v1.0.1-0.20231028005734-765d02b5beed github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 @@ -12,20 +12,21 @@ require ( github.com/spf13/cobra v1.7.0 github.com/spf13/pflag v1.0.5 golang.org/x/term v0.13.0 - oras.land/oras-go/v2 v2.3.0 + oras.land/oras-go/v2 v2.3.1 ) require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect - github.com/fxamacker/cbor/v2 v2.4.0 // indirect - github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect - github.com/go-ldap/ldap/v3 v3.4.5 // indirect + github.com/fxamacker/cbor/v2 v2.5.0 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect + github.com/go-ldap/ldap/v3 v3.4.6 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.11.0 // indirect - golang.org/x/mod v0.12.0 // indirect - golang.org/x/sync v0.3.0 // indirect + golang.org/x/crypto v0.14.0 // indirect + golang.org/x/mod v0.13.0 // indirect + golang.org/x/sync v0.4.0 // indirect golang.org/x/sys v0.13.0 // indirect ) diff --git a/go.sum b/go.sum index ba155f59e..25e288b84 100644 --- a/go.sum +++ b/go.sum 
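Review bot: the go.mod hunk pins `github.com/notaryproject/notation-go v1.0.1-0.20231028005734-765d02b5beed`, a pseudo-version pointing at an untagged upstream commit, in the same change that bumps `notation-core-go` to v1.0.1 and several indirect dependencies. A release build should not depend on an untagged commit, and mixing the dependency bump with the error-message fix means neither can be reverted on its own; either wait for the tagged notation-go release (patch 11 in this series does switch to v1.0.1) or split the bump into its own commit.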
@@ -6,20 +6,22 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= -github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= -github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= -github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-ldap/ldap/v3 v3.4.5 h1:ekEKmaDrpvR2yf5Nc/DClsGG9lAmdDixe44mLzlW5r8= -github.com/go-ldap/ldap/v3 v3.4.5/go.mod h1:bMGIq3AGbytbaMwf8wdv5Phdxz0FWHTIYMSzyrYgnQs= +github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= +github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= +github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= +github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go 
v1.0.0 h1:FgOAihtFW4XU9JYyTzItg1xW3OaN4eCasw5Bp00Ydu4= -github.com/notaryproject/notation-core-go v1.0.0/go.mod h1:eoHFJ2e6b31GZO9hckCms5kfXvHLTySvJ1QwRLB9ZCk= -github.com/notaryproject/notation-go v1.0.0 h1:pH+0NVmZu1IhE8zUhK9Oxna3OlHNdy+crNntnuCiThs= -github.com/notaryproject/notation-go v1.0.0/go.mod h1:NpfUnDt94vLSCJ8fAWplgTbf3fmq3JLSEnjDFl7j16U= +github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= +github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= +github.com/notaryproject/notation-go v1.0.1-0.20231028005734-765d02b5beed h1:eKFicg1uGbBce3YGYSTpSrWibw4aS0OsuGzAuUjbgFU= +github.com/notaryproject/notation-go v1.0.1-0.20231028005734-765d02b5beed/go.mod h1:VonyZsbocRQQNIDq/VPV5jKJOQwDH3gvfK4cXNpUA0U= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= 
@@ -48,23 +50,23 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= +golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/sync 
v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -72,20 +74,23 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0/go.mod 
h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= @@ -95,5 +100,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.3.0 h1:lqX1aXdN+DAmDTKjiDyvq85cIaI4RkIKp/PghWlAGIU= -oras.land/oras-go/v2 v2.3.0/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ= +oras.land/oras-go/v2 v2.3.1 h1:lUC6q8RkeRReANEERLfH86iwGn55lbSWP20egdFHVec= +oras.land/oras-go/v2 v2.3.1/go.mod h1:5AQXVEu1X/FKp1F9DMOb5ZItZBOa0y5dha0yCm4NR9c= diff --git a/test/e2e/suite/trustpolicy/trust_store.go b/test/e2e/suite/trustpolicy/trust_store.go index b918d489e..099801bf3 100644 --- a/test/e2e/suite/trustpolicy/trust_store.go +++ b/test/e2e/suite/trustpolicy/trust_store.go @@ -41,9 +41,7 @@ var _ = Describe("notation trust policy trust store test", func() { artifact := GenerateArtifact("e2e-valid-signature", "") notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). - MatchErrKeyWords("authenticity validation failed", - "truststore/x509/ca/invalid_store\\\" does not exist", - VerifyFailed) + MatchErrKeyWords("the trust store \"invalid_store\" of type \"ca\" does not exist") }) }) From 14b6b44b6916c1c7721e3074058c1236b380b4fd Mon Sep 17 00:00:00 2001 
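Review bot: the trust_store.go hunk narrows the expected error from three keywords (`authenticity validation failed`, the `truststore/x509/ca/invalid_store` path, `VerifyFailed`) to the single string "the trust store \"invalid_store\" of type \"ca\" does not exist". That matches the new `TrustStoreError` branch in verify.go, but the test no longer checks the remediation hint ("Use command 'notation cert add' to create and add trusted certificates to the trust store") that the same branch appends, so a regression that drops the hint would still pass; add it as a second keyword. Also confirm that dropping `VerifyFailed` is intended, since the new branch returns before the "signature verification failed" wrapping is applied.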
From: Patrick Zheng Date: Fri, 3 Nov 2023 10:08:03 +0800 Subject: [PATCH 11/88] bump: update dependencies (#815) Bumping up to notation-go v1.0.1. As https://github.com/notaryproject/notation/pull/810 is merged, bumping up build is successful now. --------- Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8be77d5ed..7abcc4d2e 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/notaryproject/notation-core-go v1.0.1 - github.com/notaryproject/notation-go v1.0.1-0.20231028005734-765d02b5beed + github.com/notaryproject/notation-go v1.0.1 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 diff --git a/go.sum b/go.sum index 25e288b84..65b112dc5 100644 --- a/go.sum +++ b/go.sum 
@@ -20,8 +20,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= -github.com/notaryproject/notation-go v1.0.1-0.20231028005734-765d02b5beed h1:eKFicg1uGbBce3YGYSTpSrWibw4aS0OsuGzAuUjbgFU= -github.com/notaryproject/notation-go v1.0.1-0.20231028005734-765d02b5beed/go.mod h1:VonyZsbocRQQNIDq/VPV5jKJOQwDH3gvfK4cXNpUA0U= +github.com/notaryproject/notation-go v1.0.1 h1:D3fqG3eaBKVESRySV/Tg//MyTg2Q1nTKPh/t2q9LpSw= +github.com/notaryproject/notation-go v1.0.1/go.mod h1:VonyZsbocRQQNIDq/VPV5jKJOQwDH3gvfK4cXNpUA0U= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= From 2d5896f4e393af150adef8ee39c5a03b8c334626 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Nov 2023 03:10:39 +0000 Subject: [PATCH 12/88] build(deps): Bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#814) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a8c771fcb..8203c6d62 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -44,7 +44,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # tag=v2.3.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1 with: results_file: results.sarif results_format: sarif From 67680e5a3bd19afca7aa90cf800ba858ee606607 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Nov 2023 03:11:16 +0000 Subject: [PATCH 13/88] build(deps): Bump github/codeql-action from 2.22.0 to 2.22.5 (#813) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2d99d3eed..6cd074bc9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -45,8 +45,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0 + uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0 + uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 8203c6d62..29b7f0944 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,6 +59,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0 + uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: sarif_file: results.sarif 
From cd982bd39c56c37ea31db94222972809ce343ff5 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Sat, 4 Nov 2023 09:14:09 +0800 Subject: [PATCH 14/88] bump: bump up dependencies including E2E tests (#818) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- test/e2e/go.mod | 4 +-- test/e2e/go.sum | 8 +++--- test/e2e/plugin/go.mod | 21 ++++++++-------- test/e2e/plugin/go.sum | 55 +++++++++++++++++++++++------------------- 4 files changed, 47 insertions(+), 41 deletions(-) diff --git a/test/e2e/go.mod b/test/e2e/go.mod index c7944444a..a7f32d798 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -3,7 +3,7 @@ module github.com/notaryproject/notation/test/e2e go 1.20 require ( - github.com/notaryproject/notation-core-go v1.0.0 + github.com/notaryproject/notation-core-go v1.0.1 github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 github.com/opencontainers/image-spec v1.1.0-rc4 @@ -11,7 +11,7 @@ require ( ) require ( - github.com/fxamacker/cbor/v2 v2.4.0 // indirect + github.com/fxamacker/cbor/v2 v2.5.0 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/google/go-cmp v0.5.9 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index a938441dd..d1f0f966d 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
@@ -1,8 +1,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= -github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= +github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= @@ -12,8 +12,8 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9tRnGuw+ZVCB3FazXODD6JE1R8= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= -github.com/notaryproject/notation-core-go v1.0.0 h1:FgOAihtFW4XU9JYyTzItg1xW3OaN4eCasw5Bp00Ydu4= -github.com/notaryproject/notation-core-go v1.0.0/go.mod h1:eoHFJ2e6b31GZO9hckCms5kfXvHLTySvJ1QwRLB9ZCk= +github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= +github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= 
diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 441b0db62..2a544e1b5 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -4,25 +4,26 @@ go 1.20 require ( github.com/golang-jwt/jwt v3.2.2+incompatible - github.com/notaryproject/notation-core-go v1.0.0 - github.com/notaryproject/notation-go v1.0.0 + github.com/notaryproject/notation-core-go v1.0.1 + github.com/notaryproject/notation-go v1.0.1 github.com/spf13/cobra v1.7.0 ) require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect - github.com/fxamacker/cbor/v2 v2.4.0 // indirect - github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect - github.com/go-ldap/ldap/v3 v3.4.5 // indirect + github.com/fxamacker/cbor/v2 v2.5.0 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect + github.com/go-ldap/ldap/v3 v3.4.6 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc4 // indirect + github.com/opencontainers/image-spec v1.1.0-rc5 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.11.0 // indirect - golang.org/x/mod v0.12.0 // indirect - golang.org/x/sync v0.3.0 // indirect - oras.land/oras-go/v2 v2.2.1 // indirect + golang.org/x/crypto v0.14.0 // indirect + golang.org/x/mod v0.13.0 // indirect + golang.org/x/sync v0.4.0 // indirect + oras.land/oras-go/v2 v2.3.1 // indirect ) diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index a2af753f5..89a136b50 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -6,26 +6,28 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= -github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= -github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= -github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-ldap/ldap/v3 v3.4.5 h1:ekEKmaDrpvR2yf5Nc/DClsGG9lAmdDixe44mLzlW5r8= -github.com/go-ldap/ldap/v3 v3.4.5/go.mod h1:bMGIq3AGbytbaMwf8wdv5Phdxz0FWHTIYMSzyrYgnQs= +github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= +github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= +github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= +github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc= github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap 
v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go v1.0.0 h1:FgOAihtFW4XU9JYyTzItg1xW3OaN4eCasw5Bp00Ydu4= -github.com/notaryproject/notation-core-go v1.0.0/go.mod h1:eoHFJ2e6b31GZO9hckCms5kfXvHLTySvJ1QwRLB9ZCk= -github.com/notaryproject/notation-go v1.0.0 h1:pH+0NVmZu1IhE8zUhK9Oxna3OlHNdy+crNntnuCiThs= -github.com/notaryproject/notation-go v1.0.0/go.mod h1:NpfUnDt94vLSCJ8fAWplgTbf3fmq3JLSEnjDFl7j16U= +github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= +github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= +github.com/notaryproject/notation-go v1.0.1 h1:D3fqG3eaBKVESRySV/Tg//MyTg2Q1nTKPh/t2q9LpSw= +github.com/notaryproject/notation-go v1.0.1/go.mod h1:VonyZsbocRQQNIDq/VPV5jKJOQwDH3gvfK4cXNpUA0U= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= -github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= +github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -45,39 +47,42 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= +golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/sync 
v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= 
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= @@ -87,5 +92,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.2.1 h1:3VJTYqy5KfelEF9c2jo1MLSpr+TM3mX8K42wzZcd6qE= -oras.land/oras-go/v2 v2.2.1/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ= +oras.land/oras-go/v2 v2.3.1 h1:lUC6q8RkeRReANEERLfH86iwGn55lbSWP20egdFHVec= +oras.land/oras-go/v2 v2.3.1/go.mod h1:5AQXVEu1X/FKp1F9DMOb5ZItZBOa0y5dha0yCm4NR9c= From a8566bc3996c494727d922ff9c9bdb978c3a9283 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Sat, 4 Nov 2023 09:14:49 +0800 Subject: [PATCH 15/88] fix: add "release-*" to workflows trigger events (#819) Signed-off-by: Patrick Zheng 
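Review bot: in PATCH 14/88 the two e2e modules now pin different pre-release versions of the same dependency: test/e2e/go.mod keeps `github.com/opencontainers/image-spec v1.1.0-rc4` (unchanged context in its first hunk) while test/e2e/plugin/go.mod moves to `github.com/opencontainers/image-spec v1.1.0-rc5 // indirect`; align both on rc5 so the test harness and the test plugin agree on the image-spec types they exchange.

Review bot: the new `h1:` lines in both go.sum files (for example `github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw=`) are the integrity anchor for everything the e2e suite builds, so confirm them against the Go checksum database (sum.golang.org, the default GOSUMDB) rather than accepting them from the PR; running `go mod download` in CI with GOSUMDB left at its default does this check on every entry. The unchanged `/go.mod` hashes for cbor v2.5.0, asn1-ber v1.5.5 and image-spec rc5 are expected when only the package code, not the module's go.mod, changed between versions.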
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 8 ++++++-- .github/workflows/license-checker.yml | 8 ++++++-- .github/workflows/scorecard.yml | 4 +++- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6cd074bc9..30bf2477f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,9 +15,13 @@ name: "CodeQL" on: push: - branches: main + branches: + - main + - release-* pull_request: - branches: main + branches: + - main + - release-* schedule: - cron: '38 21 * * 1' diff --git a/.github/workflows/license-checker.yml b/.github/workflows/license-checker.yml index 07303f82e..54e121173 100644 --- a/.github/workflows/license-checker.yml +++ b/.github/workflows/license-checker.yml @@ -15,9 +15,13 @@ name: License Checker on: push: - branches: main + branches: + - main + - release-* pull_request: - branches: main + branches: + - main + - release-* permissions: contents: read diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 29b7f0944..83ba9ceb2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -18,7 +18,9 @@ on: # Weekly on Saturdays. - cron: '30 1 * * 6' push: - branches: [ main ] + branches: + - main + - release-* paths: - '!docs/**' - '!specs/**' From 039d2926110a789fad5a9252a51edc12c76827f6 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 15 Nov 2023 09:00:56 +0800 Subject: [PATCH 16/88] fix: fix the license check (#826) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- internal/trace/context.go | 13 +++++++++++++ internal/trace/context_test.go | 13 +++++++++++++ internal/trace/transport.go | 13 +++++++++++++ internal/trace/transport_test.go | 13 +++++++++++++ test/e2e/internal/utils/exec.go | 13 +++++++++++++ 5 files changed, 65 insertions(+) 
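Review bot: PATCH 15/88 adds `release-*` only to codeql.yml, license-checker.yml and scorecard.yml (per the diffstat); if any other workflow under .github/workflows still triggers on `branches: main` alone, pushes to release branches would continue to skip it, so check the remaining workflows for the same pattern before merging. For scorecard.yml the single hunk is complete, since `push` (plus the weekly cron) is its only branch-filtered trigger. Style: the unquoted glob `release-*` is valid YAML, but quoting it as `- 'release-*'` would match how the cron expressions in the same files are already quoted.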
diff --git a/internal/trace/context.go b/internal/trace/context.go index 50d59a26a..8563d73ee 100644 --- a/internal/trace/context.go +++ b/internal/trace/context.go @@ -1,3 +1,16 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + // Copied and adapted from oras (https://github.com/oras-project/oras) /* Copyright The ORAS Authors. diff --git a/internal/trace/context_test.go b/internal/trace/context_test.go index 3d640b968..14e35976d 100644 --- a/internal/trace/context_test.go +++ b/internal/trace/context_test.go @@ -1,3 +1,16 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + // Copied and adapted from oras (https://github.com/oras-project/oras) /* Copyright The ORAS Authors. diff --git a/internal/trace/transport.go b/internal/trace/transport.go index ec386bcd7..e75d334d0 100644 --- a/internal/trace/transport.go +++ b/internal/trace/transport.go 
@@ -1,3 +1,16 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + // Copied and adapted from oras (https://github.com/oras-project/oras) /* Copyright The ORAS Authors. diff --git a/internal/trace/transport_test.go b/internal/trace/transport_test.go index 601f93072..58e6dfbc2 100644 --- a/internal/trace/transport_test.go +++ b/internal/trace/transport_test.go @@ -1,3 +1,16 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + // Copied and adapted from oras (https://github.com/oras-project/oras) /* Copyright The ORAS Authors. diff --git a/test/e2e/internal/utils/exec.go b/test/e2e/internal/utils/exec.go index df1e2ca94..32307377a 100644 --- a/test/e2e/internal/utils/exec.go +++ b/test/e2e/internal/utils/exec.go 
@@ -1,3 +1,16 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + // copied and adopted from https://github.com/oras-project/oras with // modification /* From 92293430fd862cff9426c18901e7d9395f4c2f25 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 20 Nov 2023 14:36:54 +0800 Subject: [PATCH 17/88] bump: bump up to go version 1.21 (#833) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 7abcc4d2e..b1254d35f 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/notaryproject/notation -go 1.20 +go 1.21 require ( github.com/notaryproject/notation-core-go v1.0.1 From 8791d268587bcc2a3c684f0db90cbac6a000f5cb Mon Sep 17 00:00:00 2001 From: Feynman Zhou Date: Tue, 21 Nov 2023 07:59:21 +0800 Subject: [PATCH 18/88] doc: update plugin spec (#809) Signed-off-by: Feynman Zhou Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/plugin.md | 101 +++++++++++++++++++++++++++++------- 1 file changed, 82 insertions(+), 19 deletions(-) diff --git a/specs/commandline/plugin.md b/specs/commandline/plugin.md index be34979ef..9cfdea42e 100644 --- a/specs/commandline/plugin.md +++ b/specs/commandline/plugin.md 
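Review bot: in the test/e2e/internal/utils/exec.go hunk of PATCH 16/88 the retained attribution comment reads `// copied and adopted from https://github.com/oras-project/oras with`, whereas the other four files say `// Copied and adapted from oras`; since the header block is being edited anyway, change "adopted" to "adapted" (and the capitalisation) so all five attribution comments read the same. Keeping the original ORAS copyright block beneath the new Notary Project header is correct for Apache-2.0 attribution and should stay as shown.

Review bot: PATCH 17/88 raises the root go.mod to `go 1.21`, which Go 1.21 and later treat as a minimum required toolchain version rather than a language-level hint; the CI Go matrix (codeql.yml resolves `go-version: ${{ matrix.go-version }}`) must therefore contain only 1.21 or newer entries, and test/e2e/go.mod and test/e2e/plugin/go.mod, which PATCH 14/88 shows still declaring `go 1.20`, should be bumped in the same change so the e2e harness builds under the same minimum as the product.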
@@ -2,7 +2,7 @@ ## Description -Use `notation plugin` to manage plugins. See notation [plugin documentation](https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details. The `notation plugin` command by itself performs no action. In order to operate on a plugin, one of the subcommands must be used. +Use `notation plugin` to manage plugins. See notation [plugin documentation](https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details. The `notation plugin` command by itself performs no action. In order to manage notation plugins, one of the subcommands must be used. ## Outline @@ -15,9 +15,9 @@ Usage: notation plugin [command] Available Commands: + install Install a plugin list List installed plugins - install Installs a plugin - remove Removes a plugin + uninstall Uninstall a plugin Flags: -h, --help help for plugin 
@@ -41,51 +41,114 @@ Aliases: ### notation plugin install ```text -Installs a plugin +Install a plugin Usage: - notation plugin install [flags] + notation plugin install [flags] <--file|--url> Flags: - -h, --help help for install - -f, --force force the installation of a plugin + -d, --debug debug mode + --file install plugin from a file in file system + --force force the installation of a plugin + -h, --help help for install + --sha256sum string must match SHA256 of the plugin source + --url install plugin from an HTTPS URL + -v, --verbose verbose mode Aliases: install, add ``` -### notation plugin remove +### notation plugin uninstall ```text -Removes a plugin +Uninstall a plugin Usage: - notation plugin remove [flags] + notation plugin uninstall [flags] Flags: -h, --help help for remove - + -y, --yes do not prompt for confirmation Aliases: - remove, rm, uninstall, delete + uninstall, remove, rm ``` ## Usage -### Install a plugin +## Install a plugin + +### Install a plugin from file system + +Install a Notation plugin from file system. Plugin file supports `.zip` and `.tar.gz` format. The checksum validation is optional for this case. ```shell -notation plugin install +$ notation plugin install --file +``` + +Upon successful execution, the plugin is copied to Notation's plugin directory. If the plugin directory does not exist, it will be created. The name and version of the installed plugin are displayed as follows. + +```console +Successfully installed plugin , version +``` + +If the entered plugin checksum digest doesn't match the published checksum, Notation will return an error message and will not start installation. + +```console +Error: failed to install the plugin: plugin checksum does not match user input. Expecting +``` + +If the plugin version is higher than the existing plugin, Notation will start installation and overwrite the existing plugin. 
+ +```console +Successfully installed plugin , updated the version from to +``` + +If the plugin version is equal to the existing plugin, Notation will not start installation and return the following message. Users can use a flag `--force` to skip plugin version check and force the installation. + +```console +Error: failed to install the plugin: with version already exists. +``` + +If the plugin version is lower than the existing plugin, Notation will return an error message and will not start installation. Users can use a flag `--force` to skip plugin version check and force the installation. + +```console +Error: failed to install the plugin: . The installing plugin version is lower than the existing plugin version . +It is not recommended to install an older version. To force the installation, use the "--force" option. ``` +### Install a plugin from URL -Upon successful execution, the plugin is copied to plugins directory and name+version of plugin is displayed. If the plugin directory does not exist, it will be created. When an existing plugin is detected, the versions are compared and if the existing plugin is a lower version then it is replaced by the newer version. +Install a Notation plugin from a remote location and verify the plugin checksum. Notation only supports installing plugins from an HTTPS URL, which means that the URL must start with "https://". + +```shell +$ notation plugin install --sha256sum --url +``` ### Uninstall a plugin ```shell -notation plugin remove +notation plugin uninstall +``` + +Upon successful execution, the plugin is uninstalled from the plugin directory. + +```shell +Are you sure you want to uninstall plugin ""? [y/n] y +Successfully uninstalled +``` + +Uninstall the plugin without prompt for confirmation. + +```shell +notation plugin uninstall --yes ``` -Upon successful execution, the plugin is removed from the plugins directory. 
If the plugin is not found, an error is returned showing the syntax for the plugin list command to show the installed plugins. +If the plugin is not found, an error is returned showing the syntax for the plugin list command to show the installed plugins. + +```shell +Error: unable to find plugin . +To view a list of installed plugins, use "notation plugin list" +``` ### List installed plugins @@ -99,6 +162,6 @@ An example of output from `notation plugin list`: ```text NAME DESCRIPTION VERSION CAPABILITIES ERROR -azure-kv Sign artifacts with keys in Azure Key Vault v0.5.0-rc.1 [SIGNATURE_GENERATOR.RAW] -com.amazonaws.signer.notation.plugin AWS Signer plugin for Notation 1.0.290 [SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK] +azure-kv Sign artifacts with keys in Azure Key Vault v1.0.0 Signature generation +com.amazonaws.signer.notation.plugin AWS Signer plugin for Notation 1.0.290 Signature envelope generation, Trusted Identity validation, Certificate chain revocation check ``` From 33bf39b06bb4af5b50aa633bc90577827c0308f6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 08:03:15 +0800 Subject: [PATCH 19/88] build(deps): Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#823) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 2 +- go.sum | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index b1254d35f..5bbb4c412 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 github.com/sirupsen/logrus v1.9.3 - github.com/spf13/cobra v1.7.0 + github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 golang.org/x/term v0.13.0 oras.land/oras-go/v2 v2.3.1 
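Review bot: in the `notation plugin uninstall` help-text hunk of PATCH 18/88 the line `-h, --help help for remove` is left unchanged while the command is renamed from `remove` to `uninstall`; Cobra derives this string from the command name, so the real output reads `help for uninstall` and the spec should match it.

Review bot: the heading levels in the Usage section become inconsistent in this patch: `### Install a plugin` is promoted to `## Install a plugin` (a sibling of `## Usage`) with `### Install a plugin from file system` and `### Install a plugin from URL` beneath it, while `### Uninstall a plugin` and `### List installed plugins` remain one level down; either keep `### Install a plugin` with `####` sub-headings or promote the other two as well.

Review bot: the checksum-mismatch error (`Error: failed to install the plugin: plugin checksum does not match user input. Expecting`) is documented under "Install a plugin from file system", the same section that says checksum validation is optional there; state explicitly that this error applies only when `--sha256sum` is supplied, and that for `--url` installs the flag is required (as the URL example shows) so an unverified download is never written into the plugin directory. It would also help to say where the expected digest should come from (the plugin publisher's release notes or checksum file), because a checksum copied from the same untrusted source as the download verifies nothing.

Review bot: the uninstall output blocks (`Are you sure you want to uninstall plugin ""? [y/n] y` and the `Error: unable to find plugin` block) are fenced as `shell` while the install outputs in the same patch are fenced as `console`; use `console` for all captured output. Minor wording in the added prose: "Uninstall the plugin without prompt for confirmation." reads better as "without prompting for confirmation".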
diff --git a/go.sum b/go.sum index 65b112dc5..d30a5638e 100644 --- a/go.sum +++ b/go.sum @@ -2,7 +2,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -33,8 +33,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
From 9802c0d067946f5c9f1b8525230d8990370866d8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 03:16:15 +0000 Subject: [PATCH 20/88] build(deps): Bump github/codeql-action from 2.22.5 to 2.22.7 (#835) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 30bf2477f..e37b2c66f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 + uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 + uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 83ba9ceb2..12a0edd58 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 + uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 with: sarif_file: results.sarif From 993c1a78d24ddd0e49a4e6a63f099bf6e1238840 Mon Sep 17 00:00:00 2001 
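Review bot: the codeql-action bumps in PATCH 20/88 keep each `uses:` pinned to a full commit SHA with the version in a trailing comment, which is the right pattern; the reviewer check is that `66b90a5db151a8042fa97405c6cf843bbe433f7b` really is the commit behind the v2.22.7 tag in github/codeql-action, because the runner never validates the comment and a mismatched SHA would run a different revision of the action without any error. The same SHA is used for init, analyze and upload-sarif across both workflow files, so the bump is at least internally consistent.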
From: Cameron Rozean Date: Tue, 21 Nov 2023 19:21:15 -0800 Subject: [PATCH 21/88] Correct broken link to quick start guide (#831) Similarly to https://github.com/notaryproject/notaryproject.dev/issues/360, I attempted to follow the link in the README.md for the quick start guide and discovered the broken link. Linking to the official page. URL: https://notaryproject.dev/docs/quickstart/ Expected page: https://notaryproject.dev/docs/quickstart-guides/quickstart-sign-image-artifact/ Signed-off-by: Cameron Rozean Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0316c149c..c50e9f564 100644 --- a/README.md +++ b/README.md @@ -24,10 +24,10 @@ You can find the Notary Project [README](https://github.com/notaryproject/.githu ## Quick Start -- [Quick start: Sign and validate a container image](https://notaryproject.dev/docs/quickstart-guides/quickstart/) +- [Quick start: Sign and validate a container image](https://notaryproject.dev/docs/quickstart-guides/quickstart-sign-image-artifact/) - [Try out Notation in this Killercoda interactive sandbox environment](https://killercoda.com/notaryproject/scenario/notation) - Build, sign, and verify container images using Notation with [Azure Key Vault](https://docs.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push?wt.mc_id=azurelearn_inproduct_oss_notaryproject) or [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/container-workflow.html) - + ## Community Notary Project is a [CNCF Incubating project](https://www.cncf.io/projects/notary/). We :heart: your contribution. From 1102d9c6ee981e90a3c28d2fe2413602d2ed8ae1 Mon Sep 17 00:00:00 2001 From: Yi Zha Date: Tue, 28 Nov 2023 14:37:22 +0800 Subject: [PATCH 22/88] chore: update tag to digest (#837) Signed-off-by: Yi Zha 
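Review bot: besides the link fix, the README hunk in PATCH 21/88 also strips trailing whitespace from the blank line before `## Community` (the `- ` line replaced by an empty `+` line); harmless, but unrelated whitespace churn is easier to review when it is either left out of a one-line link fix or mentioned in the commit message. The new target `https://notaryproject.dev/docs/quickstart-guides/quickstart-sign-image-artifact/` matches the expected page named in the commit message.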
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/list.md b/specs/commandline/list.md index b5053f6f8..d73be9758 100644 --- a/specs/commandline/list.md +++ b/specs/commandline/list.md @@ -49,7 +49,7 @@ notation list /: An example output: ```shell -localhost:5000/net-monitor:v1 +localhost:5000/net-monitor@sha256:8456f085dd609fd12cdebc5f80b6f33f25f670a7a9a03c8fa750b8aee0c4d657 └── application/vnd.cncf.notary.signature ├── sha256:647039638efb22a021f59675c9449dd09956c981a44b82c1ff074513c2c9f273 └── sha256:6bfb3c4fd485d6810f9656ddd4fb603f0c414c5f0b175ef90eeb4090ebd9bfa1 From 604b8c29558c79d6016d0588eadced528dadc6d8 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Tue, 5 Dec 2023 14:37:40 -0800 Subject: [PATCH 23/88] fix nits Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 8fcec0dae..26239a6ab 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -32,7 +32,7 @@ Usage: notation blob sign [flags] Flags: - -sd, --signature-directory path optional path where the detached signature needs to be placed (default: currently working directory) + -sd, --signature-directory string optional path where the blob signature needs to be placed (default: currently working directory) --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag 
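Review bot: in the specs/commandline/list.md hunk of PATCH 22/88 the example output now begins with the digest form `localhost:5000/net-monitor@sha256:8456f085dd609fd12cdebc5f80b6f33f25f670a7a9a03c8fa750b8aee0c4d657` while the command above it is still shown being invoked with a tag reference; add a sentence saying that notation resolves the tag to its manifest digest and prints the digest, so readers understand why the reported reference differs from the one they typed. Showing the digest is the right choice, since a tag can be repointed after signing and the manifest digest is what the signature actually covers.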
@@ -40,7 +40,7 @@ Flags: --plugin string signing plugin name. This is mutually exclusive with the --key flag --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. --signature-format string signature envelope format, options: "jws", "cose" (default "jws") - --force skip user confirmation and force overwrite the existing detached signature file + --force skip user confirmation and force overwrite the existing blob signature file -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload -d, --debug debug mode -v, --verbose verbose mode @@ -71,7 +71,7 @@ Usage: notation blob verify [flags] --signature Flags: - -s, --signature path location of the detached signature + -s, --signature string location of the blob signature file --media-type string optional media type of the blob to verify --policy-scope string optional policy scope to verify against. If not provided, notation verifies against wildcard policy if it exists. -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided @@ -108,7 +108,7 @@ Successfully signed /tmp/my-blob.bin Signature file written to ./my-blob.bin.sig.jws ``` -### Sign a blob by generating the detached signature in a particular directory +### Sign a blob by generating the signature in a particular directory ```shell $ notation blob sign --signature-directory /tmp/xyz/sigs /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin 
@@ -184,16 +184,16 @@ notation key list notation blob sign --key /tmp/my-blob.bin ``` -## Inspect detached blob signatures +## Inspect blob signatures -### Display details of the given detached blob signature and its associated certificate properties +### Display details of the given blob signature and its associated certificate properties ```text notation blob inspect [flags] /tmp/my-blob.bin.sig.jws ``` -### Inspect the given detached blob signature +### Inspect the given blob signature ```shell # Prerequisites: Signatures is produced by notation blob sign command @@ -236,13 +236,13 @@ Inspecting /tmp/my-blob.bin.sig.jws └── size: 16724 ``` -### Inspect the given detached blob signature with JSON Output +### Inspect the given blob signature with JSON Output ```shell notation blob inspect -o json /tmp/my-blob.bin.sig.jws ``` -## Verify detached blob signatures +## Verify blob signatures The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trust policy file with Policies scoped to blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. - The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. @@ -288,7 +288,7 @@ The `notation blob verify` command can be used to verify blob signatures. In ord } ``` -### Verify the detached signature of a blob +### Verify the signature of a blob Configure trust store and trust policy properly before using `notation blob verify` command. @@ -300,7 +300,7 @@ notation certificate add --type ca --store wabbit-networks wabbit-networks.crt # Create a JSON file named "trustpolicy.json" under directory "{NOTATION_CONFIG}". -# Verify the detached signature +# Verify the blob signature notation blob verify --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin ``` 
@@ -357,7 +357,7 @@ The blob is of media type `application/my-media-octet-stream`. An example of output messages for an unsuccessful verification: ```text -Error: signature verification failed: The blob is not of media type `application/my-media-octet-stream`. +Error: signature verification failed: The blob's media type `application/xyz` and not matching `application/my-media-octet-stream`. ``` ### Verify the signature using a policy scope @@ -377,5 +377,5 @@ Successfully verified signature /tmp/my-blob.bin.sig.jws using policy scope `blo An example of output messages for an unsuccessful verification: ```text -Error: signature verification failed for Policy scope `blob-verification-selector` +Error: signature verification failed for policy scope `blob-verification-selector` ``` \ No newline at end of file From 10099bffefaf849828d4c63737b1bfab090cc519 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Fri, 8 Dec 2023 13:29:16 -0800 Subject: [PATCH 24/88] Update specs/commandline/verify.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/verify.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index a6e3a6a43..c75d00dda 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -25,7 +25,8 @@ The artifact was signed with the following user metadata. KEY VALUE ``` -NOTE: This command is for verifying OCI artifacts only. Use `notation blob verify` command for verifying arbitrary blobs. +> [!NOTE] +> This command is for verifying OCI artifacts only. Use `notation blob verify` command for verifying arbitrary blobs. ## Outline From dc2d28968ba3f5e2f0f89019eb388e31ff868be5 Mon Sep 17 00:00:00 2001 
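Review bot: In the first blob.md hunk, the shorthand `-sd` for `--signature-directory` is two characters, and pflag/cobra shorthands are single letters, so the flag cannot be implemented as spelled. Either choose a free single letter (`-s` is already `--signature` in the verify flags and `-d` is `--debug` in this same sign flag list) or drop the shorthand and document only the long form.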
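Review bot: In the verify flags hunk, the usage line `notation blob verify [flags] --signature` presents `--signature` as part of the required invocation, but the help text `location of the blob signature file` does not say so; mark it `(required)` the way `--id` is annotated `(required if --plugin is set)` in the sign flags, so generated help and the spec agree.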
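Review bot: The new error text in the media-type hunk, `The blob's media type `application/xyz` and not matching `application/my-media-octet-stream`.`, is not a grammatical sentence; suggest `Error: signature verification failed: blob media type "application/xyz" does not match the expected media type "application/my-media-octet-stream"`. Reporting both the observed and the expected value, as the new line does, is the right shape for a verifier error because an operator can see immediately which side of the comparison is wrong.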
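Review bot: The last blob.md hunk still ends with `\ No newline at end of file`; add the trailing newline so that future edits to the final line do not produce noisy diffs.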
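Review bot: `> [!NOTE]` in the verify.md hunk is GitHub-flavored alert syntax; renderers that do not support it (many static-site generators, pandoc, some editor previews) show a plain blockquote whose first line is the literal text `[!NOTE]`. If these specs are published anywhere other than github.com, keep a `NOTE:` prefix inside the blockquote or confirm the publishing renderer handles alerts. The same applies to the identical change to inspect.md in the next patch.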
From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Fri, 8 Dec 2023 13:29:59 -0800 Subject: [PATCH 25/88] Update specs/commandline/inspect.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/inspect.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/specs/commandline/inspect.md b/specs/commandline/inspect.md index 62c31741d..5dc9b334d 100644 --- a/specs/commandline/inspect.md +++ b/specs/commandline/inspect.md @@ -24,7 +24,8 @@ Upon successful execution, both the digest of the signed artifact and the digest └── ``` -NOTE: This command is for inspecting signatures associated with OCI artifacts only. Use `notation blob inspect` command for inspecting signatures associated with arbitrary blobs. +> [!NOTE] +> This command is for inspecting signatures associated with OCI artifacts only. Use `notation blob inspect` command for inspecting signatures associated with arbitrary blobs. ## Outline From 5c113afc74674b34d452f03d2f38b69fe3c70898 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 8 Dec 2023 13:32:05 -0800 Subject: [PATCH 26/88] fix -sd flag Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 26239a6ab..d99162609 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
@@ -32,7 +32,7 @@ Usage: notation blob sign [flags] Flags: - -sd, --signature-directory string optional path where the blob signature needs to be placed (default: currently working directory) + -d, --signature-directory string optional path where the blob signature needs to be placed (default: currently working directory) --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag From 2b533cf66485de749292943c27a69c47159698f3 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 28 Dec 2023 13:49:20 -0800 Subject: [PATCH 27/88] Update specs/commandline/blob.md Co-authored-by: Milind Gokarn Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index d99162609..e91954a27 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
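Review bot: The replacement shorthand `-d` for `--signature-directory` collides with `-d, --debug`, which appears in the same `notation blob sign` flag list (visible in the second hunk of the preceding `fix nits` patch); cobra panics at startup when two flags in one command register the same shorthand. Use a letter that is free in this command or leave the flag long-form only.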
@@ -26,7 +26,7 @@ Flags: ### notation blob sign ```text -Produce a detached signature for a given blob. Signature file will be written to the currently working directory with blob file name + ".sig" + signature format as the file extension. For example, signature file name for "myBlob.bin" will be "myBlob.bin.sig.jws" for JWS signature format or "myBlob.bin.sig.cose" for COSE signature format. +Produce a signature for a given blob. A detached signature file will be written to the currently working directory with blob file name + ".sig" + signature format as the file extension. For example, signature file name for "myBlob.bin" will be "myBlob.bin.sig.jws" for JWS signature format or "myBlob.bin.sig.cose" for COSE signature format. Usage: notation blob sign [flags] From 39ce37369a2305820f9dbcfdd269fee99375891a Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 6 Dec 2023 06:59:11 +0800 Subject: [PATCH 28/88] feat: add notation plugin uninstall command (#842) This PR is based on the spec PR: https://github.com/notaryproject/notation/pull/809. It adds the notation plugin uninstall command. Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- cmd/notation/main.go | 3 +- cmd/notation/plugin/cmd.go | 30 ++++++ cmd/notation/{plugin.go => plugin/list.go} | 13 +-- cmd/notation/plugin/uninstall.go | 107 +++++++++++++++++++++ go.mod | 10 +- go.sum | 20 ++-- internal/osutil/file.go | 4 +- test/e2e/internal/notation/init.go | 37 +++---- test/e2e/run.sh | 5 +- test/e2e/suite/plugin/uninstall.go | 38 ++++++++ 10 files changed, 219 insertions(+), 48 deletions(-) create mode 100644 cmd/notation/plugin/cmd.go rename cmd/notation/{plugin.go => plugin/list.go} (89%) create mode 100644 cmd/notation/plugin/uninstall.go create mode 100644 test/e2e/suite/plugin/uninstall.go diff --git a/cmd/notation/main.go b/cmd/notation/main.go index feb103aa3..f4341da28 100644 --- a/cmd/notation/main.go +++ b/cmd/notation/main.go 
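Review bot: "currently working directory" in the `+` line should read "current working directory". The sentence also states the signature file is always written there, but `--signature-directory` in the flags block below overrides the location; suggest "written to the current working directory unless `--signature-directory` is set, named blob file name + ".sig" + signature format".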
@@ -17,6 +17,7 @@ import ( "os" "github.com/notaryproject/notation/cmd/notation/cert" + "github.com/notaryproject/notation/cmd/notation/plugin" "github.com/notaryproject/notation/cmd/notation/policy" "github.com/spf13/cobra" ) @@ -40,7 +41,7 @@ func main() { cert.Cmd(), policy.Cmd(), keyCommand(), - pluginCommand(), + plugin.Cmd(), loginCommand(nil), logoutCommand(nil), versionCommand(), diff --git a/cmd/notation/plugin/cmd.go b/cmd/notation/plugin/cmd.go new file mode 100644 index 000000000..39e01bcbf --- /dev/null +++ b/cmd/notation/plugin/cmd.go @@ -0,0 +1,30 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package plugin + +import "github.com/spf13/cobra" + +func Cmd() *cobra.Command { + command := &cobra.Command{ + Use: "plugin", + Short: "Manage plugins", + } + + command.AddCommand( + listCommand(), + uninstallCommand(nil), + ) + + return command +} diff --git a/cmd/notation/plugin.go b/cmd/notation/plugin/list.go similarity index 89% rename from cmd/notation/plugin.go rename to cmd/notation/plugin/list.go index be2c2f3ad..e715ac233 100644 --- a/cmd/notation/plugin.go +++ b/cmd/notation/plugin/list.go @@ -11,7 +11,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package main +package plugin import ( "fmt" 
@@ -24,16 +24,7 @@ import ( "github.com/spf13/cobra" ) -func pluginCommand() *cobra.Command { - cmd := &cobra.Command{ - Use: "plugin", - Short: "Manage plugins", - } - cmd.AddCommand(pluginListCommand()) - return cmd -} - -func pluginListCommand() *cobra.Command { +func listCommand() *cobra.Command { return &cobra.Command{ Use: "list [flags]", Aliases: []string{"ls"}, diff --git a/cmd/notation/plugin/uninstall.go b/cmd/notation/plugin/uninstall.go new file mode 100644 index 000000000..d60b77e9f --- /dev/null +++ b/cmd/notation/plugin/uninstall.go 
@@ -0,0 +1,107 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package plugin + +import ( + "context" + "errors" + "fmt" + "os" + + "github.com/notaryproject/notation-go/dir" + "github.com/notaryproject/notation-go/plugin" + "github.com/notaryproject/notation/cmd/notation/internal/cmdutil" + "github.com/notaryproject/notation/internal/cmd" + "github.com/spf13/cobra" +) + +type pluginUninstallOpts struct { + cmd.LoggingFlagOpts + pluginName string + confirmed bool +} + +func uninstallCommand(opts *pluginUninstallOpts) *cobra.Command { + if opts == nil { + opts = &pluginUninstallOpts{} + } + command := &cobra.Command{ + Use: "uninstall [flags] ", + Aliases: []string{"remove", "rm"}, + Short: "Uninstall a plugin", + Long: `Uninstall a plugin + +Example - Uninstall plugin: + notation plugin uninstall wabbit-plugin +`, + Args: func(cmd *cobra.Command, args []string) error { + if len(args) == 0 { + return errors.New("plugin name is required") + } + if len(args) > 1 { + return errors.New("only one plugin can be removed at a time") + } + opts.pluginName = args[0] + return nil + }, + RunE: func(cmd *cobra.Command, args []string) error { + return uninstallPlugin(cmd, opts) + }, + } + + opts.LoggingFlagOpts.ApplyFlags(command.Flags()) + command.Flags().BoolVarP(&opts.confirmed, "yes", "y", false, "do not prompt for confirmation") + return command +} + +func uninstallPlugin(command *cobra.Command, opts *pluginUninstallOpts) 
error { + // set logger + ctx := opts.LoggingFlagOpts.InitializeLogger(command.Context()) + pluginName := opts.pluginName + exist, err := checkPluginExistence(ctx, pluginName) + if err != nil { + return fmt.Errorf("failed to check plugin existence: %w", err) + } + if !exist { + return fmt.Errorf("unable to find plugin %s.\nTo view a list of installed plugins, use `notation plugin list`", pluginName) + } + // core process + prompt := fmt.Sprintf("Are you sure you want to uninstall plugin %q?", pluginName) + confirmed, err := cmdutil.AskForConfirmation(os.Stdin, prompt, opts.confirmed) + if err != nil { + return fmt.Errorf("failed when asking for confirmation: %w", err) + } + if !confirmed { + return nil + } + mgr := plugin.NewCLIManager(dir.PluginFS()) + if err := mgr.Uninstall(ctx, pluginName); err != nil { + return fmt.Errorf("failed to uninstall %s: %w", pluginName, err) + } + fmt.Printf("Successfully uninstalled plugin %s\n", pluginName) + return nil +} + +// checkPluginExistence returns true if plugin exists in the system +func checkPluginExistence(ctx context.Context, pluginName string) (bool, error) { + mgr := plugin.NewCLIManager(dir.PluginFS()) + _, err := mgr.Get(ctx, pluginName) + if err != nil { + if errors.Is(err, os.ErrNotExist) { // plugin does not exist + return false, nil + } + return false, err + } + return true, nil +} diff --git a/go.mod b/go.mod index 5bbb4c412..ce90192e9 100644 --- a/go.mod +++ b/go.mod @@ -4,14 +4,14 @@ go 1.21 require ( github.com/notaryproject/notation-core-go v1.0.1 - github.com/notaryproject/notation-go v1.0.1 + github.com/notaryproject/notation-go v1.0.2-0.20231123031546-5de0d58b21c1 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 - golang.org/x/term v0.13.0 + golang.org/x/term v0.14.0 oras.land/oras-go/v2 v2.3.1 ) 
@@ -25,8 +25,8 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.14.0 // indirect - golang.org/x/mod v0.13.0 // indirect + golang.org/x/crypto v0.15.0 // indirect + golang.org/x/mod v0.14.0 // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.13.0 // indirect + golang.org/x/sys v0.14.0 // indirect ) diff --git a/go.sum b/go.sum index d30a5638e..4f1f59a82 100644 --- a/go.sum +++ b/go.sum @@ -20,8 +20,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= -github.com/notaryproject/notation-go v1.0.1 h1:D3fqG3eaBKVESRySV/Tg//MyTg2Q1nTKPh/t2q9LpSw= -github.com/notaryproject/notation-go v1.0.1/go.mod h1:VonyZsbocRQQNIDq/VPV5jKJOQwDH3gvfK4cXNpUA0U= +github.com/notaryproject/notation-go v1.0.2-0.20231123031546-5de0d58b21c1 h1:TuSZ+3Eu3A/XKucl7J95sDT8XoG6t2dEcIipt6ydAls= +github.com/notaryproject/notation-go v1.0.2-0.20231123031546-5de0d58b21c1/go.mod h1:tSCFsAdKAtB7AfKS/BaUf8AXzASA+9TEokMDEDutqPM= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= 
@@ -51,12 +51,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= -golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -76,15 +76,15 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= +golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= diff --git a/internal/osutil/file.go b/internal/osutil/file.go index 70fdfdf8c..66f1be0fe 100644 --- a/internal/osutil/file.go +++ b/internal/osutil/file.go 
@@ -72,8 +72,8 @@ func CopyToDir(src, dst string) (int64, error) { if err := os.MkdirAll(dst, 0700); err != nil { return 0, err } - certFile := filepath.Join(dst, filepath.Base(src)) - destination, err := os.Create(certFile) + dstFile := filepath.Join(dst, filepath.Base(src)) + destination, err := os.Create(dstFile) if err != nil { return 0, err } diff --git a/test/e2e/internal/notation/init.go b/test/e2e/internal/notation/init.go index f323e13b7..2e1659917 100644 --- a/test/e2e/internal/notation/init.go +++ b/test/e2e/internal/notation/init.go @@ -33,17 +33,18 @@ const ( ) const ( - envKeyRegistryHost = "NOTATION_E2E_REGISTRY_HOST" - envKeyRegistryUsername = "NOTATION_E2E_REGISTRY_USERNAME" - envKeyRegistryPassword = "NOTATION_E2E_REGISTRY_PASSWORD" - envKeyDomainRegistryHost = "NOTATION_E2E_DOMAIN_REGISTRY_HOST" - envKeyNotationBinPath = "NOTATION_E2E_BINARY_PATH" - envKeyNotationOldBinPath = "NOTATION_E2E_OLD_BINARY_PATH" - envKeyNotationPluginPath = "NOTATION_E2E_PLUGIN_PATH" - envKeyNotationConfigPath = "NOTATION_E2E_CONFIG_PATH" - envKeyOCILayoutPath = "NOTATION_E2E_OCI_LAYOUT_PATH" - envKeyTestRepo = "NOTATION_E2E_TEST_REPO" - envKeyTestTag = "NOTATION_E2E_TEST_TAG" + envKeyRegistryHost = "NOTATION_E2E_REGISTRY_HOST" + envKeyRegistryUsername = "NOTATION_E2E_REGISTRY_USERNAME" + envKeyRegistryPassword = "NOTATION_E2E_REGISTRY_PASSWORD" + envKeyDomainRegistryHost = "NOTATION_E2E_DOMAIN_REGISTRY_HOST" + envKeyNotationBinPath = "NOTATION_E2E_BINARY_PATH" + envKeyNotationOldBinPath = "NOTATION_E2E_OLD_BINARY_PATH" + envKeyNotationPluginPath = "NOTATION_E2E_PLUGIN_PATH" + envKeyNotationPluginTarGzPath = "NOTATION_E2E_PLUGIN_TAR_GZ_PATH" + envKeyNotationConfigPath = "NOTATION_E2E_CONFIG_PATH" + envKeyOCILayoutPath = "NOTATION_E2E_OCI_LAYOUT_PATH" + envKeyTestRepo = "NOTATION_E2E_TEST_REPO" + envKeyTestTag = "NOTATION_E2E_TEST_TAG" ) var ( 
@@ -51,12 +52,13 @@ var ( NotationBinPath string // NotationOldBinPath is the path of an old version notation binary for // testing forward compatibility. - NotationOldBinPath string - NotationE2EPluginPath string - NotationE2EConfigPath string - NotationE2ELocalKeysDir string - NotationE2ETrustPolicyDir string - NotationE2EConfigJsonDir string + NotationOldBinPath string + NotationE2EPluginPath string + NotationE2EPluginTarGzPath string + NotationE2EConfigPath string + NotationE2ELocalKeysDir string + NotationE2ETrustPolicyDir string + NotationE2EConfigJsonDir string ) var ( @@ -90,6 +92,7 @@ func setUpNotationValues() { // set Notation e2e-plugin path setPathValue(envKeyNotationPluginPath, &NotationE2EPluginPath) + setPathValue(envKeyNotationPluginTarGzPath, &NotationE2EPluginTarGzPath) // set Notation configuration paths setPathValue(envKeyNotationConfigPath, &NotationE2EConfigPath) diff --git a/test/e2e/run.sh b/test/e2e/run.sh index 7d053aa89..6365793ea 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -71,9 +71,9 @@ fi # install dependency go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.5 -# build e2e plugin +# build e2e plugin and tar.gz PLUGIN_NAME=e2e-plugin -( cd $CWD/plugin && go build -o ./bin/$PLUGIN_NAME . && echo "e2e plugin built." ) +( cd $CWD/plugin && go build -o ./bin/$PLUGIN_NAME . && echo "e2e plugin built." && tar --transform="flags=r;s|$PLUGIN_NAME|notation-$PLUGIN_NAME|" -czvf ./bin/$PLUGIN_NAME.tar.gz -C ./bin/ $PLUGIN_NAME) # setup registry case $REGISTRY_NAME in @@ -107,6 +107,7 @@ export NOTATION_E2E_OCI_LAYOUT_PATH=$CWD/testdata/registry/oci_layout export NOTATION_E2E_TEST_REPO=e2e export NOTATION_E2E_TEST_TAG=v1 export NOTATION_E2E_PLUGIN_PATH=$CWD/plugin/bin/$PLUGIN_NAME +export NOTATION_E2E_PLUGIN_TAR_GZ_PATH=$CWD/plugin/bin/$PLUGIN_NAME.tar.gz # run tests ginkgo -r -p -v \ No newline at end of file 
diff --git a/test/e2e/suite/plugin/uninstall.go b/test/e2e/suite/plugin/uninstall.go new file mode 100644 index 000000000..7a4b26ee5 --- /dev/null +++ b/test/e2e/suite/plugin/uninstall.go @@ -0,0 +1,38 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package plugin + +import ( + . "github.com/notaryproject/notation/test/e2e/internal/notation" + "github.com/notaryproject/notation/test/e2e/internal/utils" + . "github.com/onsi/ginkgo/v2" +) + +var _ = Describe("notation plugin uninstall", func() { + It("with valid plugin name", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + vhost.SetOption(AddPlugin(NotationE2EPluginPath)) + notation.Exec("plugin", "uninstall", "--yes", "e2e-plugin"). + MatchContent("Successfully uninstalled plugin e2e-plugin\n") + }) + }) + + It("with plugin does not exist", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "uninstall", "--yes", "non-exist"). + MatchErrContent("Error: unable to find plugin non-exist.\nTo view a list of installed plugins, use `notation plugin list`\n") + }) + }) + +}) From dca3df7a7b06045083e4a9567dc9dd552c589bec Mon Sep 17 00:00:00 2001 From: Yi Zha Date: Fri, 8 Dec 2023 07:52:52 +0800 Subject: [PATCH 29/88] chore: update references with the tag version (#836) Resolve #456 Signed-off-by: Yi Zha Signed-off-by: Yi Zha 
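Review bot: In the uninstall.go hunk, `opts.pluginName` is taken verbatim from `args[0]` and passed to `mgr.Get` and `mgr.Uninstall`, both backed by `dir.PluginFS()`; nothing in `Args` rejects names containing path separators or `..`, so whether such a name can resolve outside the plugin directory depends entirely on notation-go's validation. Please either confirm that `CLIManager.Get`/`Uninstall` validate the name before building a path, or add an explicit check in `Args` (reject `/`, `\` and `..`) so the CLI does not rely on the library for that invariant. Two smaller points in the same hunk: `checkPluginExistence` and `uninstallPlugin` each build their own `plugin.NewCLIManager(dir.PluginFS())`, so create it once and pass it in; and the not-found branch depends on `mgr.Get` returning an error satisfying `errors.Is(err, os.ErrNotExist)`, which deserves a unit test with an empty plugin directory so a change in notation-go's error wrapping does not silently turn "not installed" into "failed to check plugin existence".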
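Review bot: go.mod pins `github.com/notaryproject/notation-go` to the pseudo-version `v1.0.2-0.20231123031546-5de0d58b21c1`, an untagged commit; acceptable on a feature branch, but before merge this should move to a tagged release so the dependency is reviewable and reproducible from a release artifact. The x/term, x/crypto, x/mod and x/sys bumps in the same go.mod and go.sum hunks are unrelated to the uninstall feature and would be easier to audit as their own commit.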
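Review bot: The `certFile` to `dstFile` rename in `CopyToDir` is appropriate now that the helper is no longer certificate-specific, but note in the same hunk that `os.Create(dstFile)` creates the file with mode 0666 before umask inside a directory that was just created with 0700; if this helper is used to copy plugin executables, the copied binary's permissions depend on the caller's umask rather than on the code, and `os.OpenFile` with an explicit mode would make them deterministic.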
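Review bot: In the run.sh hunk, `tar --transform="flags=r;s|$PLUGIN_NAME|notation-$PLUGIN_NAME|"` is a GNU tar extension, so the e2e build step fails on macOS/BSD tar; either document that GNU tar is required or copy the binary under its `notation-` name into a temporary directory and tar that portably. `$CWD` and `$PLUGIN_NAME` are also unquoted in the new command line; quoting them keeps the script correct for checkout paths containing spaces.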
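Review bot: Both e2e cases in test/e2e/suite/plugin/uninstall.go pass `--yes`, so the interactive confirmation path in `uninstallPlugin` (prompt, user declines, return nil without removing anything) is never exercised; add a case that answers `n` on stdin and asserts the plugin is still listed afterwards, and a case that runs `plugin uninstall` with no argument to cover the `plugin name is required` branch.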
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/plugin.md | 2 +- specs/commandline/sign.md | 2 +- specs/commandline/verify.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/specs/commandline/plugin.md b/specs/commandline/plugin.md index 9cfdea42e..14d5399ae 100644 --- a/specs/commandline/plugin.md +++ b/specs/commandline/plugin.md @@ -2,7 +2,7 @@ ## Description -Use `notation plugin` to manage plugins. See notation [plugin documentation](https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details. The `notation plugin` command by itself performs no action. In order to manage notation plugins, one of the subcommands must be used. +Use `notation plugin` to manage plugins. See notation [plugin documentation](https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/plugin-extensibility.md) for more details. The `notation plugin` command by itself performs no action. In order to manage notation plugins, one of the subcommands must be used. ## Outline diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index f62105f14..1bb445797 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -65,7 +65,7 @@ Notation uses [OCI image manifest][oci-image-spec] to store signatures in regist ```shell # Prerequisites: -# - A signing plugin is installed. See plugin documentation (https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details. +# - A signing plugin is installed. See plugin documentation (https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/plugin-extensibility.md) for more details. # - Configure the signing plugin as instructed by plugin vendor. # Add a default signing key referencing the remote key identifier, and the plugin associated with it. diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index c75d00dda..23ddfb46b 100644 
--- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -109,7 +109,7 @@ Example values on trust policy properties: | trustedIdentities | "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Finance, CN=SecureBuilder" | User only trusts the identity with specific subject. User can use `notation certificate show` command to get the `subject` info. | | trustedIdentities | "*" | User trusts any identity (signing certificate) issued by the CA(s) in trust stores. | -User can configure multiple trust policies for different scenarios. See [Trust Policy Schema and properties](https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#trust-policy) for details. +User can configure multiple trust policies for different scenarios. See [Trust Policy Schema and properties](https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy) for details. ### Verify signatures on an OCI artifact stored in a registry From 78ea8a70cc3383dd252d46e2c86cc1ab620a4125 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 01:42:43 +0000 Subject: [PATCH 30/88] build(deps): Bump golang.org/x/term from 0.13.0 to 0.15.0 (#843) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index ce90192e9..704b0690e 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 - golang.org/x/term v0.14.0 + golang.org/x/term v0.15.0 oras.land/oras-go/v2 v2.3.1 ) @@ -28,5 +28,5 @@ require ( golang.org/x/crypto v0.15.0 // indirect golang.org/x/mod v0.14.0 // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.14.0 // indirect + golang.org/x/sys v0.15.0 // indirect ) 
diff --git a/go.sum b/go.sum index 4f1f59a82..768da42a0 100644 --- a/go.sum +++ b/go.sum @@ -76,15 +76,15 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= -golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= -golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= From 699f7ed4cc367fac8493b1d805e69b1a9406bc90 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 03:32:56 +0000 Subject: [PATCH 31/88] build(deps): Bump actions/setup-go from 4.1.0 to 5.0.0 (#845) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/release-github.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a42470d77..0bbbdc15b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,7 +31,7 @@ jobs: fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ matrix.go-version }} check-latest: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e37b2c66f..d03202f78 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,7 +44,7 @@ jobs: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Go ${{ matrix.go-version }} environment - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ matrix.go-version }} check-latest: true diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 0b173fd88..6bb5fd097 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -33,7 +33,7 @@ jobs: fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ matrix.go-version }} check-latest: true 
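Review bot: all three `uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0` lines pin by full commit SHA, which is the right pattern, but the `# v5.0.0` comment is informational only and nothing in the workflow checks it; confirm before merge that that SHA actually resolves to the v5.0.0 tag. This is also a major-version change of the action (v4.1.0 to v5.0.0), so read its release notes for behaviour changes (caching, Node runtime) instead of treating it as a routine pin refresh.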
From f267a4cf3977245792e7d3a59b4c3b54f4ed75c2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 03:33:18 +0000 Subject: [PATCH 32/88] build(deps): Bump github/codeql-action from 2.22.7 to 2.22.9 (#846) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d03202f78..bdd5cf5da 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 + uses: github/codeql-action/init@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 + uses: github/codeql-action/analyze@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 12a0edd58..add9244f9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 + uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 with: sarif_file: results.sarif From 403423e5dd173b7fadb5d91674faad9f688f87b3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:33:38 +0000 Subject: [PATCH 33/88] build(deps): Bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#850) 
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 704b0690e..e07ef8126 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.15.0 // indirect + golang.org/x/crypto v0.17.0 // indirect golang.org/x/mod v0.14.0 // indirect golang.org/x/sync v0.4.0 // indirect golang.org/x/sys v0.15.0 // indirect diff --git a/go.sum b/go.sum index 768da42a0..acfed5966 100644 --- a/go.sum +++ b/go.sum @@ -51,8 +51,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= -golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= From 97624b64a0d405b082da1d95d9765758e7d961b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:34:07 +0000 Subject: [PATCH 34/88] build(deps): Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/e2e/plugin (#849) 
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- test/e2e/plugin/go.mod | 2 +- test/e2e/plugin/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 2a544e1b5..c39c68584 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -22,7 +22,7 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.14.0 // indirect + golang.org/x/crypto v0.17.0 // indirect golang.org/x/mod v0.13.0 // indirect golang.org/x/sync v0.4.0 // indirect oras.land/oras-go/v2 v2.3.1 // indirect diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index 89a136b50..db5dc77e5 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum @@ -48,8 +48,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= From 9ef19897e108c41dc2c23c7192260ae471f541fb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:34:36 +0000 Subject: [PATCH 35/88] build(deps): Bump github/codeql-action from 2.22.9 to 3.22.11 (#847) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bdd5cf5da..bd0bd5430 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 + uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 + uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index add9244f9..6702fbb2f 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 + uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 with: sarif_file: results.sarif From 58bf3a0ef27d0bd9a2f62b95db24ee2071a90b7b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:34:53 +0000 Subject: [PATCH 36/88] build(deps): Bump actions/upload-artifact from 3.1.3 to 4.0.0 (#848) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6702fbb2f..657a1b28c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -54,7 +54,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # tag=v3.1.3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # tag=v4.0.0 with: name: SARIF file path: results.sarif From c9354be0932172d6b55c9aa13556d035ba455fba Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 21 Dec 2023 15:57:06 +0800 Subject: [PATCH 37/88] feat: notation plugin install command (#827) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- cmd/notation/internal/plugin/plugin.go | 85 +++++++ cmd/notation/plugin/cmd.go | 1 + cmd/notation/plugin/install.go | 315 +++++++++++++++++++++++++ cmd/notation/registry.go | 25 +- go.mod | 2 +- go.sum | 4 +- internal/httputil/client.go | 35 +++ internal/osutil/file.go | 67 ++++++ internal/osutil/file_test.go | 15 +- internal/osutil/testdata/test | 0 internal/trace/transport.go | 17 ++ specs/commandline/plugin.md | 6 +- test/e2e/run.sh | 4 +- test/e2e/suite/plugin/install.go | 124 ++++++++++ 14 files changed, 666 insertions(+), 34 deletions(-) create mode 100644 cmd/notation/internal/plugin/plugin.go create mode 100644 cmd/notation/plugin/install.go create mode 100644 internal/httputil/client.go create mode 100644 internal/osutil/testdata/test create mode 100644 test/e2e/suite/plugin/install.go diff --git a/cmd/notation/internal/plugin/plugin.go b/cmd/notation/internal/plugin/plugin.go new file mode 100644 index 000000000..e06f57c18 --- /dev/null +++ b/cmd/notation/internal/plugin/plugin.go 
@@ -0,0 +1,85 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package plugin + +import ( + "context" + "fmt" + "io" + "net/http" + "time" + + "github.com/notaryproject/notation/internal/httputil" +) + +// MaxPluginSourceBytes specifies the limit on how many bytes are allowed in the +// server's response to the download from URL request. +// +// The plugin source size must be strictly less than this value. +var MaxPluginSourceBytes int64 = 256 * 1024 * 1024 // 256 MiB + +// PluginSourceType is an enum for plugin source +type PluginSourceType int + +const ( + // PluginSourceTypeFile means plugin source is file + PluginSourceTypeFile PluginSourceType = 1 + iota + + // PluginSourceTypeURL means plugin source is URL + PluginSourceTypeURL +) + +const ( + // MediaTypeZip means plugin file is zip + MediaTypeZip = "application/zip" + + // MediaTypeGzip means plugin file is gzip + MediaTypeGzip = "application/x-gzip" +) + +// DownloadPluginFromURLTimeout is the timeout when downloading plugin from a +// URL +const DownloadPluginFromURLTimeout = 10 * time.Minute + +// DownloadPluginFromURL downloads plugin file from url to a tmp directory +func DownloadPluginFromURL(ctx context.Context, pluginURL string, tmpFile io.Writer) error { + // Get the data + client := httputil.NewAuthClient(ctx, &http.Client{Timeout: DownloadPluginFromURLTimeout}) + req, err := http.NewRequest(http.MethodGet, pluginURL, nil) + if err != nil { + 
return err + } + resp, err := client.Do(req) + if err != nil { + return err + } + defer resp.Body.Close() + // Check server response + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("%s %q: https response bad status: %s", resp.Request.Method, resp.Request.URL, resp.Status) + } + // Write the body to file + lr := &io.LimitedReader{ + R: resp.Body, + N: MaxPluginSourceBytes, + } + _, err = io.Copy(tmpFile, lr) + if err != nil { + return err + } + if lr.N == 0 { + return fmt.Errorf("%s %q: https response reaches the %d MiB size limit", resp.Request.Method, resp.Request.URL, MaxPluginSourceBytes) + } + return nil +} diff --git a/cmd/notation/plugin/cmd.go b/cmd/notation/plugin/cmd.go index 39e01bcbf..98c494b8f 100644 --- a/cmd/notation/plugin/cmd.go +++ b/cmd/notation/plugin/cmd.go @@ -23,6 +23,7 @@ func Cmd() *cobra.Command { command.AddCommand( listCommand(), + installCommand(nil), uninstallCommand(nil), ) diff --git a/cmd/notation/plugin/install.go b/cmd/notation/plugin/install.go new file mode 100644 index 000000000..2dfed9093 --- /dev/null +++ b/cmd/notation/plugin/install.go 
@@ -0,0 +1,315 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package plugin + +import ( + "archive/tar" + "archive/zip" + "compress/gzip" + "context" + "errors" + "fmt" + "io" + "io/fs" + "net/url" + "os" + "path/filepath" + "strings" + + "github.com/notaryproject/notation-go/dir" + "github.com/notaryproject/notation-go/log" + "github.com/notaryproject/notation-go/plugin" + notationplugin "github.com/notaryproject/notation/cmd/notation/internal/plugin" + "github.com/notaryproject/notation/internal/cmd" + "github.com/notaryproject/notation/internal/osutil" + "github.com/spf13/cobra" +) + +const ( + notationPluginTmpDir = "notation-plugin" + notationPluginDownloadTmpFile = "notation-plugin-download" +) + +type pluginInstallOpts struct { + cmd.LoggingFlagOpts + pluginSourceType notationplugin.PluginSourceType + pluginSource string + inputChecksum string + isFile bool + isURL bool + force bool +} + +func installCommand(opts *pluginInstallOpts) *cobra.Command { + if opts == nil { + opts = &pluginInstallOpts{} + } + command := &cobra.Command{ + Use: "install [flags] <--file|--url> ", + Aliases: []string{"add"}, + Short: "Install plugin", + Long: `Install a plugin + +Example - Install plugin from file system: + notation plugin install --file wabbit-plugin-v1.0.zip + +Example - Install plugin from file system with user input SHA256 checksum: + notation plugin install --file wabbit-plugin-v1.0.zip --sha256sum 
113062a462674a0e35cb5cad75a0bb2ea16e9537025531c0fd705018fcdbc17e + +Example - Install plugin from file system regardless if it's already installed: + notation plugin install --file wabbit-plugin-v1.0.zip --force + +Example - Install plugin from file system with .tar.gz: + notation plugin install --file wabbit-plugin-v1.0.tar.gz + +Example - Install plugin from URL, SHA256 checksum is required: + notation plugin install --url https://wabbit-networks.com/intaller/linux/amd64/wabbit-plugin-v1.0.tar.gz --sha256sum f8a75d9234db90069d9eb5660e5374820edf36d710bd063f4ef81e7063d3810b +`, + Args: func(cmd *cobra.Command, args []string) error { + if len(args) == 0 { + switch { + case opts.isFile: + return errors.New("missing plugin file path") + case opts.isURL: + return errors.New("missing plugin URL") + } + return errors.New("missing plugin source") + } + if len(args) > 1 { + return fmt.Errorf("can only insall one plugin at a time, but got %v", args) + } + opts.pluginSource = args[0] + return nil + }, + RunE: func(cmd *cobra.Command, args []string) error { + switch { + case opts.isFile: + opts.pluginSourceType = notationplugin.PluginSourceTypeFile + case opts.isURL: + opts.pluginSourceType = notationplugin.PluginSourceTypeURL + } + return install(cmd, opts) + }, + } + opts.LoggingFlagOpts.ApplyFlags(command.Flags()) + command.Flags().BoolVar(&opts.isFile, "file", false, "install plugin from a file in file system") + command.Flags().BoolVar(&opts.isURL, "url", false, "install plugin from an HTTPS URL. 
The timeout of the download HTTPS request is set to 10 minutes") + command.Flags().StringVar(&opts.inputChecksum, "sha256sum", "", "must match SHA256 of the plugin source, required when \"--url\" flag is set") + command.Flags().BoolVar(&opts.force, "force", false, "force the installation of the plugin") + command.MarkFlagsMutuallyExclusive("file", "url") + command.MarkFlagsOneRequired("file", "url") + return command +} + +func install(command *cobra.Command, opts *pluginInstallOpts) error { + // set log level + ctx := opts.LoggingFlagOpts.InitializeLogger(command.Context()) + // core process + switch opts.pluginSourceType { + case notationplugin.PluginSourceTypeFile: + if err := installPlugin(ctx, opts.pluginSource, opts.inputChecksum, opts.force); err != nil { + return fmt.Errorf("plugin installation failed: %w", err) + } + return nil + case notationplugin.PluginSourceTypeURL: + if opts.inputChecksum == "" { + return errors.New("installing from URL requires non-empty SHA256 checksum of the plugin source") + } + pluginURL, err := url.Parse(opts.pluginSource) + if err != nil { + return fmt.Errorf("failed to parse plugin download URL %s with error: %w", pluginURL, err) + } + if pluginURL.Scheme != "https" { + return fmt.Errorf("failed to download plugin from URL: only the HTTPS scheme is supported, but got %s", pluginURL.Scheme) + } + tmpFile, err := os.CreateTemp("", notationPluginDownloadTmpFile) + if err != nil { + return fmt.Errorf("failed to create notationPluginDownloadTmpFile: %w", err) + } + defer os.Remove(tmpFile.Name()) + defer tmpFile.Close() + fmt.Printf("Downloading plugin from %s\n", opts.pluginSource) + err = notationplugin.DownloadPluginFromURL(ctx, opts.pluginSource, tmpFile) + if err != nil { + return fmt.Errorf("failed to download plugin from URL %s with error: %w", opts.pluginSource, err) + } + fmt.Println("Download completed") + if err := installPlugin(ctx, tmpFile.Name(), opts.inputChecksum, opts.force); err != nil { + return fmt.Errorf("plugin 
installation failed: %w", err) + } + return nil + default: + return errors.New("plugin installation failed: unknown plugin source type") + } +} + +// installPlugin installs the plugin given plugin source path +func installPlugin(ctx context.Context, inputPath string, inputChecksum string, force bool) error { + // sanity check + inputFileStat, err := os.Stat(inputPath) + if err != nil { + return err + } + if !inputFileStat.Mode().IsRegular() { + return fmt.Errorf("%s is not a valid file", inputPath) + } + // checksum check + if inputChecksum != "" { + if err := osutil.ValidateSHA256Sum(inputPath, inputChecksum); err != nil { + return err + } + } + // install the plugin based on file type + fileType, err := osutil.DetectFileType(inputPath) + if err != nil { + return err + } + switch fileType { + case notationplugin.MediaTypeZip: + rc, err := zip.OpenReader(inputPath) + if err != nil { + return err + } + defer rc.Close() + return installPluginFromFS(ctx, rc, force) + case notationplugin.MediaTypeGzip: + // when file is gzip, required to be tar + return installPluginFromTarGz(ctx, inputPath, force) + default: + // input file is not in zip or gzip, try install directly + installOpts := plugin.CLIInstallOptions{ + PluginPath: inputPath, + Overwrite: force, + } + return installPluginWithOptions(ctx, installOpts) + } +} + +// installPluginFromFS extracts, validates and installs the plugin files +// from a fs.FS +// +// Note: zip.ReadCloser implments fs.FS +func installPluginFromFS(ctx context.Context, pluginFs fs.FS, force bool) error { + // set up logger + logger := log.GetLogger(ctx) + root := "." 
+ // extracting all regular files from root into tmpDir + tmpDir, err := os.MkdirTemp("", notationPluginTmpDir) + if err != nil { + return fmt.Errorf("failed to create notationPluginTmpDir: %w", err) + } + defer os.RemoveAll(tmpDir) + if err := fs.WalkDir(pluginFs, root, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + fName := d.Name() + if d.IsDir() && fName != root { // skip any dir in the fs except root + return fs.SkipDir + } + info, err := d.Info() + if err != nil { + return err + } + // only accept regular files. + // it is required by github-advanced-security to check for `..` in fName + if !info.Mode().IsRegular() || strings.Contains(fName, "..") { + return nil + } + logger.Debugf("Extracting file %s...", fName) + rc, err := pluginFs.Open(path) + if err != nil { + return err + } + defer rc.Close() + tmpFilePath := filepath.Join(tmpDir, fName) + return osutil.CopyFromReaderToDir(rc, tmpFilePath, info.Mode()) + }); err != nil { + return err + } + // install core process + installOpts := plugin.CLIInstallOptions{ + PluginPath: tmpDir, + Overwrite: force, + } + return installPluginWithOptions(ctx, installOpts) +} + +// installPluginFromTarGz extracts and untar a plugin tar.gz file, validates and +// installs the plugin +func installPluginFromTarGz(ctx context.Context, tarGzPath string, force bool) error { + logger := log.GetLogger(ctx) + rc, err := os.Open(tarGzPath) + if err != nil { + return err + } + defer rc.Close() + decompressedStream, err := gzip.NewReader(rc) + if err != nil { + return err + } + defer decompressedStream.Close() + tarReader := tar.NewReader(decompressedStream) + // extracting all regular files into tmpDir + tmpDir, err := os.MkdirTemp("", notationPluginTmpDir) + if err != nil { + return fmt.Errorf("failed to create notationPluginTmpDir: %w", err) + } + defer os.RemoveAll(tmpDir) + for { + header, err := tarReader.Next() + if err != nil { + if err == io.EOF { + break + } + return err + } + // only 
accept regular files. + // it is required by github-advanced-security to check for `..` in fName + if !header.FileInfo().Mode().IsRegular() || strings.Contains(header.Name, "..") { + continue + } + fName := filepath.Base(header.Name) + logger.Debugf("Extracting file %s...", fName) + tmpFilePath := filepath.Join(tmpDir, fName) + if err := osutil.CopyFromReaderToDir(tarReader, tmpFilePath, header.FileInfo().Mode()); err != nil { + return err + } + } + // install core process + installOpts := plugin.CLIInstallOptions{ + PluginPath: tmpDir, + Overwrite: force, + } + return installPluginWithOptions(ctx, installOpts) +} + +// installPluginWithOptions installs plugin with CLIInstallOptions +func installPluginWithOptions(ctx context.Context, opts plugin.CLIInstallOptions) error { + mgr := plugin.NewCLIManager(dir.PluginFS()) + existingPluginMetadata, newPluginMetadata, err := mgr.Install(ctx, opts) + if err != nil { + var errPluginDowngrade plugin.PluginDowngradeError + if errors.As(err, &errPluginDowngrade) { + return fmt.Errorf("%w.\nIt is not recommended to install an older version. To force the installation, use the \"--force\" option", errPluginDowngrade) + } + return err + } + if existingPluginMetadata != nil { + fmt.Printf("Succussefully installed plugin %s, updated the version from %s to %s\n", newPluginMetadata.Name, existingPluginMetadata.Version, newPluginMetadata.Version) + } else { + fmt.Printf("Succussefully installed plugin %s, version %s\n", newPluginMetadata.Name, newPluginMetadata.Version) + } + return nil +} diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index 7ef069f21..fe82b6c6e 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go 
@@ -18,17 +18,14 @@ import ( "errors" "fmt" "net" - "net/http" "github.com/notaryproject/notation-go/log" notationregistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation/cmd/notation/internal/experimental" notationauth "github.com/notaryproject/notation/internal/auth" - "github.com/notaryproject/notation/internal/trace" - "github.com/notaryproject/notation/internal/version" + "github.com/notaryproject/notation/internal/httputil" "github.com/notaryproject/notation/pkg/configutil" credentials "github.com/oras-project/oras-credentials-go" - "github.com/sirupsen/logrus" "oras.land/oras-go/v2/registry" "oras.land/oras-go/v2/registry/remote" "oras.land/oras-go/v2/registry/remote/auth" @@ -122,19 +119,6 @@ func getRegistryLoginClient(ctx context.Context, opts *SecureFlagOpts, serverAdd return reg, nil } -func setHttpDebugLog(ctx context.Context, authClient *auth.Client) { - if logrusLog, ok := log.GetLogger(ctx).(*logrus.Logger); ok && logrusLog.Level != logrus.DebugLevel { - return - } - if authClient.Client == nil { - authClient.Client = http.DefaultClient - } - if authClient.Client.Transport == nil { - authClient.Client.Transport = http.DefaultTransport - } - authClient.Client.Transport = trace.NewTransport(authClient.Client.Transport) -} - // getAuthClient returns an *auth.Client and a bool indicating if the registry // is insecure. // @@ -157,12 +141,7 @@ func getAuthClient(ctx context.Context, opts *SecureFlagOpts, ref registry.Refer } // build authClient - authClient := &auth.Client{ - Cache: auth.NewCache(), - ClientID: "notation", - } - authClient.SetUserAgent("notation/" + version.GetVersion()) - setHttpDebugLog(ctx, authClient) + authClient := httputil.NewAuthClient(ctx, nil) if !withCredential { return authClient, insecureRegistry, nil } diff --git a/go.mod b/go.mod index e07ef8126..9759d13ff 100644 --- a/go.mod +++ b/go.mod 
@@ -4,7 +4,7 @@ go 1.21 require ( github.com/notaryproject/notation-core-go v1.0.1 - github.com/notaryproject/notation-go v1.0.2-0.20231123031546-5de0d58b21c1 + github.com/notaryproject/notation-go v1.0.2-0.20231218132318-85a5bb9826c6 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 diff --git a/go.sum b/go.sum index acfed5966..72cf4c8e0 100644 --- a/go.sum +++ b/go.sum @@ -20,8 +20,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= -github.com/notaryproject/notation-go v1.0.2-0.20231123031546-5de0d58b21c1 h1:TuSZ+3Eu3A/XKucl7J95sDT8XoG6t2dEcIipt6ydAls= -github.com/notaryproject/notation-go v1.0.2-0.20231123031546-5de0d58b21c1/go.mod h1:tSCFsAdKAtB7AfKS/BaUf8AXzASA+9TEokMDEDutqPM= +github.com/notaryproject/notation-go v1.0.2-0.20231218132318-85a5bb9826c6 h1:9YgUKLuNU8eNlv2H696aBQzW8CtSjevRgbMGld59wrY= +github.com/notaryproject/notation-go v1.0.2-0.20231218132318-85a5bb9826c6/go.mod h1:nqDueF9YCCX0u41Eec7aGJEXgGdM0a3KD79wqhCnxq0= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= diff --git a/internal/httputil/client.go b/internal/httputil/client.go new file mode 100644 index 000000000..ee0324ed5 --- /dev/null +++ b/internal/httputil/client.go 
@@ -0,0 +1,35 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package httputil + +import ( + "context" + "net/http" + + "github.com/notaryproject/notation/internal/trace" + "github.com/notaryproject/notation/internal/version" + "oras.land/oras-go/v2/registry/remote/auth" +) + +// NewAuthClient returns an *auth.Client +func NewAuthClient(ctx context.Context, httpClient *http.Client) *auth.Client { + client := &auth.Client{ + Client: httpClient, + Cache: auth.NewCache(), + ClientID: "notation", + } + client.SetUserAgent("notation/" + version.GetVersion()) + trace.SetHTTPDebugLog(ctx, client) + return client +} diff --git a/internal/osutil/file.go b/internal/osutil/file.go index 66f1be0fe..d2de17ce5 100644 --- a/internal/osutil/file.go +++ b/internal/osutil/file.go @@ -14,13 +14,21 @@ package osutil import ( + "crypto/sha256" + "encoding/hex" "fmt" "io" "io/fs" + "net/http" "os" "path/filepath" + "strings" ) +// MaxFileBytes is the maximum file bytes. +// When used, the value should strictly less than this number. +var MaxFileBytes int64 = 256 * 1024 * 1024 // 256 MiB + // WriteFile writes to a path with all parent directories created. func WriteFile(path string, data []byte) error { if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil { 
@@ -94,3 +102,62 @@ func IsRegularFile(path string) (bool, error) { return fileStat.Mode().IsRegular(), nil } + +// CopyFromReaderToDir copies file from src to dst where dst is the destination +// file path. The file size must be less than 256 MiB. +func CopyFromReaderToDir(src io.Reader, dst string, perm fs.FileMode) error { + dstFile, err := os.Create(dst) + if err != nil { + return err + } + lr := &io.LimitedReader{ + R: src, + N: MaxFileBytes, + } + if _, err := io.Copy(dstFile, lr); err != nil || lr.N == 0 { + _ = dstFile.Close() + if err != nil { + return err + } + return fmt.Errorf("file reaches the %d MiB size limit", MaxFileBytes) + } + if err := dstFile.Chmod(perm); err != nil { + _ = dstFile.Close() + return err + } + return dstFile.Close() +} + +// DetectFileType returns a file's content type given path +func DetectFileType(path string) (string, error) { + rc, err := os.Open(path) + if err != nil { + return "", err + } + defer rc.Close() + lr := io.LimitReader(rc, 512) + header, err := io.ReadAll(lr) + if err != nil { + return "", err + } + return http.DetectContentType(header), nil +} + +// ValidateSHA256Sum returns nil if SHA256 of file at path equals to checksum. +func ValidateSHA256Sum(path string, checksum string) error { + rc, err := os.Open(path) + if err != nil { + return err + } + defer rc.Close() + sha256Hash := sha256.New() + if _, err := io.Copy(sha256Hash, rc); err != nil { + return err + } + sha256sum := sha256Hash.Sum(nil) + enc := hex.EncodeToString(sha256sum[:]) + if !strings.EqualFold(enc, checksum) { + return fmt.Errorf("plugin checksum does not match user input. Expecting %s", checksum) + } + return nil +} diff --git a/internal/osutil/file_test.go b/internal/osutil/file_test.go index 6bd70e541..fdf9dd331 100644 --- a/internal/osutil/file_test.go +++ b/internal/osutil/file_test.go @@ -15,7 +15,6 @@ package osutil import ( "bytes" - "io/ioutil" "os" "path/filepath" "runtime" 
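Review bot: in `CopyFromReaderToDir` (internal/osutil/file.go), `dstFile.Chmod(perm)` applies the caller's full mode, and both callers in install.go pass the mode straight from the archive entry (`info.Mode()` for zip, `header.FileInfo().Mode()` for tar.gz); on Unix `Chmod` honours ModeSetuid, ModeSetgid and ModeSticky, so a crafted plugin archive can set those bits on the extracted file. Mask to permission bits first, e.g. `perm.Perm()` or a fixed 0755 for the executable. The size-limit error `fmt.Errorf("file reaches the %d MiB size limit", MaxFileBytes)` prints the byte count (268435456) labelled as MiB; divide by 1024*1024 or say "bytes". Minor: the name says `ToDir` but `dst` is a file path, and `ValidateSHA256Sum` accepts any string as `checksum`, so an input like `abcd123` (as used in `TestValidateChecksum`) is reported as a mismatch rather than as an invalid SHA-256; a 64-hex-character check up front would give a clearer error.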
@@ -23,11 +22,11 @@ import ( ) func validFileContent(t *testing.T, filename string, content []byte) { - b, err := ioutil.ReadFile(filename) + b, err := os.ReadFile(filename) if err != nil { t.Fatal(err) } - if bytes.Compare(content, b) != 0 { + if !bytes.Equal(content, b) { t.Fatal("file content is not correct") } } @@ -260,3 +259,13 @@ func TestCopyToDir(t *testing.T) { validFileContent(t, filepath.Join(destDir, "file.txt"), data) }) } + +func TestValidateChecksum(t *testing.T) { + expectedErrorMsg := "plugin checksum does not match user input. Expecting abcd123" + if err := ValidateSHA256Sum("./testdata/test", "abcd123"); err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected err %s, got %v", expectedErrorMsg, err) + } + if err := ValidateSHA256Sum("./testdata/test", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"); err != nil { + t.Fatalf("expected nil err, got %v", err) + } +} diff --git a/internal/osutil/testdata/test b/internal/osutil/testdata/test new file mode 100644 index 000000000..e69de29bb diff --git a/internal/trace/transport.go b/internal/trace/transport.go index e75d334d0..86700c692 100644 --- a/internal/trace/transport.go +++ b/internal/trace/transport.go @@ -30,10 +30,13 @@ limitations under the License. package trace import ( + "context" "net/http" "strings" "github.com/notaryproject/notation-go/log" + "github.com/sirupsen/logrus" + "oras.land/oras-go/v2/registry/remote/auth" ) // Transport is an http.RoundTripper that keeps track of the in-flight 
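Review bot: `TestValidateChecksum` only exercises the empty file `./testdata/test` (index e69de29bb is the empty blob, and e3b0c442...b855 is the SHA-256 of empty input), so a regression that hashed nothing would still pass; add a non-empty fixture with a known digest, and a case where the checksum differs only in case to cover the `strings.EqualFold` comparison.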
@@ -82,3 +85,17 @@ func logHeader(header http.Header, e log.Logger) { e.Debugf(" Empty header") } } + +// SetHTTPDebugLog sets up http debug log with logrus.Logger +func SetHTTPDebugLog(ctx context.Context, authClient *auth.Client) { + if logrusLog, ok := log.GetLogger(ctx).(*logrus.Logger); ok && logrusLog.Level != logrus.DebugLevel { + return + } + if authClient.Client == nil { + authClient.Client = http.DefaultClient + } + if authClient.Client.Transport == nil { + authClient.Client.Transport = http.DefaultTransport + } + authClient.Client.Transport = NewTransport(authClient.Client.Transport) +} diff --git a/specs/commandline/plugin.md b/specs/commandline/plugin.md index 14d5399ae..8ab20e54f 100644 --- a/specs/commandline/plugin.md +++ b/specs/commandline/plugin.md @@ -95,7 +95,7 @@ Successfully installed plugin , version If the entered plugin checksum digest doesn't match the published checksum, Notation will return an error message and will not start installation. ```console -Error: failed to install the plugin: plugin checksum does not match user input. Expecting +Error: plugin installation failed: plugin checksum does not match user input. Expecting ``` If the plugin version is higher than the existing plugin, Notation will start installation and overwrite the existing plugin. 
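Review bot: the early return in `SetHTTPDebugLog` is inverted: `if logrusLog, ok := ...(*logrus.Logger); ok && logrusLog.Level != logrus.DebugLevel` only returns for a logrus logger below debug level, so a context without a logrus logger (`!ok`) falls through and installs the tracing transport; the condition should be `!ok || logrusLog.Level != logrus.DebugLevel`. Also, assigning `http.DefaultClient` and then setting its `Transport` mutates the process-wide default client; use a fresh `&http.Client{}` instead.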
@@ -107,13 +107,13 @@ Successfully installed plugin , updated the version from to If the plugin version is equal to the existing plugin, Notation will not start installation and return the following message. Users can use a flag `--force` to skip plugin version check and force the installation. ```console -Error: failed to install the plugin: with version already exists. +Error: plugin installation failed: plugin with version already exists. ``` If the plugin version is lower than the existing plugin, Notation will return an error message and will not start installation. Users can use a flag `--force` to skip plugin version check and force the installation. ```console -Error: failed to install the plugin: . The installing plugin version is lower than the existing plugin version . +Error: failed to install plugin: . The installing plugin version is lower than the existing plugin version . It is not recommended to install an older version. To force the installation, use the "--force" option. ``` ### Install a plugin from URL diff --git a/test/e2e/run.sh b/test/e2e/run.sh index 6365793ea..a3ce61864 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -72,8 +72,8 @@ fi go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.5 # build e2e plugin and tar.gz -PLUGIN_NAME=e2e-plugin -( cd $CWD/plugin && go build -o ./bin/$PLUGIN_NAME . && echo "e2e plugin built." && tar --transform="flags=r;s|$PLUGIN_NAME|notation-$PLUGIN_NAME|" -czvf ./bin/$PLUGIN_NAME.tar.gz -C ./bin/ $PLUGIN_NAME) +PLUGIN_NAME=notation-e2e-plugin +( cd $CWD/plugin && go build -o ./bin/$PLUGIN_NAME . && echo "e2e plugin built." && tar -czvf ./bin/$PLUGIN_NAME.tar.gz -C ./bin/ $PLUGIN_NAME) # setup registry case $REGISTRY_NAME in diff --git a/test/e2e/suite/plugin/install.go b/test/e2e/suite/plugin/install.go new file mode 100644 index 000000000..bd85d0389 --- /dev/null +++ b/test/e2e/suite/plugin/install.go 
@@ -0,0 +1,124 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package plugin + +import ( + . "github.com/notaryproject/notation/test/e2e/internal/notation" + "github.com/notaryproject/notation/test/e2e/internal/utils" + . "github.com/onsi/ginkgo/v2" +) + +const ( + PluginURL = "https://github.com/notaryproject/notation-action/raw/e2e-test-plugin/tests/plugin_binaries/notation-e2e-test-plugin_0.1.0_linux_amd64.tar.gz" + PluginChecksum = "be8d035024d3a96afb4118af32f2e201f126c7254b02f7bcffb3e3149d744fd2" +) + +var _ = Describe("notation plugin install", func() { + It("with missing file or url flag", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "."). + MatchErrContent("Error: at least one of the flags in the group [file url] is required\n") + }) + }) + + It("with both file and url flags are set", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--file", "--url", "."). + MatchErrContent("Error: if any flags in the group [file url] are set none of the others can be; [file url] were all set\n") + }) + }) + + It("with missing plugin source", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install"). 
+ MatchErrContent("Error: missing plugin source\n") + }) + }) + + It("with missing plugin file path", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--file"). + MatchErrContent("Error: missing plugin file path\n") + }) + }) + + It("with missing plugin URL", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--url"). + MatchErrContent("Error: missing plugin URL\n") + }) + }) + + It("with valid plugin file path", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath, "-v"). + MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + }) + }) + + It("with plugin executable file path", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.Exec("plugin", "install", "--file", NotationE2EPluginPath). + MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + }) + }) + + It("with plugin already installed", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath). + MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + + notation.ExpectFailure().Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath). + MatchErrContent("Error: plugin installation failed: plugin e2e-plugin with version 1.0.0 already exists\n") + }) + }) + + It("with plugin already installed but force install", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath, "-v"). 
+ MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + + notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath, "--force"). + MatchContent("Succussefully installed plugin e2e-plugin, updated the version from 1.0.0 to 1.0.0\n") + }) + }) + + It("with valid plugin URL", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.Exec("plugin", "install", "--url", PluginURL, "--sha256sum", PluginChecksum). + MatchKeyWords("Succussefully installed plugin e2e-test-plugin, version 0.1.0\n") + }) + }) + + It("with valid plugin URL but missing checksum", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--url", PluginURL). + MatchErrContent("Error: installing from URL requires non-empty SHA256 checksum of the plugin source\n") + }) + }) + + It("with invalid plugin URL scheme", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--url", "http://invalid", "--sha256sum", "abcd"). + MatchErrContent("Error: failed to download plugin from URL: only the HTTPS scheme is supported, but got http\n") + }) + }) + + It("with invalid plugin URL", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--url", "https://invalid", "--sha256sum", "abcd"). + MatchErrKeyWords("failed to download plugin from URL https://invalid") + }) + }) +}) From e6732c31e152aa0ccd1adb81f6820f5be76c6e17 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Wed, 3 Jan 2024 16:00:41 +0800 Subject: [PATCH 38/88] feat: add notation config environment variable (#821) Feat: - added NOTATION_CONFIG and NOTATION_LIBEXEC environment variables Test: - notation sign with NOTATION_LIBEXEC locally - notation verify with NOTATION_CONFIG locally Resolves #822 
Signed-off-by: Junjie Gao --------- Signed-off-by: Junjie Gao Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- cmd/notation/main.go | 11 +++++++++++ test/e2e/suite/command/verify.go | 22 +++++++++++++++++++++ test/e2e/suite/plugin/sign.go | 34 ++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+) diff --git a/cmd/notation/main.go b/cmd/notation/main.go index f4341da28..8d5be0e74 100644 --- a/cmd/notation/main.go +++ b/cmd/notation/main.go @@ -16,6 +16,7 @@ package main import ( "os" + "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation/cmd/notation/cert" "github.com/notaryproject/notation/cmd/notation/plugin" "github.com/notaryproject/notation/cmd/notation/policy" @@ -32,6 +33,16 @@ func main() { // to avoid leaking credentials os.Unsetenv(defaultUsernameEnv) os.Unsetenv(defaultPasswordEnv) + + // update Notation config directory + if notationConfig := os.Getenv("NOTATION_CONFIG"); notationConfig != "" { + dir.UserConfigDir = notationConfig + } + + // update Notation Libexec directory (for plugins) + if notationLibexec := os.Getenv("NOTATION_LIBEXEC"); notationLibexec != "" { + dir.UserLibexecDir = notationLibexec + } }, } cmd.AddCommand( diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index d8e794948..7df83ee3d 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
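Review bot: the cmd/notation/main.go hunk introduces two user-facing environment variables (`NOTATION_CONFIG`, `NOTATION_LIBEXEC`) but the diffstat shows no spec or documentation change; document them alongside the CLI specs, including that a relative value is resolved against the current working directory and that `NOTATION_LIBEXEC` changes where plugin executables are looked up.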
@@ -155,4 +155,26 @@ var _ = Describe("notation verify", func() { NoMatchErrKeyWords(HTTPSRequest) }) }) + + It("incorrect NOTATION_CONFIG path", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + vhost.UpdateEnv(map[string]string{"NOTATION_CONFIG": "/not/exist"}) + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchErrKeyWords("trust policy is not present") + }) + }) + + It("correct NOTATION_CONFIG path", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + vhost.UpdateEnv(map[string]string{"NOTATION_CONFIG": vhost.AbsolutePath(NotationDirName)}) + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) }) diff --git a/test/e2e/suite/plugin/sign.go b/test/e2e/suite/plugin/sign.go index 3dc118f7e..2f6eea071 100644 --- a/test/e2e/suite/plugin/sign.go +++ b/test/e2e/suite/plugin/sign.go 
@@ -265,4 +265,38 @@ var _ = Describe("notation plugin sign", func() { Expect(descriptors[0].Annotations).Should(HaveKeyWithValue("k1", "v1")) }) }) + + It("incorrect NOTATION_LIBEXEC path", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + // setup incorrect NOTATION_LIBEXEC path + vhost.SetOption(AddPlugin(NotationE2EPluginPath)) + notation.Exec("key", "add", "plugin-key", "--id", "key1", "--plugin", "e2e-plugin", + "--plugin-config", string(CapabilityEnvelopeGenerator)+"=true", + "--plugin-config", TamperAnnotation+"=k1=v1"). + MatchKeyWords("plugin-key") + + vhost.UpdateEnv(map[string]string{"NOTATION_LIBEXEC": "/not/exist"}) + + // run signing + notation.ExpectFailure().Exec("sign", artifact.ReferenceWithDigest(), "--key", "plugin-key", "-d"). + MatchErrKeyWords("no such file or directory") + }) + }) + + It("correct NOTATION_LIBEXEC path", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + // setup incorrect NOTATION_LIBEXEC path + vhost.SetOption(AddPlugin(NotationE2EPluginPath)) + notation.Exec("key", "add", "plugin-key", "--id", "key1", "--plugin", "e2e-plugin", + "--plugin-config", string(CapabilityEnvelopeGenerator)+"=true", + "--plugin-config", TamperAnnotation+"=k1=v1"). + MatchKeyWords("plugin-key") + + vhost.UpdateEnv(map[string]string{"NOTATION_LIBEXEC": vhost.AbsolutePath(NotationDirName)}) + + // run signing + notation.Exec("sign", artifact.ReferenceWithDigest(), "--key", "plugin-key", "-d"). + MatchKeyWords("Successfully signed") + }) + }) }) From 116f5ecc298b9f1f475f6266e4344484b69de601 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 4 Jan 2024 11:22:43 +0800 Subject: [PATCH 39/88] fix: fix bug in `SetHTTPDebugLog` (#857) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- internal/trace/transport.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
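Review bot: the comment `// setup incorrect NOTATION_LIBEXEC path` was copied into the "correct NOTATION_LIBEXEC path" case and is wrong there. The `--plugin-config` arguments (`CapabilityEnvelopeGenerator`, `TamperAnnotation+"=k1=v1"`) are unrelated to what these two cases test and could be dropped to keep the env-var tests focused.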
diff --git a/internal/trace/transport.go b/internal/trace/transport.go index 86700c692..a83ebda19 100644 --- a/internal/trace/transport.go +++ b/internal/trace/transport.go @@ -88,11 +88,11 @@ func logHeader(header http.Header, e log.Logger) { // SetHTTPDebugLog sets up http debug log with logrus.Logger func SetHTTPDebugLog(ctx context.Context, authClient *auth.Client) { - if logrusLog, ok := log.GetLogger(ctx).(*logrus.Logger); ok && logrusLog.Level != logrus.DebugLevel { + if logrusLog, ok := log.GetLogger(ctx).(*logrus.Logger); !ok || logrusLog.Level != logrus.DebugLevel { return } if authClient.Client == nil { - authClient.Client = http.DefaultClient + authClient.Client = &http.Client{} } if authClient.Client.Transport == nil { authClient.Client.Transport = http.DefaultTransport From bea8cf267530cbd7f189ba83d2af000f930d8af1 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 4 Jan 2024 15:26:24 +0800 Subject: [PATCH 40/88] fix: `notation plugin install` error messages and tests (#855) * This PR improves error messages of `notation plugin install` command and updates the related cli specs. (Resolves #853) * This PR also adds zip bomb and zip slip tests. Signed-off-by: Patrick Zheng 
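Review bot: the `!ok ||` and `&http.Client{}` fixes in `SetHTTPDebugLog` need a unit test, since the inverted condition shipped unnoticed: a context without a logrus logger should leave `authClient.Client.Transport` untouched, a debug-level logrus logger should wrap it, and `http.DefaultClient.Transport` should be unchanged afterwards.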
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- cmd/notation/internal/plugin/plugin.go | 5 +- cmd/notation/plugin/install.go | 68 ++++++++++++------ cmd/notation/plugin/uninstall.go | 2 +- internal/osutil/file.go | 21 ++---- internal/osutil/file_test.go | 6 +- specs/commandline/plugin.md | 24 ++++--- test/e2e/internal/notation/init.go | 41 ++++++----- test/e2e/run.sh | 3 +- test/e2e/suite/plugin/install.go | 51 +++++++++++-- .../malicious-plugin/large_file_tarGz.tar.gz | Bin 0 -> 264717 bytes .../malicious-plugin/large_file_zip.zip | Bin 0 -> 265120 bytes .../testdata/malicious-plugin/zip_bomb.zip | Bin 0 -> 42374 bytes .../testdata/malicious-plugin/zip_slip.zip | Bin 0 -> 226 bytes 13 files changed, 142 insertions(+), 79 deletions(-) create mode 100644 test/e2e/testdata/malicious-plugin/large_file_tarGz.tar.gz create mode 100644 test/e2e/testdata/malicious-plugin/large_file_zip.zip create mode 100644 test/e2e/testdata/malicious-plugin/zip_bomb.zip create mode 100644 test/e2e/testdata/malicious-plugin/zip_slip.zip diff --git a/cmd/notation/internal/plugin/plugin.go b/cmd/notation/internal/plugin/plugin.go index e06f57c18..078f66ea3 100644 --- a/cmd/notation/internal/plugin/plugin.go +++ b/cmd/notation/internal/plugin/plugin.go @@ -52,7 +52,8 @@ const ( // URL const DownloadPluginFromURLTimeout = 10 * time.Minute -// DownloadPluginFromURL downloads plugin file from url to a tmp directory +// DownloadPluginFromURL downloads plugin source from url to a tmp file on file +// system func DownloadPluginFromURL(ctx context.Context, pluginURL string, tmpFile io.Writer) error { // Get the data client := httputil.NewAuthClient(ctx, &http.Client{Timeout: DownloadPluginFromURLTimeout}) 
@@ -79,7 +80,7 @@ func DownloadPluginFromURL(ctx context.Context, pluginURL string, tmpFile io.Wri return err } if lr.N == 0 { - return fmt.Errorf("%s %q: https response reaches the %d MiB size limit", resp.Request.Method, resp.Request.URL, MaxPluginSourceBytes) + return fmt.Errorf("%s %q: https response reached the %d MiB size limit", resp.Request.Method, resp.Request.URL, MaxPluginSourceBytes/1024/1024) } return nil } diff --git a/cmd/notation/plugin/install.go b/cmd/notation/plugin/install.go index 2dfed9093..6f32c7b0f 100644 --- a/cmd/notation/plugin/install.go +++ b/cmd/notation/plugin/install.go @@ -58,7 +58,7 @@ func installCommand(opts *pluginInstallOpts) *cobra.Command { command := &cobra.Command{ Use: "install [flags] <--file|--url> ", Aliases: []string{"add"}, - Short: "Install plugin", + Short: "Install a plugin", Long: `Install a plugin Example - Install plugin from file system: @@ -73,6 +73,9 @@ Example - Install plugin from file system regardless if it's already installed: Example - Install plugin from file system with .tar.gz: notation plugin install --file wabbit-plugin-v1.0.tar.gz +Example - Install plugin from file system with a single plugin executable file: + notation plugin install --file notation-wabbit-plugin + Example - Install plugin from URL, SHA256 checksum is required: notation plugin install --url https://wabbit-networks.com/intaller/linux/amd64/wabbit-plugin-v1.0.tar.gz --sha256sum f8a75d9234db90069d9eb5660e5374820edf36d710bd063f4ef81e7063d3810b `, @@ -84,10 +87,10 @@ Example - Install plugin from URL, SHA256 checksum is required: case opts.isURL: return errors.New("missing plugin URL") } - return errors.New("missing plugin source") + return errors.New("missing plugin source location") } if len(args) > 1 { - return fmt.Errorf("can only insall one plugin at a time, but got %v", args) + return fmt.Errorf("can only install one plugin at a time, but got %v", args) } opts.pluginSource = args[0] return nil 
@@ -103,8 +106,8 @@ Example - Install plugin from URL, SHA256 checksum is required: }, } opts.LoggingFlagOpts.ApplyFlags(command.Flags()) - command.Flags().BoolVar(&opts.isFile, "file", false, "install plugin from a file in file system") - command.Flags().BoolVar(&opts.isURL, "url", false, "install plugin from an HTTPS URL. The timeout of the download HTTPS request is set to 10 minutes") + command.Flags().BoolVar(&opts.isFile, "file", false, "install plugin from a file on file system") + command.Flags().BoolVar(&opts.isURL, "url", false, fmt.Sprintf("install plugin from an HTTPS URL. The plugin download timeout is %s", notationplugin.DownloadPluginFromURLTimeout)) command.Flags().StringVar(&opts.inputChecksum, "sha256sum", "", "must match SHA256 of the plugin source, required when \"--url\" flag is set") command.Flags().BoolVar(&opts.force, "force", false, "force the installation of the plugin") command.MarkFlagsMutuallyExclusive("file", "url") @@ -135,7 +138,7 @@ func install(command *cobra.Command, opts *pluginInstallOpts) error { } tmpFile, err := os.CreateTemp("", notationPluginDownloadTmpFile) if err != nil { - return fmt.Errorf("failed to create notationPluginDownloadTmpFile: %w", err) + return fmt.Errorf("failed to create temporary file required for downloading plugin: %w", err) } defer os.Remove(tmpFile.Name()) defer tmpFile.Close() @@ -157,11 +160,11 @@ func install(command *cobra.Command, opts *pluginInstallOpts) error { // installPlugin installs the plugin given plugin source path func installPlugin(ctx context.Context, inputPath string, inputChecksum string, force bool) error { // sanity check - inputFileStat, err := os.Stat(inputPath) + inputFileInfo, err := os.Stat(inputPath) if err != nil { return err } - if !inputFileStat.Mode().IsRegular() { + if !inputFileInfo.Mode().IsRegular() { return fmt.Errorf("%s is not a valid file", inputPath) } // checksum check 
@@ -182,12 +185,21 @@ func installPlugin(ctx context.Context, inputPath string, inputChecksum string, return err } defer rc.Close() + // check for '..' in file name to avoid zip slip vulnerability + for _, f := range rc.File { + if strings.Contains(f.Name, "..") { + return fmt.Errorf("file name in zip cannot contain '..', but found %q", f.Name) + } + } return installPluginFromFS(ctx, rc, force) case notationplugin.MediaTypeGzip: // when file is gzip, required to be tar return installPluginFromTarGz(ctx, inputPath, force) default: // input file is not in zip or gzip, try install directly + if inputFileInfo.Size() >= osutil.MaxFileBytes { + return fmt.Errorf("file size reached the %d MiB size limit", osutil.MaxFileBytes/1024/1024) + } installOpts := plugin.CLIInstallOptions{ PluginPath: inputPath, Overwrite: force, @@ -200,17 +212,18 @@ func installPlugin(ctx context.Context, inputPath string, inputChecksum string, // from a fs.FS // // Note: zip.ReadCloser implments fs.FS -func installPluginFromFS(ctx context.Context, pluginFs fs.FS, force bool) error { +func installPluginFromFS(ctx context.Context, pluginFS fs.FS, force bool) error { // set up logger logger := log.GetLogger(ctx) root := "." // extracting all regular files from root into tmpDir tmpDir, err := os.MkdirTemp("", notationPluginTmpDir) if err != nil { - return fmt.Errorf("failed to create notationPluginTmpDir: %w", err) + return fmt.Errorf("failed to create temporary directory: %w", err) } defer os.RemoveAll(tmpDir) - if err := fs.WalkDir(pluginFs, root, func(path string, d fs.DirEntry, err error) error { + var pluginFileSize int64 + if err := fs.WalkDir(pluginFS, root, func(path string, d fs.DirEntry, err error) error { if err != nil { return err } 
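Review bot: the zip-slip check `strings.Contains(f.Name, "..")` rejects any name containing two consecutive dots, including benign ones such as `plugin..v2`; if the intent is to block traversal, check for a `..` path element (e.g. split on `/` and compare each component). The size check in the default branch uses `>=`, which matches the "strictly less than" contract of `MaxFileBytes`; make `installPluginFromFS` and `installPluginFromTarGz` use the same comparison so the three paths agree.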
@@ -222,13 +235,17 @@ func installPluginFromFS(ctx context.Context, pluginFs fs.FS, force bool) error if err != nil { return err } - // only accept regular files. - // it is required by github-advanced-security to check for `..` in fName - if !info.Mode().IsRegular() || strings.Contains(fName, "..") { + // only accept regular files + if !info.Mode().IsRegular() { return nil } + // check for plugin file size to avoid zip bomb vulnerability + pluginFileSize += info.Size() + if pluginFileSize >= osutil.MaxFileBytes { + return fmt.Errorf("total file size reached the %d MiB size limit", osutil.MaxFileBytes/1024/1024) + } logger.Debugf("Extracting file %s...", fName) - rc, err := pluginFs.Open(path) + rc, err := pluginFS.Open(path) if err != nil { return err } @@ -264,9 +281,10 @@ func installPluginFromTarGz(ctx context.Context, tarGzPath string, force bool) e // extracting all regular files into tmpDir tmpDir, err := os.MkdirTemp("", notationPluginTmpDir) if err != nil { - return fmt.Errorf("failed to create notationPluginTmpDir: %w", err) + return fmt.Errorf("failed to create temporary directory: %w", err) } defer os.RemoveAll(tmpDir) + var pluginFileSize int64 for { header, err := tarReader.Next() if err != nil { 
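Review bot: the zip-bomb guard in `installPluginFromFS` accounts with `info.Size()`, the size declared in the archive entry, while this same patch removes the `io.LimitedReader` from `CopyFromReaderToDir`, so the bytes actually copied are no longer bounded by this package. Wrap the reader when copying, e.g. `io.LimitReader(rc, osutil.MaxFileBytes-pluginFileSize)`, so the limit holds regardless of whether the archive reader enforces the declared size.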
@@ -275,11 +293,19 @@ func installPluginFromTarGz(ctx context.Context, tarGzPath string, force bool) e } return err } - // only accept regular files. - // it is required by github-advanced-security to check for `..` in fName - if !header.FileInfo().Mode().IsRegular() || strings.Contains(header.Name, "..") { + // check for '..' in file name to avoid zip slip vulnerability + if strings.Contains(header.Name, "..") { + return fmt.Errorf("file name in tar.gz cannot contain '..', but found %q", header.Name) + } + // only accept regular files + if !header.FileInfo().Mode().IsRegular() { continue } + // check for plugin file size to avoid zip bomb vulnerability + pluginFileSize += header.FileInfo().Size() + if pluginFileSize >= osutil.MaxFileBytes { + return fmt.Errorf("total file size reached the %d MiB size limit", osutil.MaxFileBytes/1024/1024) + } fName := filepath.Base(header.Name) logger.Debugf("Extracting file %s...", fName) tmpFilePath := filepath.Join(tmpDir, fName) @@ -307,9 +333,9 @@ func installPluginWithOptions(ctx context.Context, opts plugin.CLIInstallOptions return err } if existingPluginMetadata != nil { - fmt.Printf("Succussefully installed plugin %s, updated the version from %s to %s\n", newPluginMetadata.Name, existingPluginMetadata.Version, newPluginMetadata.Version) + fmt.Printf("Successfully updated plugin %s from version %s to %s\n", newPluginMetadata.Name, existingPluginMetadata.Version, newPluginMetadata.Version) } else { - fmt.Printf("Succussefully installed plugin %s, version %s\n", newPluginMetadata.Name, newPluginMetadata.Version) + fmt.Printf("Successfully installed plugin %s, version %s\n", newPluginMetadata.Name, newPluginMetadata.Version) } return nil } diff --git a/cmd/notation/plugin/uninstall.go b/cmd/notation/plugin/uninstall.go index d60b77e9f..6c20c1106 100644 --- a/cmd/notation/plugin/uninstall.go +++ b/cmd/notation/plugin/uninstall.go 
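Review bot: in `installPluginFromTarGz`, entries are extracted flat with `fName := filepath.Base(header.Name)`, so two regular files in different directories with the same base name silently overwrite each other in `tmpDir` while `pluginFileSize` still counts both; either reject duplicate base names or fail when more than one regular file is present. The `..` check here mirrors the zip one and has the same substring-versus-path-element caveat.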
@@ -87,7 +87,7 @@ func uninstallPlugin(command *cobra.Command, opts *pluginUninstallOpts) error { } mgr := plugin.NewCLIManager(dir.PluginFS()) if err := mgr.Uninstall(ctx, pluginName); err != nil { - return fmt.Errorf("failed to uninstall %s: %w", pluginName, err) + return fmt.Errorf("failed to uninstall plugin %s: %w", pluginName, err) } fmt.Printf("Successfully uninstalled plugin %s\n", pluginName) return nil diff --git a/internal/osutil/file.go b/internal/osutil/file.go index d2de17ce5..06f69792a 100644 --- a/internal/osutil/file.go +++ b/internal/osutil/file.go @@ -26,7 +26,7 @@ import ( ) // MaxFileBytes is the maximum file bytes. -// When used, the value should strictly less than this number. +// When used, the value should be strictly less than this number. var MaxFileBytes int64 = 256 * 1024 * 1024 // 256 MiB // WriteFile writes to a path with all parent directories created. @@ -104,25 +104,18 @@ func IsRegularFile(path string) (bool, error) { } // CopyFromReaderToDir copies file from src to dst where dst is the destination -// file path. The file size must be less than 256 MiB. +// file path. func CopyFromReaderToDir(src io.Reader, dst string, perm fs.FileMode) error { dstFile, err := os.Create(dst) if err != nil { return err } - lr := &io.LimitedReader{ - R: src, - N: MaxFileBytes, - } - if _, err := io.Copy(dstFile, lr); err != nil || lr.N == 0 { - _ = dstFile.Close() - if err != nil { - return err - } - return fmt.Errorf("file reaches the %d MiB size limit", MaxFileBytes) + if _, err := io.Copy(dstFile, src); err != nil { + dstFile.Close() + return err } if err := dstFile.Chmod(perm); err != nil { - _ = dstFile.Close() + dstFile.Close() return err } return dstFile.Close() 
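Review bot: with the `io.LimitedReader` removed from the exported `CopyFromReaderToDir`, its doc comment should state that callers are responsible for bounding `src`, since the function is the one thing standing between an archive entry and the disk. The `dstFile.Close()` error on the copy-failure path is discarded, which is fine, but the partial `dst` is still left on disk; `os.Remove(dst)` there would avoid installing a truncated plugin.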
@@ -157,7 +150,7 @@ func ValidateSHA256Sum(path string, checksum string) error { sha256sum := sha256Hash.Sum(nil) enc := hex.EncodeToString(sha256sum[:]) if !strings.EqualFold(enc, checksum) { - return fmt.Errorf("plugin checksum does not match user input. Expecting %s", checksum) + return fmt.Errorf("plugin SHA-256 checksum does not match user input. Expecting %s", checksum) } return nil } diff --git a/internal/osutil/file_test.go b/internal/osutil/file_test.go index fdf9dd331..59226f9b1 100644 --- a/internal/osutil/file_test.go +++ b/internal/osutil/file_test.go @@ -261,11 +261,11 @@ func TestCopyToDir(t *testing.T) { } func TestValidateChecksum(t *testing.T) { - expectedErrorMsg := "plugin checksum does not match user input. Expecting abcd123" + expectedErrorMsg := "plugin SHA-256 checksum does not match user input. Expecting abcd123" if err := ValidateSHA256Sum("./testdata/test", "abcd123"); err == nil || err.Error() != expectedErrorMsg { - t.Fatalf("expected err %s, got %v", expectedErrorMsg, err) + t.Fatalf("expected err %s, but got %v", expectedErrorMsg, err) } if err := ValidateSHA256Sum("./testdata/test", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"); err != nil { - t.Fatalf("expected nil err, got %v", err) + t.Fatalf("expected nil err, but got %v", err) } } diff --git a/specs/commandline/plugin.md b/specs/commandline/plugin.md index 8ab20e54f..c0460ab50 100644 --- a/specs/commandline/plugin.md +++ b/specs/commandline/plugin.md 
@@ -48,11 +48,11 @@ Usage: Flags: -d, --debug debug mode - --file install plugin from a file in file system - --force force the installation of a plugin + --file install plugin from a file on file system + --force force the installation of the plugin -h, --help help for install - --sha256sum string must match SHA256 of the plugin source - --url install plugin from an HTTPS URL + --sha256sum string must match SHA256 of the plugin source, required when "--url" flag is set + --url install plugin from an HTTPS URL. The plugin download timeout is 10m0s -v, --verbose verbose mode Aliases: @@ -68,7 +68,9 @@ Usage: notation plugin uninstall [flags] Flags: + -d, --debug debug mode -h, --help help for remove + -v, --verbose verbose mode -y, --yes do not prompt for confirmation Aliases: uninstall, remove, rm @@ -80,7 +82,7 @@ Aliases: ### Install a plugin from file system -Install a Notation plugin from file system. Plugin file supports `.zip` and `.tar.gz` format. The checksum validation is optional for this case. +Install a Notation plugin from the host file system. `.zip`, `.tar.gz`, and `single plugin executable file` formats are supported. In this scenario, SHA-256 checksum validation is optional. ```shell $ notation plugin install --file 
@@ -95,13 +97,13 @@ Successfully installed plugin , version If the entered plugin checksum digest doesn't match the published checksum, Notation will return an error message and will not start installation. ```console -Error: plugin installation failed: plugin checksum does not match user input. Expecting +Error: plugin installation failed: plugin sha256sum does not match user input. Expecting ``` If the plugin version is higher than the existing plugin, Notation will start installation and overwrite the existing plugin. ```console -Successfully installed plugin , updated the version from to +Successfully updated plugin from version to ``` If the plugin version is equal to the existing plugin, Notation will not start installation and return the following message. Users can use a flag `--force` to skip plugin version check and force the installation. 
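Review bot: the spec sample `Error: plugin installation failed: plugin sha256sum does not match user input. Expecting` does not match the code, which now emits "plugin SHA-256 checksum does not match user input. Expecting %s" (internal/osutil/file.go in this patch); align one with the other so the documented output is what users see.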
@@ -113,12 +115,12 @@ Error: plugin installation failed: plugin with version alr If the plugin version is lower than the existing plugin, Notation will return an error message and will not start installation. Users can use a flag `--force` to skip plugin version check and force the installation. ```console -Error: failed to install plugin: . The installing plugin version is lower than the existing plugin version . +Error: plugin installation failed: failed to install plugin . The installing plugin version is lower than the existing plugin version . It is not recommended to install an older version. To force the installation, use the "--force" option. ``` ### Install a plugin from URL -Install a Notation plugin from a remote location and verify the plugin checksum. Notation only supports installing plugins from an HTTPS URL, which means that the URL must start with "https://". +Install a Notation plugin from a URL. Notation only supports HTTPS URL, which means that the URL must start with "https://". The URL MUST point to a resource in `.zip`, `.tar.gz`, or `single plugin executable file` format. In this scenario, the SHA-256 checksum of the resource MUST be provided. ```shell $ notation plugin install --sha256sum --url @@ -134,7 +136,7 @@ Upon successful execution, the plugin is uninstalled from the plugin directory. ```shell Are you sure you want to uninstall plugin ""? [y/n] y -Successfully uninstalled +Successfully uninstalled plugin ``` Uninstall the plugin without prompt for confirmation. @@ -147,7 +149,7 @@ If the plugin is not found, an error is returned showing the syntax for the plug ```shell Error: unable to find plugin . -To view a list of installed plugins, use "notation plugin list" +To view a list of installed plugins, use `notation plugin list` ``` ### List installed plugins diff --git a/test/e2e/internal/notation/init.go b/test/e2e/internal/notation/init.go index 2e1659917..110a7dde1 100644 --- a/test/e2e/internal/notation/init.go 
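Review bot: The downgrade error in the first hunk doubles its prefix, `plugin installation failed: failed to install plugin . The installing plugin version is lower than the existing plugin version .`; drop the inner "failed to install plugin" and keep one name/version pair, e.g. `plugin installation failed: plugin <name> version <x> is lower than the installed version <y>. To force the installation, use the "--force" option.` The sentence "It is not recommended to install an older version." belongs in the spec prose rather than in the CLI output.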
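Review bot: The "Install a plugin from URL" hunk makes the SHA-256 checksum mandatory, which is the right control, but it should say where the digest comes from. HTTPS only protects the transport; a checksum copied from the same page that serves the download adds nothing if that host is compromised. Add a sentence telling users to take the digest from the plugin publisher's release notes or signed manifest rather than computing it from the file they just downloaded. Also "Notation only supports HTTPS URL" should be "HTTPS URLs".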
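Review bot: The last hunk changes the "plugin not found" message to use backticks around `notation plugin list`, while the force-install message in the same file uses double quotes around "--force". CLI output should use one quoting style; double quotes render the same in terminals and log files, where markdown backticks do not.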
+++ b/test/e2e/internal/notation/init.go @@ -33,18 +33,19 @@ const ( ) const ( - envKeyRegistryHost = "NOTATION_E2E_REGISTRY_HOST" - envKeyRegistryUsername = "NOTATION_E2E_REGISTRY_USERNAME" - envKeyRegistryPassword = "NOTATION_E2E_REGISTRY_PASSWORD" - envKeyDomainRegistryHost = "NOTATION_E2E_DOMAIN_REGISTRY_HOST" - envKeyNotationBinPath = "NOTATION_E2E_BINARY_PATH" - envKeyNotationOldBinPath = "NOTATION_E2E_OLD_BINARY_PATH" - envKeyNotationPluginPath = "NOTATION_E2E_PLUGIN_PATH" - envKeyNotationPluginTarGzPath = "NOTATION_E2E_PLUGIN_TAR_GZ_PATH" - envKeyNotationConfigPath = "NOTATION_E2E_CONFIG_PATH" - envKeyOCILayoutPath = "NOTATION_E2E_OCI_LAYOUT_PATH" - envKeyTestRepo = "NOTATION_E2E_TEST_REPO" - envKeyTestTag = "NOTATION_E2E_TEST_TAG" + envKeyRegistryHost = "NOTATION_E2E_REGISTRY_HOST" + envKeyRegistryUsername = "NOTATION_E2E_REGISTRY_USERNAME" + envKeyRegistryPassword = "NOTATION_E2E_REGISTRY_PASSWORD" + envKeyDomainRegistryHost = "NOTATION_E2E_DOMAIN_REGISTRY_HOST" + envKeyNotationBinPath = "NOTATION_E2E_BINARY_PATH" + envKeyNotationOldBinPath = "NOTATION_E2E_OLD_BINARY_PATH" + envKeyNotationPluginPath = "NOTATION_E2E_PLUGIN_PATH" + envKeyNotationPluginTarGzPath = "NOTATION_E2E_PLUGIN_TAR_GZ_PATH" + envKeyNotationMaliciouPluginArchivePath = "NOTATION_E2E_MALICIOUS_PLUGIN_ARCHIVE_PATH" + envKeyNotationConfigPath = "NOTATION_E2E_CONFIG_PATH" + envKeyOCILayoutPath = "NOTATION_E2E_OCI_LAYOUT_PATH" + envKeyTestRepo = "NOTATION_E2E_TEST_REPO" + envKeyTestTag = "NOTATION_E2E_TEST_TAG" ) var ( 
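Review bot: The new constant `envKeyNotationMaliciouPluginArchivePath` drops the "s" in Malicious, while the variable it feeds (`NotationE2EMaliciousPluginArchivePath`) and the environment variable `NOTATION_E2E_MALICIOUS_PLUGIN_ARCHIVE_PATH` spell it correctly. Rename it to `envKeyNotationMaliciousPluginArchivePath` here and at its use in `setUpNotationValues` before the typo spreads.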
@@ -52,13 +53,14 @@ var ( NotationBinPath string // NotationOldBinPath is the path of an old version notation binary for // testing forward compatibility. - NotationOldBinPath string - NotationE2EPluginPath string - NotationE2EPluginTarGzPath string - NotationE2EConfigPath string - NotationE2ELocalKeysDir string - NotationE2ETrustPolicyDir string - NotationE2EConfigJsonDir string + NotationOldBinPath string + NotationE2EPluginPath string + NotationE2EPluginTarGzPath string + NotationE2EMaliciousPluginArchivePath string + NotationE2EConfigPath string + NotationE2ELocalKeysDir string + NotationE2ETrustPolicyDir string + NotationE2EConfigJsonDir string ) var ( @@ -93,6 +95,7 @@ func setUpNotationValues() { // set Notation e2e-plugin path setPathValue(envKeyNotationPluginPath, &NotationE2EPluginPath) setPathValue(envKeyNotationPluginTarGzPath, &NotationE2EPluginTarGzPath) + setPathValue(envKeyNotationMaliciouPluginArchivePath, &NotationE2EMaliciousPluginArchivePath) // set Notation configuration paths setPathValue(envKeyNotationConfigPath, &NotationE2EConfigPath) diff --git a/test/e2e/run.sh b/test/e2e/run.sh index a3ce61864..7da050cb4 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -73,7 +73,7 @@ go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.5 # build e2e plugin and tar.gz PLUGIN_NAME=notation-e2e-plugin -( cd $CWD/plugin && go build -o ./bin/$PLUGIN_NAME . && echo "e2e plugin built." && tar -czvf ./bin/$PLUGIN_NAME.tar.gz -C ./bin/ $PLUGIN_NAME) +( cd $CWD/plugin && go build -o ./bin/$PLUGIN_NAME . && echo "e2e plugin built." && tar -czvf ./bin/$PLUGIN_NAME.tar.gz -C ./bin/ $PLUGIN_NAME ) # setup registry case $REGISTRY_NAME in 
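Review bot: The `setUpNotationValues` hunk adds `setPathValue(envKeyNotationMaliciouPluginArchivePath, &NotationE2EMaliciousPluginArchivePath)` under the comment "set Notation e2e-plugin path", which no longer describes it; add its own comment, e.g. `// set path to the malicious plugin archives used by the install tests`. The surrounding lines document what each path is for, and this one (a directory of deliberately hostile fixtures) deserves the same.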
@@ -108,6 +108,7 @@ export NOTATION_E2E_TEST_REPO=e2e export NOTATION_E2E_TEST_TAG=v1 export NOTATION_E2E_PLUGIN_PATH=$CWD/plugin/bin/$PLUGIN_NAME export NOTATION_E2E_PLUGIN_TAR_GZ_PATH=$CWD/plugin/bin/$PLUGIN_NAME.tar.gz +export NOTATION_E2E_MALICIOUS_PLUGIN_ARCHIVE_PATH=$CWD/testdata/malicious-plugin # run tests ginkgo -r -p -v \ No newline at end of file diff --git a/test/e2e/suite/plugin/install.go b/test/e2e/suite/plugin/install.go index bd85d0389..363801d44 100644 --- a/test/e2e/suite/plugin/install.go +++ b/test/e2e/suite/plugin/install.go @@ -14,6 +14,8 @@ package plugin import ( + "path/filepath" + . "github.com/notaryproject/notation/test/e2e/internal/notation" "github.com/notaryproject/notation/test/e2e/internal/utils" . "github.com/onsi/ginkgo/v2" @@ -42,7 +44,7 @@ var _ = Describe("notation plugin install", func() { It("with missing plugin source", func() { Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("plugin", "install"). - MatchErrContent("Error: missing plugin source\n") + MatchErrContent("Error: missing plugin source location\n") }) }) 
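Review bot: The run.sh hunk adds `export NOTATION_E2E_MALICIOUS_PLUGIN_ARCHIVE_PATH=$CWD/testdata/malicious-plugin` unquoted, like the lines above it; `$CWD` with a space would break every one of them, and quoting the new line is cheap. The file still ends without a trailing newline (`\ No newline at end of file` is carried over on the `ginkgo -r -p -v` line); fix that while touching the file.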
@@ -60,24 +62,52 @@ var _ = Describe("notation plugin install", func() { }) }) + It("with zip bomb single file exceeds 256 MiB size limit in zip format", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--file", filepath.Join(NotationE2EMaliciousPluginArchivePath, "large_file_zip.zip"), "-v"). + MatchErrContent("Error: plugin installation failed: total file size reached the 256 MiB size limit\n") + }) + }) + + It("with zip bomb single file exceeds 256 MiB size limit in tar.gz format", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--file", filepath.Join(NotationE2EMaliciousPluginArchivePath, "large_file_tarGz.tar.gz"), "-v"). + MatchErrContent("Error: plugin installation failed: total file size reached the 256 MiB size limit\n") + }) + }) + + It("with zip bomb total file size exceeds 256 MiB size limit", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--file", filepath.Join(NotationE2EMaliciousPluginArchivePath, "zip_bomb.zip"), "-v"). + MatchErrContent("Error: plugin installation failed: total file size reached the 256 MiB size limit\n") + }) + }) + + It("with zip slip", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--file", filepath.Join(NotationE2EMaliciousPluginArchivePath, "zip_slip.zip"), "-v"). + MatchErrContent("Error: plugin installation failed: file name in zip cannot contain '..', but found \"../../../../../../../../tmp/evil.txt\"\n") + }) + }) + It("with valid plugin file path", func() { Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath, "-v"). 
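Review bot: The three size-limit cases all assert the identical message `total file size reached the 256 MiB size limit`, so the two titled "single file exceeds 256 MiB" do not demonstrate a per-file check distinct from the total. Either the installer reports both conditions with one message, in which case the test names should say so, or a per-file limit exists and its own message should be asserted. The zip-slip case covers only `.zip`; add a `.tar.gz` fixture with a `../` entry, since the spec accepts both formats and tar extraction is a separate code path. Consider also fixtures with an absolute-path entry (`/tmp/evil.txt`) and with a symlink pointing outside the extraction directory, which the `'..'` check this test asserts on does not cover by itself.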
- MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + MatchContent("Successfully installed plugin e2e-plugin, version 1.0.0\n") }) }) It("with plugin executable file path", func() { Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { notation.Exec("plugin", "install", "--file", NotationE2EPluginPath). - MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + MatchContent("Successfully installed plugin e2e-plugin, version 1.0.0\n") }) }) It("with plugin already installed", func() { Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath). - MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + MatchContent("Successfully installed plugin e2e-plugin, version 1.0.0\n") notation.ExpectFailure().Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath). MatchErrContent("Error: plugin installation failed: plugin e2e-plugin with version 1.0.0 already exists\n") 
@@ -87,17 +117,17 @@ var _ = Describe("notation plugin install", func() { It("with plugin already installed but force install", func() { Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath, "-v"). - MatchContent("Succussefully installed plugin e2e-plugin, version 1.0.0\n") + MatchContent("Successfully installed plugin e2e-plugin, version 1.0.0\n") notation.Exec("plugin", "install", "--file", NotationE2EPluginTarGzPath, "--force"). - MatchContent("Succussefully installed plugin e2e-plugin, updated the version from 1.0.0 to 1.0.0\n") + MatchContent("Successfully updated plugin e2e-plugin from version 1.0.0 to 1.0.0\n") }) }) It("with valid plugin URL", func() { Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { notation.Exec("plugin", "install", "--url", PluginURL, "--sha256sum", PluginChecksum). - MatchKeyWords("Succussefully installed plugin e2e-test-plugin, version 0.1.0\n") + MatchKeyWords("Successfully installed plugin e2e-test-plugin, version 0.1.0\n") }) }) @@ -108,6 +138,13 @@ var _ = Describe("notation plugin install", func() { }) }) + It("with valid plugin URL but mismatched SHA-256 checksum", func() { + Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("plugin", "install", "--url", PluginURL, "--sha256sum", "abcd"). + MatchErrContent("Error: plugin installation failed: plugin SHA-256 checksum does not match user input. Expecting abcd\n") + }) + }) + It("with invalid plugin URL scheme", func() { Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("plugin", "install", "--url", "http://invalid", "--sha256sum", "abcd"). 
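Review bot: With `--force` on an identical version the CLI prints `Successfully updated plugin e2e-plugin from version 1.0.0 to 1.0.0`, which reads like a no-op. When old and new versions are equal the message should say the plugin was reinstalled (e.g. `Successfully reinstalled plugin e2e-plugin, version 1.0.0`), and specs/commandline/plugin.md should document that branch alongside the upgrade message.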
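Review bot: The mismatched-checksum case passes `abcd`, which is not a 64-hex-character SHA-256 digest. A malformed value should be rejected before any download starts, with a distinct error, so this case should use a well-formed but wrong digest and a separate case should cover malformed input. The expected text `plugin SHA-256 checksum does not match user input` also differs from the `plugin sha256sum does not match user input` wording in specs/commandline/plugin.md in this same PR.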
diff --git a/test/e2e/testdata/malicious-plugin/large_file_tarGz.tar.gz b/test/e2e/testdata/malicious-plugin/large_file_tarGz.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..da3db5cbb8016b45462f01898e532aa47c941975 GIT binary patch literal 264717 zcmeI)vCA8E9LMp8*m_6opwK}i#6T9!)+Hb+y$3C*6&;G`pa_NMK@3Rth&Gu-n{pjo z#Np7vv>g&$q&!H-4Nj#z2rhwV3kWsKGsr^_a+;s`NBr=0!>xDk*Zkr8>{sbtcph6n zyi_lMO$`!D_c)D!#X?p-Vg*WNt+{L;NYk8gf(baM8} z(Knx5doTO;ofj^@_}js!XNM23zIOk?{aeq!d+^1bFYjEq^8WP)Km2j<@h{({zaKvH z*U9N;AH99@)BMA;%U}QdMQ;KG2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkJx z5`i1Zpx+Arx~i7xT@L{Q1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oN9;yFh2X z7=|rCUiI3O*lYYh0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAaHkcb zAlpvI1rGuQ2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkJxdV#XpNW)=(&AdB` zzD5860t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyP#^SLVGFRTmMIPb1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZAbNq$dNB-JfV}FpC(-8!AV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t9ABQrnFIvh8$S;2=PN009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjY~7bu&JG#m!l%)6uLYXlG=K!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk^+CTCwg9VYnc^TofB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C7q8I3_7sIdx$g5s^5`B&U0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyKwy?6wcQvX+fK&?4gv%S5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV45` zfwI|1!(o8UygQ1%MgRc<1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNApAM{&c z3$Ut|DGmYz2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkJxdV$V*F$`OPyy~?l z(dP&tK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1ZGK6+l>LT?Q~q=AV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0tBKLD4UHm90u6TyQAo91P~xVfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009E^LBAEY0IO=5;vhhP009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjY~7wD`P!>|R&t6qB&eU1PE1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZV3s7c-54O-PR9if0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyKp=X7ve`((VSvrNJBq$W009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5Fk(=^jl#Iu&S0R4gv%S5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV45` zfzEm{3|oM_>a{1)=LjG`fB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7W=T@p zjRCUlbX?#dK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1fmxxn~gLa2H4EI 
zqv&e{5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0Rr_wzZJFst7@6zAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0tBKL=&TpRum#AgUV9RKjsOA#2oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkKcmL#>^7$DnD#{~`o1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZAbNqa*+|1-fX%!+ioQkw0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAW$FlTVV^Zs+K7Z0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyKp=X7&U!HnTY$XkwI|W%2p~X!009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjYONmAR50kZ9MT;L!;fB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 zq8IqJ*~tHy0<`uXRgVr|Ey6A!918FvK!5-N0tEh#0yoe9SAFB^`Qz;S)4k`iC;tYL C6_3gQ literal 0 HcmV?d00001 diff --git a/test/e2e/testdata/malicious-plugin/large_file_zip.zip b/test/e2e/testdata/malicious-plugin/large_file_zip.zip new file mode 100644 index 0000000000000000000000000000000000000000..40b2dfc329138bdadf1630abb13357233a7271be GIT binary patch literal 265120 zcmeI*u}U0K6b9hgxCx?QHek}Ek$nJbiwK)0jS#koAXtdSD#F^x7IqqfeVV*NAeCuS zS_CWtLa;OGY|^C&3RVebR%~|W-WNFYji7VSVDW!vszrYLD^uVAV7cs0RjXF5FkLHSpo_Jnze6f2@oJafB*pk1PBlyK!Cu} z@>1vSzY1O*?6z?bAV7cs0RjXF5FkK+009Ew1r!E^U$KA$2oNAZfB*pk1PBlyKwwfp zVZfw^69EDQ2oNAZfB*pk1PBm_E}$?V`iA8rK!5-N0t5&UAV7cs0Roc(3IirRoCpvg zK!5-N0t5&UAV7dXbOD6{(Kjp~0RjXF5FkK+009C72oR_UC=958I1(U0fB*pk1PBly zK!5;&-~tK*f-hJ+0t5&UAV7cs0RjXF5Fk(yP#91FaU?*1009C72oNAZfB*pk!37is z1YfXt1PBlyK!5-N0t5&UAV8ohpfI2+;!J=50RjXF5FkK+009C7Vhbn?h`nFw2oNAZ zfB*pk1PBlyK!8A1Kw&^t#F+pA0t5&UAV7cs0RjXF#1>E(5PQGU5g`MrD8^a009C72oNAZfB*pk1mX%P42Zj1$p{c2K!5-N0t5&UAV7dX zNJRxAPp2oNAZfB*pk z1PBlykP%QAkbyBKK!5-N0t5&UAV7cs0Rlk<6b1xctXKpH5FkK+009C72oNAZASa+O zASYu^fB*pk1PBlyK!5-N0t8|TC=7_XSE&dPAV7cs0RjXF5FkK+Ku$nmKu*S-009C7 z2oNAZfB*pk1PH_wP#6$%uTl{pK!5-N0t5&UAV7csfvkYSfGmv%1PBlyK!5-N0t5&U zAV46bfWm-~YZZzB0RjXF5FkK+009C72xJ8m24rbGAV7cs0RjXF5FkK+009Ca1r!E^ zT&qw72oNAZfB*pk1PBlyKp-!mFd%Q^2>}8G2oNAZfB*pk1PBm_D4;MP;#OrMK!5-N z0t5&UAV7cs0Rnjeg#mdRPY4hoK!5-N0t5&UAV7dXM1c=Cm+y=6>Yd+SeE&SYa}gjw zfB*pk4HNh?(_d*lm@nqb+|$L$dUx&k?E17j+b++&&fL95t5~?d8*c7x4>q=ThJ(e? W{;0q5@X`1|tNeOV{(OD+d;bC91G^>w literal 0 HcmV?d00001 
diff --git a/test/e2e/testdata/malicious-plugin/zip_bomb.zip b/test/e2e/testdata/malicious-plugin/zip_bomb.zip new file mode 100644 index 0000000000000000000000000000000000000000..b4d00682f287342d9afab1d70c03075d9a48eed1 GIT binary patch literal 42374 zcmeI*>35B17Y6WiM2ZqqVitAUYE2~(391z*A|WJ^Nd{96shX!!%1fODZwwVm+D56K z)?85~rKZ+VltyZ%R9h!ngruZ3)%fmvdG58>yZ8PRp7?Ud`hCdSAFgXH&dSxNmsdqU zi^Wpe^697^-VajZujamOu?)8YW0EUFHUOd4nk)^7Q9vFPMtMV>)>zSuEchCRi}dk3T%W2h1wN zgb1ci*2;c)U}hVpgJ3d_=B7*nGt@901!D`dUycJ4X_!ueSv00BMSFkymOb723`KPOr&*9JemPdCB*(IBpy8%&{L!UeNse!-*_U^W`2yI``@?*zO9 z<~_qi2xfboq2Wnj#uz42FpIp3(gMN68m5O}j;5{e>;opiFg*oxZOo-NO5Uon zJs%9_ZNtP0=E9e)2iF3VY?wZR`S@|2_sS+%EFBFKCzzL;jfgl5rh#GN1+#XpcgSim z_tT%=CqXb5(?j<-!Te&FM8WKIT?iWhX18II1e5*Ms_#32Sz(yIf*CPBdO;m9GYpd~ znB%R={maK&EQ1V_BAD9unhz=h)73Dkg2~&MTD%^N%`j<}rk3AH)@?m~=c8F*tY9jr zJPZ)f<|n>01_AO6GEks^s;%tV`Bgw}joJyQe%oCobpW|E3KGz)tsSb}9A~jOHEJ)Q zzYiv!DFo!uC|E#~CX7s31IVsXh=3wKZZ^~j$fi*T0aY7ZeOP}$R*gCeXxY`KIUN9b z1{!zjB%t|oBK>Ova%*H4(51FnpO=k=J82Xqps-<0dmIAf)To<)wmb69eh$c?QMiCw zO^zQm1CU*#?gHAqx!d+sKsJpc1oVCSgJ$gkSv86jP=$LbpVt878DQM0hk$CQcBpY} z4BSbho&t*LQ|HSAfLt0y3CLbGY{#d7oEr5KP=ld|rc49m(5Sb7)^2{B+!v5tqi6w@ z9rO7r5Rgry7yk3Lu+CeFd~P zE8)T)qu@>&B@5`ok6xeh9UxCX<4!38^6hlSWczwrl%A>TW<*jik&x z?>}_rhk!h3Pwx~cW#+^+UvHfN$gPo-nScIt#wQw(OCu>Wht9uwx;Y@HMp9-L7MD-) z0_4z0%FG$X|MC581l&m@DKkTD4O;I2WYb8>%x7PJv1lnEt4300ZpbN%8w<#jYTQZ6 z%+SMp9;$9uBx*0p!$3%FNw6_on|c9PXr%l$qa*Pingj zkX<7wGqW;_r!59#(@4t9Ltifq9tFs%k(8O6LN*0Q0`jC7cak!*YQ;I>&jWI6BxUCO zm~$5%4TC#rBxPppm-~158IV&WDKp>yV1DLSKn{(h%=~Lg_D2f=*)@_fGs70NWH=z3 zMp9;;xKm|pI3TM=Qf4mM-Z=0%K%QjdPEuwzJLO(-|4q1)Mp9-TC_P{KG$5BoQfB)7 zFssXEKu(RM%#1lade)Vf(Kvn~_ zlQMInWlW8`L*Y(+pWdmRl$jf54{v<}kXs`uGdI<+|CQf3aC9#EkRAiG9VW^VL3u&Dtcn?_P*hBV&T=hho=Cyk`ce5=v$w4;DL zNyeR|%-k?JztaXlZjGeOta))rh1q~y8cCV?Nv*=0>42OXNtyXf!87|i19E62WoFm+ zPXyKlWYxo2UWO-BG(HIgzjeZViv)&lY*8h4U1^TeZToihQs zHIgzj&~NU!0f1Z@NttB?k}|W?iTy9N 
z1>}i)dZ!>MGw)CKsr)P;w?-4JIWb%cZxOcBxUBQPhXDM3COLHl$qn=rjlW6k(8O1dqw|w36NbQDKp<~{$QXLkWC{gGvgaA zoqAya+({!TGvB=4v;B5Jo*3g!Qf7YltN+pW0l77jGP7_?T+7jbTpCH4xvk>5(>(w= zHIgzj(6aXU3xFINNtxMXVbp-f{ozg;NtyYm)}b%Y0kUZ%WoEbGk&6ldSq;=)%FMzl zxxI1#d7_`*slAk$Uz|9$d;}o3Mp9$VU2 z!JRacGILMB;}K^7*)@_fGvVr~IbQ*?X(VN4zR!Rz3jkR)k}~tvtM@*96OgC3aVIG= z$Mg%m76!r?)`2asJODKkfPToUF0WYb8> zO#43nnXdt|Y9wXmx;J)&*8}87O$bkkdfHQf6MtznRq! zkV7LWGiNW_btwdpT_Y(oulSu`TMLj)BPla~{VnTiXgJ4u;2pnXpMR6uTxq|DrY ztMj2GKrW4>%)Ay;HY5O$QzI!ex1Y-ktqRDYk(8OsN_}r!PJ}yYBxUA|rPa&bfNUB` znOQmS*xluTtQtv~xzKOR;K_hI5yqXQ%yb2Mt%(QZ)=0|Cc?qkEUIFCNNXpC=)k}V_ z49KaGl$niudTzLs0C&w!C>CIYf*BxUA5 zO)5Q%1?1^&+)2vJ*s%-dwFKnWNXpE@&>2g-0l74iGV@mJ%<_xza3_tV%#7QaR&N&| zhej!7d!3an7R%m%GY@+8&!`Gd^UJ(|c>(hR<^{|Pm=`cFU|ztyfO!G)0_FwG3z!!$ zFJNB4ynuND^8)4t%nO(oFfU+Uz`THY0rLXp1(hR<^{|Pm=`cF zU|ztyfO!G)0_FwG3z!!$FJNB4ynuND^8)4t%nO(oFfU+Uz`THY0rLXp1(hR<^{|Pm=`cFU|ztyfO!G)0_FwG3z!!$FJNB4ynwnudY@j_3Vs$pc*?7_ z|9_?c%ISbD@)zM5NIBiIMcxCR?I@?Sw#Z@0%o0R7UARTQ2%haJr(?Is3*Z?{Io-WQ z{xdv7D5n#+$REP91LbrL7kN`FY?D$>hjEdI1MfsR-N;2g47i2fae z&A_`+PDgZ+p8_6EIo;Dmeh+we%IUN&^2QY`mI%t}$}aM*z#}QAgS*HxfcK!BZto(` z2Hul$I>U>6Bk(B7=^`)kW59b+PRDtX-vZv7a=O!tyuO#k5=}Xs>_z?>@EFSJdN1;H z;IWj`Az$RPfcK%CZu%l$2Rx2)I`5182=I8y>C!Lqo4^w&r=!2f{VG~4iImg*U*sKu zCs9tPfRXnH-j{N^3XFUv@MOyAKrr%Ez*8uvTfxW=0Z*lz&IThd1)fGZT@XfI(_8Hc zQ%}c)(FZHf+KKK8qfb+w)f1fvx1_-!{`qy&l-wu5TpM~c~(($ zju^e~GvHZA(Pd)v9hGM#MMsL!4^W=96x}OEpQ${nDLP$@ey#GXr|60?`XkD-qN0Pw z=*yL7O+~kj(bug6o>di{IY!@EdDc~Q@fdx&@~o`r_%Zs~%CokjJILraD9`GOP9mc} zsyyo}x{i$gmh!By=uk5H2Jq|F16X6x&1CdllxLMi=abP7QJ!@cT~bD$tvo9&I;xC5 zUwPJAbYB_$3FTRB(Wzzhca>+oMOT;6H?9Jn6&D>~MsHW1H5c7tMn6<}R$X+K8U1|a zS$ENeX7rntXXQo5n$e$Dp0yXn}POjefE6tiR}XH2Q7Iv;Lwp(&&Ftp7j@9ltyo<2A=g79hXMmOnKH{ zbY~iUl=7^<=;So|vC6alqU+P>mnzTtiw;qv-=RF~FS<#M{x{`Wf6;kr^j<#TS%1-` zYV^&OXZ=M-tI z|4eo8tiR~&HTqV{v;LwB*y#Hx&-#mwVWXd`2^uT~R0>n}RUjXqF$)?aj+8+~8pS%1-)ZuHZXXZ=MNyU~BD zJnJty-i`i%@~pq;jyL*i%Cr8WliuiS)B?}?i>`a4Z?8P-FFN#%K2>?vUv%>u{S4(< 
zf6@7G^q(uw`im}sqd%lP>n}PAj=oHJ)?aiV9DVKD;8}mssc`filxO`#SHscwSDy73 z9S}$FRG#%0-4aK?MtRm>bXFXFq4KQ1=)ySqo658PqGRLe>-d6a{Y7`j(Z8xZ>n}P% zj((8xtiR|QIr>@3v;LyPo2;rj((W(tiR~!I{NpNXZ=O@*U@iLp7j@n}PTkN#!lS%1+LdGx)NXZ=M7<(PI!JnJtyUyuHh@~pq;l0Ev$jli@1qNDccUs0a*7u~l< zAFn*?FFJLPezNkczv${c`sK>A{@Usv9C|VhhHi~Tdh~APS%2NFn|pZ^csui#m1q66 zeB{wvbHUq~ui6+q>#ymzD&=N?w=y4~JnOHEuAHb)@E&6+9)JEM#i!_Ve` zw=-YeA3W=?Q5~0rIl$YP4^p1>mwliA%-6tMnNLxk_1C&Lc7)dh?=cqW@&415XZ_VO z`N?~Kr@;N0|4ez-UkQoRbBn;cnEyd})?Xb;7PeUj-pPEa@~pphZ0WK&3%rB*T1~*S z{<`gbxL_c7JM$sRv;KOpzVu=z@HXcADbM=rt&nPy{lHt9pQ$|SuLBt+6K*8K{f%XN zy#H$DS$}0t+t%_&@NVXRRG#%$x5q^_SA%yke?xiJUn5%j=gb7}WZv&N_`n_OuS@wi zv-*K|FyBde)?c$1?Ya~K-p>3$-map7qzm zp`#c40N&H%>3BKbzesu3UuF3b<30oLX8v#GS%0k<7O-qOco*~anu2Hjb*3m|aSC`R z^RFq-`YZ49oRT2$4(1)ov;NxlBr~i!csuiRlxO|rjz8O~Bnj@%{1?iz{%YXUqHsTW zEAz*cXZ^LI((zU+!FwX<{ckJJ`fEV@ocyWa-OM+%foJ`-{Z{8gN#I?~hbqtd>sn0N zkO1&b<};LM{k8pEUT9VD4(8`7&-!awsqc-;iEw}BH!08hYsS**DE8tzszo|Uy zuNBoxeyAB%j0^FbZuasx~HPS0`>bKzS%%4%7_1BL91*`MG+n9f# zJnOI419wDC1aD=&=?malfBn;>(!*Hrp6>Mi-IZtk6+3ppyq4hI%#To>^;co&j3wUS zUCiew&-&|D>&)_t@o<0U3zTR56}L03-Y)PC=Fce){pAgx!?IZJ!=K%4ES7?|)p!2` DBG6lk literal 0 HcmV?d00001 diff --git a/test/e2e/testdata/malicious-plugin/zip_slip.zip b/test/e2e/testdata/malicious-plugin/zip_slip.zip new file mode 100644 index 0000000000000000000000000000000000000000..c0fd13b0ceb5266d16198a5a65c697512afa5d61 GIT binary patch literal 226 zcmWIWW@h1H0D-I$<%l4|-@PnAHVCUQ$S~;X>0?DDxdr;EWtlm8B^4#1A)E}%>I_p; zLAbPnn}Lz#1vAhH5CKvX;LXS+$BfGk36Rwcj6l4k5yZl39Z(R}MplT8Xto7-v$BEA OU Date: Thu, 4 Jan 2024 07:27:00 +0000 Subject: [PATCH 41/88] build(deps): Bump github/codeql-action from 3.22.11 to 3.22.12 (#854) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bd0bd5430..9b6e2b5d5 100644 
--- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 + uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 + uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 657a1b28c..6c6510b20 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 + uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: sarif_file: results.sarif From 7db7fca7db1aa51673bf4fd329d848e1d4c96789 Mon Sep 17 00:00:00 2001 From: Toddy Mladenov Date: Sun, 14 Jan 2024 14:06:23 -0800 Subject: [PATCH 42/88] Updated CODEOWNERS and MAINTAINERS files (#862) Addressing https://github.com/notaryproject/.github/issues/55 https://github.com/notaryproject/.github/issues/56 and https://github.com/notaryproject/.github/issues/57 Signed-off-by: Toddy Mladenov Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- CODEOWNERS | 2 +- MAINTAINERS | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 201450366..204535fab 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -1,3 +1,3 @@ # Repo-Level Owners (in alphabetical order) # Note: This is only for the notaryproject/notation repo -* @gokarnm @JeyJeyGao @justincormack @niazfk @priteshbandi @rgnote @shizhMSFT @stevelasker @Two-Hearts +* @gokarnm @JeyJeyGao @justincormack @niazfk @priteshbandi @rgnote @shizhMSFT @stevelasker @toddysm @Two-Hearts diff --git a/MAINTAINERS b/MAINTAINERS index d2a48ede0..82cfeee2c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2,13 +2,14 @@ # Pattern: [First Name] [Last Name] <[Email Address]> ([GitHub Handle]) Justin Cormack (@justincormack) Niaz Khan (@niazfk) +Pritesh Bandi (@priteshbandi) +Shiwei Zhang (@shizhMSFT) Steve Lasker (@stevelasker) +Toddy Mladenov (@toddysm) # Repo-Level Maintainers (in alphabetical order) # Note: This is for the notaryproject/notation repo Junjie Gao (@JeyJeyGao) Milind Gokarn (@gokarnm) Patrick Zheng (@Two-Hearts) -Pritesh Bandi (@priteshbandi) Rakesh Gariganti (@rgnote) -Shiwei Zhang (@shizhMSFT) From 73affa6318e712053580b754a5471d0d01ae0e60 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jan 2024 15:46:02 +0000 Subject: [PATCH 43/88] build(deps): Bump golang.org/x/term from 0.15.0 to 0.16.0 (#860) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 9759d13ff..116424291 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 - golang.org/x/term v0.15.0 + golang.org/x/term v0.16.0 oras.land/oras-go/v2 v2.3.1 ) @@ -28,5 +28,5 @@ require ( golang.org/x/crypto v0.17.0 // indirect golang.org/x/mod v0.14.0 // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.15.0 // indirect + golang.org/x/sys v0.16.0 // indirect ) diff --git a/go.sum b/go.sum index 72cf4c8e0..31002f138 100644 --- a/go.sum +++ b/go.sum 
@@ -76,15 +76,15 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= From e30df6ceead28dd8209d9aa505a5320dd9fbe066 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 15 Jan 2024 23:47:51 +0800 Subject: [PATCH 44/88] bump: bump up notation-go (#863) Bumping up notation-go Signed-off-by: Patrick Zheng 
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 116424291..4d6690e1a 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.21 require ( github.com/notaryproject/notation-core-go v1.0.1 - github.com/notaryproject/notation-go v1.0.2-0.20231218132318-85a5bb9826c6 + github.com/notaryproject/notation-go v1.0.2-0.20240112021749-b315de42f912 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 diff --git a/go.sum b/go.sum index 31002f138..61c9d5122 100644 --- a/go.sum +++ b/go.sum @@ -20,8 +20,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= -github.com/notaryproject/notation-go v1.0.2-0.20231218132318-85a5bb9826c6 h1:9YgUKLuNU8eNlv2H696aBQzW8CtSjevRgbMGld59wrY= -github.com/notaryproject/notation-go v1.0.2-0.20231218132318-85a5bb9826c6/go.mod h1:nqDueF9YCCX0u41Eec7aGJEXgGdM0a3KD79wqhCnxq0= +github.com/notaryproject/notation-go v1.0.2-0.20240112021749-b315de42f912 h1:7abHy5FOfA4mq47/+0pIg/vjI2xfj9qH6cQ47Vc3arM= +github.com/notaryproject/notation-go v1.0.2-0.20240112021749-b315de42f912/go.mod h1:Sj9N0ZRdwIEHL8ewzMjKFEIcLCJhp0r8h6IoT48Q/8E= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= From a6c8ed70c39070b92180aea7493e24582f92edd8 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 06:25:07 +0000 Subject: [PATCH 45/88] build(deps): Bump actions/cache from 3.3.2 to 3.3.3 (#866) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0bbbdc15b..35919c5b7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -38,7 +38,7 @@ jobs: - name: Check out code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Cache Go modules - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 id: go-mod-cache with: path: ~/go/pkg/mod From b078456424e953cdaa9feb11c9fae166331e1fe6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 06:25:31 +0000 Subject: [PATCH 46/88] build(deps): Bump github/codeql-action from 3.22.12 to 3.23.0 (#865) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9b6e2b5d5..001b7ae15 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6c6510b20..257204cd7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: sarif_file: results.sarif From 87cb8b9e9787e233592659577c575704713243a9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 06:25:35 +0000 Subject: [PATCH 47/88] build(deps): Bump actions/upload-artifact from 4.0.0 to 4.1.0 (#864) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 257204cd7..6700aa923 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -54,7 +54,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # tag=v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # tag=v4.1.0 with: name: SARIF file path: results.sarif From ccd10aad3b45faaf624ccdf8ff74bfb5ac64e3ed Mon Sep 17 00:00:00 2001 
From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Wed, 17 Jan 2024 14:52:15 -0800 Subject: [PATCH 48/88] address comments on the old CX before rewriting the PR for the new CX Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index e91954a27..9f38e7fbf 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -32,7 +32,7 @@ Usage: notation blob sign [flags] Flags: - -d, --signature-directory string optional path where the blob signature needs to be placed (default: currently working directory) + --signature-directory string optional path where the blob signature needs to be placed (default: currently working directory) --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag @@ -84,7 +84,7 @@ Flags: ## Usage -## Produce detached blob signatures +## Produce blob signatures ### Sign a blob by adding a new key @@ -122,7 +122,7 @@ Successfully signed /tmp/my-blob.bin Signature file overwritten to ./my-blob.bin.sig.jws ``` -### Sign a blob with on-demand remote key +### Sign a blob with a plugin ```shell notation blob sign --plugin --id /tmp/my-blob.bin 
@@ -243,7 +243,7 @@ notation blob inspect -o json /tmp/my-blob.bin.sig.jws ``` ## Verify blob signatures -The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trust policy file with Policies scoped to blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. +The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trust policy file with Policies for blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. - The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. - Policy named "skip-blob-verification-policy" is for skipping verification on blob artifacts scoped to `skip-blob-verification-selector`. @@ -324,7 +324,7 @@ An example of output messages for a successful verification: ```text Successfully verified signature /tmp/my-blob.bin.sig.jws -The blob signature is having the following user metadata. +The signature contains the following user metadata: KEY VALUE io.wabbit-networks.buildId 123 @@ -357,8 +357,7 @@ The blob is of media type `application/my-media-octet-stream`. An example of output messages for an unsuccessful verification: ```text -Error: signature verification failed: The blob's media type `application/xyz` and not matching `application/my-media-octet-stream`. -``` +Error: Signature verification failed due to a mismatch in the blob's media type 'application/xyz' and the expected type 'application/my-media-octet-stream'.``` ### Verify the signature using a policy scope From 1155995f6fea62aefeaeef407dfa7a73bed43f29 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Wed, 17 Jan 2024 17:36:48 -0800 Subject: [PATCH 49/88] update blob command to address policy management 
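Review bot: the `@@ -357,8 +357,7 @@` hunk of `specs/commandline/blob.md` in PATCH 48 breaks the code block: the closing fence is appended to the end of the error line (`...'application/my-media-octet-stream'.` followed immediately by three backticks) instead of standing on its own line, so the text block never closes and everything after it, including the `### Verify the signature using a policy scope` heading, renders as code. Keep the closing fence on its own line and only reword the error message.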
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 178 ++++++++++++++++++++++++++++++------ specs/commandline/policy.md | 150 ++++-------------------------- 2 files changed, 167 insertions(+), 161 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 9f38e7fbf..6afe846b4 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
@@ -2,7 +2,51 @@ ## Description -Use `notation blob` command to sign, verify, and inspect signatures associated with arbitrary blobs. Notation can sign and verify any arbitrary bag of bits like zip files, documents, executables, etc. When a user signs a blob, `notation` produces a detached signature, which the user can transport/distribute using any medium that the user prefers along with the original blob. On the verification side, Notation can verify the blob's signature and assert that the blob has not been tampered with during its transmission. For more details on how to create trust policy for verifying blobs, see [trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/signing-and-verification-workflow.md#blob-signing-workflow). +Use `notation blob` command to sign, verify, and inspect signatures associated with arbitrary blobs. Notation can sign and verify any arbitrary bag of bits like zip files, documents, executables, etc. When a user signs a blob, `notation` produces a detached signature, which the user can transport/distribute using any medium that the user prefers along with the original blob. On the verification side, Notation can verify the blob's signature and assert that the blob has not been tampered with during its transmission. + +Users can use `notation blob policy` command to manage trust policies for signed blob verification. The `notation blob policy` command provides a user-friendly way to manage trust policies for signed blobs. It allows users to show trust policy configuration, import/export a trust policy configuration file from/to a JSON file. For more details, see [blob trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#blob-trust-policy). 
+ +User can refer to the below trust policy configuration sample `trustpolicy.blob.json` that is applicable for verifying signed arbitrary blobs using `notation blob verify` command. In this sample, there are three policies configured for different requirements: + +- The Policy named "wabbit-networks-policy" is for verifying blob artifacts signed by Wabbit Networks. +- Policy named "skip-verification-policy" is for skipping verification on blob artifacts. +- Policy "wildcard-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-name` argument in `notation blob verify` command. + +```jsonc +{ + "version": "1.0", + "policyType": "blob", + "trustPolicies": [ + { + "name": "wabbit-networks-policy", + "signatureVerification": { + "level": "strict" + }, + "trustStores": [ + "ca:wabbit-networks", + ], + "trustedIdentities": [ + "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools" + ] + }, + { + "name": "skip-verification-policy", + "signatureVerification": { + "level" : "skip" + } + }, + { + "name": "wildcard-verification-policy", + "wildcardPolicy": true, + "signatureVerification": { + "level" : "audit" + }, + "trustStores": ["ca:acme-rockets"], + "trustedIdentities": ["*"] + } + ] +} +``` ## Outline @@ -16,6 +60,7 @@ Usage: Available Commands: inspect inspect a signature associated with a blob + policy manage trust policy configuration file for signed blobs sign produce a detached signature for a given blob verify verify a signature associated with a blob 
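Review bot: in the `@@ -2,7 +2,51 @@` hunk of `specs/commandline/blob.md`, the sample `trustpolicy.blob.json` has a trailing comma after `"ca:wabbit-networks",` in the `trustStores` array. The block is fenced as jsonc, but the surrounding text tells users this is the file that `notation blob verify` reads and that `notation blob policy import` consumes a JSON file, and a strict JSON parser rejects the trailing comma. Drop the comma so the sample can be imported as-is.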
@@ -62,6 +107,47 @@ Flags: -h, --help help for inspect ``` +### notation blob policy + +```text +Manage trust policy configuration for arbitrary blob signature verification. + +Usage: + notation blob policy [command] + +Available Commands: + import import trust policy configuration from a JSON file + show show trust policy configuration + +Flags: + -h, --help help for policy +``` + +### notation blob policy import + +```text +Import blob trust policy configuration from a JSON file + +Usage: + notation blob policy import [flags] + +Flags: + --force override the existing trust policy configuration, never prompt + -h, --help help for import +``` + +### notation blob policy show + +```text +Show blob trust policy configuration + +Usage: + notation blob policy show [flags] + +Flags: + -h, --help help for show +``` + ### notation blob verify ```text @@ -73,7 +159,7 @@ Usage: Flags: -s, --signature string location of the blob signature file --media-type string optional media type of the blob to verify - --policy-scope string optional policy scope to verify against. If not provided, notation verifies against wildcard policy if it exists. + --policy-name string optional policy name to verify against. If not provided, notation verifies against the wildcard policy if it exists. -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values -o, --output string output format, options: 'json', 'text' (default "text") 
@@ -242,22 +328,66 @@ Inspecting /tmp/my-blob.bin.sig.jws notation blob inspect -o json /tmp/my-blob.bin.sig.jws ``` +### Import blob trust policy configuration from a JSON file + +An example of import trust policy configuration from a JSON file: + +```shell +notation blob policy import ./my_policy.json +``` + +The trust policy configuration in the JSON file should be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policy configuration are imported successfully. Error logs including the reason should be printed out if the importing fails. + +If there is an existing trust policy configuration, prompt for users to confirm whether discarding existing configuration or not. Users can use `--force` flag to discard existing trust policy configuration without prompt. + +### Show blob trust policies + +Use the following command to show trust policy configuration: + +```shell +notation blob policy show +``` + +Upon successful execution, the trust policy configuration is printed out to standard output. If trust policy is not configured or is malformed, users should receive an error message via standard error output, and a tip to import trust policy configuration from a JSON file. + +### Export blob trust policy configuration into a JSON file + +Users can redirect the output of command `notation blob policy show` to a JSON file. + +```shell +notation blob policy show > ./blob_trust_policy.json +``` + +### Update trust policy configuration + +The steps to update blob trust policy configuration: + +1. Export trust policy configuration into a JSON file. + + ```shell + notation blob policy show > ./blob_trust_policy.json + ``` + +2. Edit the exported JSON file "blob_trust_policy.json", update trust policy configuration and save the file. +3. Import trust policy configuration from the file. 
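Review bot: in the `@@ -242,22 +328,66 @@` hunk, the link target `https://github.com/notaryproject/notaryproject/specs/trust-store-trust-policy.md#trust-policy-properties` is missing the `blob/<ref>/` path segment a GitHub file URL needs (the version it replaces in policy.md had `blob/v1.0.0-rc.2/`), and it points at the `notaryproject/notaryproject` repository while every other link in this patch uses `notaryproject/specifications/blob/main/...`. Use the same base as the Description section and check that the `#trust-policy-properties` anchor still exists, since the other links added here use `#oci-trust-policy` and `#blob-trust-policy`. Also, the import paragraph is copied verbatim from policy.md; it should say which file `notation blob policy import` writes (`trustpolicy.blob.json`, per the Verify section) so readers know it does not touch the OCI policy.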
+ + ```shell + notation blob policy import ./blob_trust_policy.json + ``` + ## Verify blob signatures -The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trust policy file with Policies for blobs. Below are three examples of how a policy configuration file can be setup for verifying blob signatures. +The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trust policy file `trustpolicy.blob.json` with Policies for blobs. Below are two examples of how a policy configuration file can be setup for verifying blob signatures. -- The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. -- Policy named "skip-blob-verification-policy" is for skipping verification on blob artifacts scoped to `skip-blob-verification-selector`. -- Policy "wildcard-blob-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-scope` argument in `notation blob verify` command. +- The Policy named "wabbit-networks-policy" is for verifying blob artifacts signed by Wabbit Networks. +- Policy "wildcard-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-name` argument in `notation blob verify` command. ```jsonc { - "version": "1.1", + "version": "1.0", + "policyType": "blob", "trustPolicies": [ { - "name": "blob-verification-policy", - "scopes": [ - "blob:blob-verification-selector" - ], + "name": "wabbit-networks-policy", "signatureVerification": { "level": "strict" }, 
@@ -269,15 +399,8 @@ The `notation blob verify` command can be used to verify blob signatures. In ord ] }, { - "name": "skip-blob-verification-policy", - "scopes": [ "blob:skip-blob-verification-selector" ], - "signatureVerification": { - "level" : "skip" - } - }, - { - "name": "wildcard-blob-verification-policy", - "scopes": [ "blob:*" ], + "name": "wildcard-verification-policy", + "wildcardPolicy": true, "signatureVerification": { "level" : "audit" }, @@ -298,7 +421,7 @@ Configure trust store and trust policy properly before using `notation blob veri # Configure trust store by adding a certificate file into trust store named "wabbit-network" of type "ca" notation certificate add --type ca --store wabbit-networks wabbit-networks.crt -# Create a JSON file named "trustpolicy.json" under directory "{NOTATION_CONFIG}". +# Create a JSON file named "trustpolicy.blob.json" under directory "{NOTATION_CONFIG}". # Verify the blob signature notation blob verify --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin 
@@ -357,24 +480,25 @@ The blob is of media type `application/my-media-octet-stream`. An example of output messages for an unsuccessful verification: ```text -Error: Signature verification failed due to a mismatch in the blob's media type 'application/xyz' and the expected type 'application/my-media-octet-stream'.``` +Error: Signature verification failed due to a mismatch in the blob's media type 'application/xyz' and the expected type 'application/my-media-octet-stream'. +``` -### Verify the signature using a policy scope +### Verify the signature using a policy name -Use the `--policy-scope` flag to select a policy scope to verify the signature against. +Use the `--policy-name` flag to select a policy to verify the signature against. ```shell -notation blob verify --policy-scope blob-verification-selector --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin +notation blob verify --policy-name wabbit-networks-policy --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob.bin.sig.jws using policy scope `blob-verification-selector` +Successfully verified signature /tmp/my-blob.bin.sig.jws using policy `wabbit-networks-policy` ``` An example of output messages for an unsuccessful verification: ```text -Error: signature verification failed for policy scope `blob-verification-selector` +Error: signature verification failed for policy `wabbit-networks-policy` ``` \ No newline at end of file diff --git a/specs/commandline/policy.md b/specs/commandline/policy.md index 07e72ff87..905e19464 100644 --- a/specs/commandline/policy.md +++ b/specs/commandline/policy.md 
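Review bot: the `@@ -357,24 +480,25 @@` hunk correctly restores the closing fence that PATCH 48 fused onto the error line. While here, add the missing trailing newline (`\ No newline at end of file`) so future diffs against blob.md stay clean.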
@@ -2,9 +2,11 @@ ## Description -As part of signature verification workflow of signed OCI artifacts or blobs, users need to configure the trust policy configuration file to specify trusted identities that signed the artifacts, the level of signature verification to use and other settings. For more details, see [trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#trust-policy). +As part of signature verification workflow of signed OCI artifacts, users need to configure trust policy configuration file to specify trusted identities that signed the artifacts, the level of signature verification to use and other settings. For more details, see [OCI trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#oci-trust-policy). -The `notation policy` command provides a user-friendly way to manage trust policies. It allows users to show trust policy configuration, import/export a trust policy configuration file from/to a JSON file. To get started, user can refer to the following trust policy configuration sample. In this sample, there are four policies configured for different requirements: +The `notation policy` command provides a user-friendly way to manage trust policies for signed OCI images. It allows users to show trust policy configuration, import/export a trust policy configuration file from/to a JSON file. Users who want to manage trust policies for signed arbitrary blobs, please refer to `notation blob policy` command. + +To get started, user can refer to the following trust policy configuration sample `trustpolicy.json` that is applicable for verifying signed OCI artifacts using `notation verify` command. 
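Review bot: grammar in the `@@ -2,9 +2,11 @@` hunk of `specs/commandline/policy.md`: `configure trust policy configuration file` dropped the article the replaced line had (`configure the trust policy configuration file`), and `Users who want to manage trust policies for signed arbitrary blobs, please refer to` is a dangling clause. Suggest: `To manage trust policies for signed arbitrary blobs, use the notation blob policy command instead.`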
In this sample, there are four policies configured for different requirements: - The Policy named "wabbit-networks-images" is for verifying OCI artifacts signed by Wabbit Networks and stored in two repositories `registry.acme-rockets.io/software/net-monitor` and `registry.acme-rockets.io/software/net-logger`. - Policy named "unsigned-image" is for skipping the verification on unsigned OCI artifacts stored in repository `registry.acme-rockets.io/software/unsigned/net-utils`. 
@@ -67,132 +69,12 @@ The `notation policy` command provides a user-friendly way to manage trust polic } ``` -Policy language version 1.1 added support for verifying signatures associated with blob artifacts. User can use `scopes` field as a Policy selector string to decide which Policy gets applied to which blob. The `--policy-scope` argument provided in `notation blob verify` command will dictate which Policy gets picked from the policy configuration file and applied for verification. To get started with verifying blob signatures, users can refer to the following trust policy configuration sample. In this sample, there are three policies configured for different requirements: - -- The Policy named "blob-verification-policy" is for verifying blob artifacts signed by Wabbit Networks and scoped to `blob-verification-selector`. -- Policy named "skip-blob-verification-policy" is for skipping verification on blob artifacts scoped to `skip-blob-verification-selector`. -- Policy "wildcard-blob-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-scope` argument in `notation blob verify` command. 
- -```jsonc -{ - "version": "1.1", - "trustPolicies": [ - { - "name": "blob-verification-policy", - "scopes": [ - "blob:blob-verification-selector" - ], - "signatureVerification": { - "level": "strict" - }, - "trustStores": [ - "ca:wabbit-networks", - ], - "trustedIdentities": [ - "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools" - ] - }, - { - "name": "skip-blob-verification-policy", - "scopes": [ "blob:skip-blob-verification-selector" ], - "signatureVerification": { - "level" : "skip" - } - }, - { - "name": "wildcard-blob-verification-policy", - "scopes": [ "blob:*" ], - "signatureVerification": { - "level" : "audit" - }, - "trustStores": ["ca:acme-rockets"], - "trustedIdentities": ["*"] - } - ] -} -``` - -Note: Policy version 1.1 replaced the field `registryScopes` from version 1.0 with `scopes`. The new field accepts values with prefixes `oci` or `blob` to limit a scope value to either OCI signature verification or Blob signature verification. While scope values with `blob` prefix can be alpha-numeric text with `-` and `_` characters, values with `oci` prefix must be valid OCI references. `notation` supports both policy language versions 1.0 and 1.1. However, `notation` rejects policy configuration files with mixed terminology i.e. both `registryScopes` and `scopes` defined in a single configuration file. Users migrating from 1.0 to 1.1 can simply rename `registryScopes` to `scopes` and prefix the values with `oci`. -Below is a sample Policy configuration file that verifies OCI artifacts using `scopes` field. 
- -```jsonc -{ - "version": "1.1", - "trustPolicies": [ - { - "name": "wabbit-networks-images", - "scopes": [ - "oci:registry.acme-rockets.io/software/net-monitor", - "oci:registry.acme-rockets.io/software/net-logger" - ], - "signatureVerification": { - "level": "strict" - }, - "trustStores": [ - "ca:wabbit-networks", - ], - "trustedIdentities": [ - "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools" - ] - }, - { - "name": "unsigned-image", - "scopes": [ "oci:registry.acme-rockets.io/software/unsigned/net-utils" ], - "signatureVerification": { - "level" : "skip" - } - }, - { - "name": "allow-expired-images", - "scopes": [ "oci:registry.acme-rockets.io/software/legacy/metrics" ], - "signatureVerification": { - "level" : "strict", - "override" : { - "expiry" : "log" - } - }, - "trustStores": ["ca:acme-rockets"], - "trustedIdentities": ["*"] - }, - { - "name": "global-policy-for-all-other-images", - "scopes": [ "oci:*" ], - "signatureVerification": { - "level": "strict" - }, - "trustStores": [ - "ca:acme-rockets" - ], - "trustedIdentities": [ - "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, CN=SecureBuilder" - ] - }, - { - "name": "skip-blob-verification-policy", - "scopes": [ "blob:skip-blob-verification-selector" ], - "signatureVerification": { - "level" : "skip" - } - }, - { - "name": "wildcard-blob-verification-policy", - "scopes": [ "blob:*" ], - "signatureVerification": { - "level" : "audit" - }, - "trustStores": ["ca:acme-rockets"], - "trustedIdentities": ["*"] - } - ] -} -``` - ## Outline ### notation policy command ```text -Manage trust policy configuration for signature verification. +Manage trust policy configuration for OCI image signature verification. Usage: notation policy [command] 
@@ -208,12 +90,12 @@ Flags: ### notation policy import ```text -Import trust policy configuration from a JSON file +Import OCI trust policy configuration from a JSON file Usage: notation policy import [flags] -Flags: +Flags: --force override the existing trust policy configuration, never prompt -h, --help help for import ``` @@ -221,7 +103,7 @@ Flags: ### notation policy show ```text -Show trust policy configuration +Show OCI trust policy configuration Usage: notation policy show [flags] @@ -240,7 +122,7 @@ An example of import trust policy configuration from a JSON file: notation policy import ./my_policy.json ``` -The trust policy configuration in the JSON file should be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policy configuration are imported successfully. Error logs including the reason should be printed out if the importing fails. +The trust policy configuration in the JSON file should be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policy configuration are imported successfully. Error logs including the reason should be printed out if the importing fails. If there is an existing trust policy configuration, prompt for users to confirm whether discarding existing configuration or not. Users can use `--force` flag to discard existing trust policy configuration without prompt. 
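Review bot: the `@@ -240,7 +122,7 @@` hunk replaces a working link (`.../notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy-properties`) with `https://github.com/notaryproject/notaryproject/specs/trust-store-trust-policy.md#trust-policy-properties`, which lacks the `blob/<ref>/` segment and so will not resolve. Point it at `notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md` like the Description section, and use the identical target in blob.md so the two pages do not diverge.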
@@ -252,29 +134,29 @@ Use the following command to show trust policy configuration: notation policy show ``` -Upon successful execution, the trust policy configuration are printed out to standard output. If trust policy is not configured or is malformed, users should receive an error message via standard error output, and a tip to import trust policy configuration from a JSON file. +Upon successful execution, the trust policy configuration is printed out to standard output. If trust policy is not configured or is malformed, users should receive an error message via standard error output, and a tip to import trust policy configuration from a JSON file. -### Export trust policy configuration into a JSON file +### Export OCI trust policy configuration into a JSON file Users can redirect the output of command `notation policy show` to a JSON file. ```shell -notation policy show > ./trust_policy.json +notation policy show > ./oci_trust_policy.json ``` ### Update trust policy configuration -The steps to update trust policy configuration: +The steps to update OCI trust policy configuration: 1. Export trust policy configuration into a JSON file. ```shell - notation policy show > ./trust_policy.json + notation policy show > ./oci_trust_policy.json ``` -2. Edit the exported JSON file "trust_policy.json", update trust policy configuration and save the file. +2. Edit the exported JSON file "oci_trust_policy.json", update trust policy configuration and save the file. 3. Import trust policy configuration from the file. ```shell - notation policy import ./trust_policy.json + notation policy import ./oci_trust_policy.json ``` From 4099f17f3fb6bfbe2a2ef7854bf29e0b7dac2a70 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 26 Jan 2024 12:59:26 -0800 Subject: [PATCH 50/88] fix typos Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/notation-cli.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/specs/notation-cli.md b/specs/notation-cli.md index 8d375e477..849438fa0 100644 --- a/specs/notation-cli.md +++ b/specs/notation-cli.md @@ -28,17 +28,17 @@ Usage: notation [command] Available Commands: + blob Sign, verify and inspect signatures associated with blobs certificate Manage certificates in trust store + inspect Inspect all signatures associated with a signed OCI artifact key Manage keys used for signing list List signatures of a signed OCI artifact login Log into OCI registries logout Log out from the logged in OCI registries plugin Manage plugins - policy Manage trust policy configuration for signature verification + policy Manage trust policy configuration for OCI signature verification sign Sign OCI artifacts verify Verify OCI artifacts - blobs Sign, verify and inspect singatures associated with blobs - inspect Inspect all signatures associated with a signed OCI artifact version Show the notation version information Flags: From 999f3c2a751dd14c190bf96b7a2421e395b44627 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Fri, 26 Jan 2024 13:47:50 -0800 Subject: [PATCH 51/88] Fix sub-command order Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/notation-cli.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/specs/notation-cli.md b/specs/notation-cli.md index 849438fa0..24e83f12a 100644 --- a/specs/notation-cli.md +++ b/specs/notation-cli.md 
@@ -6,17 +6,17 @@ This spec contains reference information on using notation commands. Each comman | Command | Description | | ------------------------------------------- | ---------------------------------------------------------------------- | +| [blob](./commandline/blob.md) | Sign, verify and inspect singatures associated with blobs | | [certificate](./commandline/certificate.md) | Manage certificates in trust store | +| [inspect](./commandline/inspect.md) | Inspect OCI signatures | | [key](./commandline/key.md) | Manage keys used for signing | | [list](./commandline/list.md) | List signatures of a signed OCI artifact | | [login](./commandline/login.md) | Log into OCI registries | | [logout](./commandline/logout.md) | Log out from the logged in OCI registries | | [plugin](./commandline/plugin.md) | Manage plugins | -| [policy](./commandline/policy.md) | Manage trust policy configuration for signature verification | +| [policy](./commandline/policy.md) | Manage trust policy configuration for OCI signature verification | | [sign](./commandline/sign.md) | Sign OCI artifacts | | [verify](./commandline/verify.md) | Verify OCI artifacts | -| [inspect](./commandline/inspect.md) | Inspect OCI signatures | -| [blob](./commandline/blob.md) | Sign, verify and inspect singatures associated with blobs | | [version](./commandline/version.md) | Print the version of notation CLI | ## Notation Outline From a5bebbd45156fbf0a749e531bba9726f65ec1553 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Wed, 31 Jan 2024 17:38:15 -0800 Subject: [PATCH 52/88] remove policyType field from trust policies Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 4 +--- specs/commandline/verify.md | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 6afe846b4..1bf4e18f4 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
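Review bot: the row added in the `@@ -6,17 +6,17 @@` hunk of `specs/notation-cli.md` carries over the typo `singatures` (`Sign, verify and inspect singatures associated with blobs`), the same one PATCH 50 just fixed in the `Available Commands` listing of this file; fix it in the moved row rather than moving the typo to the top of the table. Also, the table describes inspect as `Inspect OCI signatures` while the command listing says `Inspect all signatures associated with a signed OCI artifact`; pick one wording.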
@@ -15,7 +15,6 @@ User can refer to the below trust policy configuration sample `trustpolicy.blob. ```jsonc { "version": "1.0", - "policyType": "blob", "trustPolicies": [ { "name": "wabbit-networks-policy", @@ -53,7 +52,7 @@ User can refer to the below trust policy configuration sample `trustpolicy.blob. ### notation blob command ```text -Sign, inspect, and verify signatures associated with arbitrary blobs. +Sign, inspect, and verify signatures and setup trust policies. Usage: notation blob [command] @@ -384,7 +383,6 @@ The `notation blob verify` command can be used to verify blob signatures. In ord ```jsonc { "version": "1.0", - "policyType": "blob", "trustPolicies": [ { "name": "wabbit-networks-policy", diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 23ddfb46b..943e7bcd3 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -62,7 +62,7 @@ Use `notation certificate` command to configure trust stores. ### Configure Trust Policy -Users who consume signed artifact from a registry use the trust policy to specify trusted identities which sign the artifacts, and level of signature verification to use. The trust policy is a JSON document. User needs to create a file named `trustpolicy.json` under `{NOTATION_CONFIG}`. See [Notation Directory Structure](https://notaryproject.dev/docs/user-guides/how-to/directory-structure/) for `{NOTATION_CONFIG}`. +Users who consume signed artifact from a registry use the trust policy to specify trusted identities which sign the artifacts, and level of signature verification to use. The trust policy is a JSON document. User needs to create a file named `trustpolicy.json` or `trustpolicy.oci.json` under `{NOTATION_CONFIG}`. See [Notation Directory Structure](https://notaryproject.dev/docs/user-guides/how-to/directory-structure/) for `{NOTATION_CONFIG}`. An example of `trustpolicy.json`: From d41bdb4795ab2a9a486bf26d27af304d6a4e12d5 Mon Sep 17 00:00:00 2001 
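Review bot: removing `policyType` in the `@@ -15,7 +15,6 @@` and `@@ -384,7 +383,6 @@` hunks of blob.md leaves nothing inside a policy document that says whether it is an OCI or a blob policy; the two are now told apart only by filename (`trustpolicy.json` / `trustpolicy.oci.json` versus `trustpolicy.blob.json`). The spec should state what `notation blob policy import` does when handed a file containing `registryScopes`, and what `notation policy import` does with one containing `wildcardPolicy`, so a file imported into the wrong slot fails closed instead of silently becoming a policy that never matches. In the verify.md hunk, `trustpolicy.json` or `trustpolicy.oci.json` is offered without saying which one wins when both exist; state the precedence. Minor: `setup trust policies` in the blob command description should be `set up`.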
From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Wed, 7 Feb 2024 17:16:52 -0800 Subject: [PATCH 53/88] address comments Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 90 +++++++++++++++++++-------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 1bf4e18f4..329656ddb 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
@@ -4,13 +4,13 @@ Use `notation blob` command to sign, verify, and inspect signatures associated with arbitrary blobs. Notation can sign and verify any arbitrary bag of bits like zip files, documents, executables, etc. When a user signs a blob, `notation` produces a detached signature, which the user can transport/distribute using any medium that the user prefers along with the original blob. On the verification side, Notation can verify the blob's signature and assert that the blob has not been tampered with during its transmission. -Users can use `notation blob policy` command to manage trust policies for signed blob verification. The `notation blob policy` command provides a user-friendly way to manage trust policies for signed blobs. It allows users to show trust policy configuration, import/export a trust policy configuration file from/to a JSON file. For more details, see [blob trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#blob-trust-policy). +Users can use `notation blob policy` command to manage trust policies for verifying a blob signature. The `notation blob policy` command provides a user-friendly way to manage trust policies for signed blobs. It allows users to show trust policy configuration, import/export a trust policy configuration file from/to a JSON file. For more details, see [blob trust policy specification and examples](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#blob-trust-policy). -User can refer to the below trust policy configuration sample `trustpolicy.blob.json` that is applicable for verifying signed arbitrary blobs using `notation blob verify` command. In this sample, there are three policies configured for different requirements: +The sample trust policy file (`trustpolicy.blob.json`) for verifying signed blobs is shown below. 
This sample trust policy file, contains three different statements for different usecases: - The Policy named "wabbit-networks-policy" is for verifying blob artifacts signed by Wabbit Networks. - Policy named "skip-verification-policy" is for skipping verification on blob artifacts. -- Policy "wildcard-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-name` argument in `notation blob verify` command. +- Policy "global-verification-policy" is for auditing verification results when user does not provide `--policy-name` argument in `notation blob verify` command. ```jsonc { @@ -35,8 +35,8 @@ User can refer to the below trust policy configuration sample `trustpolicy.blob. } }, { - "name": "wildcard-verification-policy", - "wildcardPolicy": true, + "name": "global-verification-policy", + "globalPolicy": true, "signatureVerification": { "level" : "audit" }, @@ -52,14 +52,14 @@ User can refer to the below trust policy configuration sample `trustpolicy.blob. ### notation blob command ```text -Sign, inspect, and verify signatures and setup trust policies. +Sign, inspect, and verify signatures and configure trust policies. Usage: notation blob [command] Available Commands: inspect inspect a signature associated with a blob - policy manage trust policy configuration file for signed blobs + policy manage trust policy configuration for signed blobs sign produce a detached signature for a given blob verify verify a signature associated with a blob 
@@ -76,7 +76,7 @@ Usage: notation blob sign [flags] Flags: - --signature-directory string optional path where the blob signature needs to be placed (default: currently working directory) + --signature-directory string optional path where the blob signature needs to be placed (default: currently working directory) --media-type string optional media type of the blob (default: "application/octet-stream") -e, --expiry duration optional expiry that provides a "best by use" time for the blob. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag @@ -158,7 +158,7 @@ Usage: Flags: -s, --signature string location of the blob signature file --media-type string optional media type of the blob to verify - --policy-name string optional policy name to verify against. If not provided, notation verifies against the wildcard policy if it exists. + --policy-name string optional policy name to verify against. If not provided, notation verifies against the global policy if it exists. -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values -o, --output string output format, options: 'json', 'text' (default "text") 
@@ -287,38 +287,36 @@ notation blob inspect /tmp/my-blob.bin.sig.jws An example output: ```shell -Inspecting /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin.sig.jws └── application/octet-stream - ├── sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa - ├── signature algorithm: RSASSA-PSS-SHA-256 - ├── signature format: jws - ├── signed attributes - │ ├── content type: application/vnd.cncf.notary.payload.v1+json - │ ├── signing scheme: notary.signingAuthority.x509 - │ ├── signing time: Fri Jun 23 22:04:01 2023 - │ ├── expiry: Sat Jun 29 22:04:01 2024 - │ └── io.cncf.notary.verificationPlugin: com.example.nv2plugin - ├── unsigned attributes - │ ├── io.cncf.notary.timestampSignature: - │ └── io.cncf.notary.signingAgent: notation/1.0.0 - ├── certificates - │ ├── SHA256 fingerprint: b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d - │ │ ├── issued to: wabbit-com Software - │ │ ├── issued by: wabbit-com Software Root Certificate Authority - │ │ └── expiry: Sun Jul 06 20:50:17 2025 - │ ├── SHA256 fingerprint: 4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89 - │ │ ├── issued to: wabbit-com Software Code Signing PCA 2010 - │ │ ├── issued by: wabbit-com Software Root Certificate Authority - │ │ └── expiry: Sun Jul 06 20:50:17 2025 - │ └── SHA256 fingerprint: ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536 - │ ├── issued to: wabbit-com Software Root Certificate Authority - │ ├── issued by: wabbit-com Software Root Certificate Authority - │ └── expiry: Sat Jun 23 22:04:01 2035 - └── signed artifact - ├── media type: application/vnd.oci.image.manifest.v1+json - ├── digest: sha256:b94d27b9934d3e08a52e52d7da7fac484efe37a5380ee9088f7ace2efcde9 - └── size: 16724 + ├── signature algorithm: RSASSA-PSS-SHA-256 + ├── signature envelope type: jws + ├── signed attributes + │ ├── content type: application/vnd.cncf.notary.payload.v1+json + │ ├── signing scheme: notary.signingAuthority.x509 + │ ├── signing time: Fri Jun 23 
22:04:01 2023 + │ ├── expiry: Sat Jun 29 22:04:01 2024 + │ └── io.cncf.notary.verificationPlugin: com.example.nv2plugin + ├── unsigned attributes + │ ├── io.cncf.notary.timestampSignature: + │ └── io.cncf.notary.signingAgent: notation/1.0.0 + ├── certificates + │ ├── SHA256 fingerprint: b13a843be16b1f461f08d61c14f3eab7d87c073570da077217541a7eb31c084d + │ │ ├── issued to: wabbit-com Software + │ │ ├── issued by: wabbit-com Software Root Certificate Authority + │ │ └── expiry: Sun Jul 06 20:50:17 2025 + │ ├── SHA256 fingerprint: 4b9fa61d5aed0fabbc7cb8fe2efd049da57957ed44f2b98f7863ce18effd3b89 + │ │ ├── issued to: wabbit-com Software Code Signing PCA 2010 + │ │ ├── issued by: wabbit-com Software Root Certificate Authority + │ │ └── expiry: Sun Jul 06 20:50:17 2025 + │ └── SHA256 fingerprint: ea3939548ad0c0a86f164ab8b97858854238c797f30bddeba6cb28688f3f6536 + │ ├── issued to: wabbit-com Software Root Certificate Authority + │ ├── issued by: wabbit-com Software Root Certificate Authority + │ └── expiry: Sat Jun 23 22:04:01 2035 + └── signed artifact + ├── media type: application/octet-stream + ├── digest: sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + └── size: 16724 ``` ### Inspect the given blob signature with JSON Output @@ -327,6 +325,8 @@ Inspecting /tmp/my-blob.bin.sig.jws notation blob inspect -o json /tmp/my-blob.bin.sig.jws ``` +## Import/Export trust policy configuration files + ### Import blob trust policy configuration from a JSON file An example of import trust policy configuration from a JSON file: 
@@ -335,7 +335,7 @@ An example of import trust policy configuration from a JSON file: notation blob policy import ./my_policy.json ``` -The trust policy configuration in the JSON file should be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policy configuration are imported successfully. Error logs including the reason should be printed out if the importing fails. +The trust policy configuration in the JSON file should be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/specs/trust-store-trust-policy.md#blob-trust-policy). A successful message should be printed out if trust policy configuration are imported successfully. Error logs including the reason should be printed out if the importing fails. If there is an existing trust policy configuration, prompt for users to confirm whether discarding existing configuration or not. Users can use `--force` flag to discard existing trust policy configuration without prompt. @@ -378,7 +378,7 @@ The steps to update blob trust policy configuration: The `notation blob verify` command can be used to verify blob signatures. In order to verify signatures, user will need to setup a trust policy file `trustpolicy.blob.json` with Policies for blobs. Below are two examples of how a policy configuration file can be setup for verifying blob signatures. - The Policy named "wabbit-networks-policy" is for verifying blob artifacts signed by Wabbit Networks. -- Policy "wildcard-verification-policy" is for auditing verification results when user wants to apply a wildcard policy by not providing `--policy-name` argument in `notation blob verify` command. +- Policy named "global-verification-policy" is for auditing verification results when user doesn't not provide `--policy-name` argument in `notation blob verify` command. ```jsonc { 
@@ -397,8 +397,8 @@ The `notation blob verify` command can be used to verify blob signatures. In ord ] }, { - "name": "wildcard-verification-policy", - "wildcardPolicy": true, + "name": "global-verification-policy", + "globalPolicy": true, "signatureVerification": { "level" : "audit" }, @@ -415,11 +415,11 @@ Configure trust store and trust policy properly before using `notation blob veri ```shell -# Prerequisites: Signature is produced on the filesystem from `notation blob sign` command. +# Prerequisites: Blob and its associated signature is present on the filesystem. # Configure trust store by adding a certificate file into trust store named "wabbit-network" of type "ca" notation certificate add --type ca --store wabbit-networks wabbit-networks.crt -# Create a JSON file named "trustpolicy.blob.json" under directory "{NOTATION_CONFIG}". +# Setup the trust policy in a JSON file named "trustpolicy.blob.json" under directory "{NOTATION_CONFIG}". # Verify the blob signature notation blob verify --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin From 8dd04570f5fe14768493136324f73254e5964ca5 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 8 Feb 2024 12:46:51 -0800 Subject: [PATCH 54/88] Update specs/commandline/blob.md Co-authored-by: Pritesh Bandi Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 1 - 1 file changed, 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 329656ddb..bb7c767f2 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -288,7 +288,6 @@ notation blob inspect /tmp/my-blob.bin.sig.jws An example output: ```shell /tmp/my-blob.bin.sig.jws -└── application/octet-stream ├── signature algorithm: RSASSA-PSS-SHA-256 ├── signature envelope type: jws ├── signed attributes 
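Review bot: in PATCH 53, hunk @@ -4,13, the rewritten line "The sample trust policy file (`trustpolicy.blob.json`) for verifying signed blobs is shown below." is immediately followed by the unchanged "This sample trust policy file, contains three different statements for different usecases:", which repeats it and carries a stray comma and "usecases"; merge the two into one sentence, for example "The sample trust policy file `trustpolicy.blob.json` below contains three statements for different use cases:". The three bullets also introduce the statements three different ways ("The Policy named", "Policy named", "Policy"); use one form.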
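Review bot: in PATCH 53, hunk @@ -158,7, the new `--policy-name` text ("If not provided, notation verifies against the global policy if it exists") leaves unspecified what happens when neither `--policy-name` is given nor a `globalPolicy` statement exists; state explicitly that verification fails with an error in that case, since a verifier's fail-closed behaviour should be documented rather than inferred.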
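Review bot: in PATCH 53, hunk @@ -287,38, the `└── application/octet-stream` line is kept as the tree root even though the media type and digest now live under the new `signed artifact` node, so the media type appears twice and every signature attribute hangs off a node that no longer describes them; drop that root line and attach `signature algorithm`, `signed attributes`, `certificates` and `signed artifact` directly under `/tmp/my-blob.bin.sig.jws`. The block is also fenced as ```shell although it is program output; the verify examples in this file fence output as ```text.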
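Review bot: in PATCH 53, hunk @@ -335,7, the updated link `https://github.com/notaryproject/notaryproject/specs/trust-store-trust-policy.md#blob-trust-policy` points at a repository named `notaryproject/notaryproject` and omits the `blob/main/` path segment, while the Description hunk in this same patch links `https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#blob-trust-policy`; use the same URL in both places. In the same line, "if trust policy configuration are imported successfully" should read "is imported successfully".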
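Review bot: in PATCH 53, hunk @@ -378,7, the added bullet contains a double negative, "when user doesn't not provide `--policy-name`"; change it to "when the user does not provide `--policy-name`", matching the wording already used for the same bullet in hunk @@ -4,13.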
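Review bot: in PATCH 53, hunk @@ -415,11, the added comment "# Prerequisites: Blob and its associated signature is present on the filesystem." needs "are present", and "# Setup the trust policy ..." should be "Set up" as a verb. The unchanged context line in the same block says the trust store is named "wabbit-network" while the command that follows runs `notation certificate add --type ca --store wabbit-networks`; align the comment with the store name the command actually uses.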
From bcdb44a1c352c9dc845b1ca859c3f7dc4e3a5c91 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Thu, 8 Feb 2024 15:29:54 -0800 Subject: [PATCH 55/88] remove --signature's short-hand flag Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index bb7c767f2..29307c0a3 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -156,7 +156,7 @@ Usage: notation blob verify [flags] --signature Flags: - -s, --signature string location of the blob signature file + --signature string location of the blob signature file --media-type string optional media type of the blob to verify --policy-name string optional policy name to verify against. If not provided, notation verifies against the global policy if it exists. -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided From 3d70c29dfe14ac8bcd73653104d71e8a2fd62f37 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:03:37 -0800 Subject: [PATCH 56/88] Update specs/commandline/policy.md Co-authored-by: Yi Zha Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/policy.md b/specs/commandline/policy.md index 905e19464..806c5479f 100644 --- a/specs/commandline/policy.md +++ b/specs/commandline/policy.md 
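Review bot: in PATCH 55, hunk @@ -156,7, dropping the `-s` short-hand is fine, but the Usage line in the hunk context (`notation blob verify [flags] --signature`) shows `--signature` as mandatory while its description ("location of the blob signature file") does not say so; add "(required)" to the description the way `--id` already states "required if --plugin is set", so the flag table is self-describing.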
@@ -74,7 +74,7 @@ To get started, user can refer to the following trust policy configuration sampl ### notation policy command ```text -Manage trust policy configuration for OCI image signature verification. +Manage trust policy configuration for OCI artifact signature verification. Usage: notation policy [command] From 0b09a80ad2b2279b7d917e173bf19427b4fe3030 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:03:51 -0800 Subject: [PATCH 57/88] Update specs/commandline/blob.md Co-authored-by: Yi Zha Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 29307c0a3..434727e12 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -158,7 +158,7 @@ Usage: Flags: --signature string location of the blob signature file --media-type string optional media type of the blob to verify - --policy-name string optional policy name to verify against. If not provided, notation verifies against the global policy if it exists. + --policy-name string optional policy name to verify against. If not provided, notation verifies against the global policy if it exists. -m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values -o, --output string output format, options: 'json', 'text' (default "text") From 688bb2c30937cad5cbf4e381bb9d737fb6d66421 Mon Sep 17 00:00:00 2001 
From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:04:01 -0800 Subject: [PATCH 58/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 434727e12..8176d41d3 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -190,7 +190,7 @@ An example for a successful signing: ```console $ notation blob sign /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature file written to ./my-blob.bin.sig.jws +Signature file written to my-blob.bin.sig.jws ``` ### Sign a blob by generating the signature in a particular directory From a5f3afcd436109978a7d5cc403e173e30a118455 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:04:09 -0800 Subject: [PATCH 59/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 8176d41d3..7b2ab04f3 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -194,7 +194,7 @@ Signature file written to my-blob.bin.sig.jws ``` ### Sign a blob by generating the signature in a particular directory -```shell +```console $ notation blob sign --signature-directory /tmp/xyz/sigs /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin Signature file written to /tmp/xyz/sigs/my-blob.bin.sig.jws From 70c8f477003d1d0556219a502e71c6f51c33c74b Mon Sep 17 00:00:00 2001 
From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:04:17 -0800 Subject: [PATCH 60/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 7b2ab04f3..727799493 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -201,7 +201,7 @@ Signature file written to /tmp/xyz/sigs/my-blob.bin.sig.jws ``` ### Sign a blob and skip user confirmations when overwriting existing signature -```shell +```console $ notation blob sign --force /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin Signature file overwritten to ./my-blob.bin.sig.jws From e85bfe033133122782af5c978118dfc9447b8b9a Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:04:27 -0800 Subject: [PATCH 61/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 727799493..d45548870 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -204,7 +204,7 @@ Signature file written to /tmp/xyz/sigs/my-blob.bin.sig.jws ```console $ notation blob sign --force /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature file overwritten to ./my-blob.bin.sig.jws +Signature file overwritten to my-blob.bin.sig.jws ``` ### Sign a blob with a plugin From 59e2fb99eee9e5a2d32696d815c10ec1c55f811f Mon Sep 17 00:00:00 2001 
From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:04:53 -0800 Subject: [PATCH 62/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index d45548870..bf5d29ba4 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -220,7 +220,7 @@ notation blob sign --plugin --id /tmp/my-blob.bin # A default signing key is configured using CLI "notation key" # Use option "--signature-format" to set the signature format to COSE. -notation blob sign --signature-format cose /tmp/my-blob.bin +$ notation blob sign --signature-format cose /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin Signature file written to ./my-blob.bin.sig.cose ``` From 002ca4814ad0b68628c84348dea4a425a64cda20 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:05:01 -0800 Subject: [PATCH 63/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index bf5d29ba4..452ac5c6b 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -215,7 +215,7 @@ notation blob sign --plugin --id /tmp/my-blob.bin ### Sign a blob using COSE signature format -```shell +```console # Prerequisites: # A default signing key is configured using CLI "notation key" From c40c667a254751ea6af374dc57a279e1c879bcb7 Mon Sep 17 00:00:00 2001 
From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:05:19 -0800 Subject: [PATCH 64/88] Update specs/commandline/policy.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/policy.md b/specs/commandline/policy.md index 806c5479f..f31361757 100644 --- a/specs/commandline/policy.md +++ b/specs/commandline/policy.md @@ -95,7 +95,7 @@ Import OCI trust policy configuration from a JSON file Usage: notation policy import [flags] -Flags: +Flags: --force override the existing trust policy configuration, never prompt -h, --help help for import ``` From 9b793743c72f94297ad6e35571d194c7b9eaa090 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Thu, 22 Feb 2024 13:34:18 -0800 Subject: [PATCH 65/88] use related paths Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 452ac5c6b..2545ffac0 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -190,7 +190,7 @@ An example for a successful signing: ```console $ notation blob sign /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature file written to my-blob.bin.sig.jws +Signature file written to /tmp/my-blob.bin.sig.jws ``` ### Sign a blob by generating the signature in a particular directory 
@@ -200,11 +200,18 @@ Successfully signed /tmp/my-blob.bin Signature file written to /tmp/xyz/sigs/my-blob.bin.sig.jws ``` +### Sign a blob using a relative path +```console +$ notation blob sign ./relative/path/my-blob.bin +Successfully signed ./relative/path/my-blob.bin +Signature file written to ./relative/path/my-blob.bin.sig.jws +``` + ### Sign a blob and skip user confirmations when overwriting existing signature ```console $ notation blob sign --force /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature file overwritten to my-blob.bin.sig.jws +Signature file overwritten to /tmp/my-blob.bin.sig.jws ``` ### Sign a blob with a plugin @@ -222,7 +229,7 @@ notation blob sign --plugin --id /tmp/my-blob.bin # Use option "--signature-format" to set the signature format to COSE. $ notation blob sign --signature-format cose /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature file written to ./my-blob.bin.sig.cose +Signature file written to /tmp/my-blob.bin.sig.cose ``` ### Sign a blob using the default signing key @@ -485,13 +492,13 @@ Error: Signature verification failed due to a mismatch in the blob's media type Use the `--policy-name` flag to select a policy to verify the signature against. ```shell -notation blob verify --policy-name wabbit-networks-policy --signature /tmp/my-blob.bin.sig.jws /tmp/my-blob.bin +notation blob verify --policy-name wabbit-networks-policy --signature ./sigs/my-blob.bin.sig.jws ./blobs/my-blob.bin ``` An example of output messages for a successful verification: ```text -Successfully verified signature /tmp/my-blob.bin.sig.jws using policy `wabbit-networks-policy` +Successfully verified signature ./sigs/my-blob.bin.sig.jws using policy `wabbit-networks-policy` ``` An example of output messages for an unsuccessful verification: From 17d7e1e1dec5742a676bc87017618f0fe7dc1017 Mon Sep 17 00:00:00 2001 
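Review bot: in PATCH 65, hunk @@ -190,7, the output for `notation blob sign /tmp/my-blob.bin` now reads "Signature file written to /tmp/my-blob.bin.sig.jws", and the new "Sign a blob using a relative path" section in hunk @@ -200,11 writes to `./relative/path/my-blob.bin.sig.jws`, i.e. the signature is placed next to the blob by default; that contradicts the `--signature-directory` description in PATCH 53 (hunk @@ -76,7), "optional path where the blob signature needs to be placed (default: currently working directory)". Decide which default is intended and fix the other place, since a user scripting around the default location will rely on it.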
From: Junjie Gao Date: Mon, 22 Jan 2024 10:19:23 +0800 Subject: [PATCH 66/88] fix: improve error message for plugin (#870) Signed-off-by: Junjie Gao Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- cmd/notation/plugin/install.go | 11 +++++++++++ cmd/notation/plugin/list.go | 6 ++++++ go.mod | 4 ++-- go.sum | 8 ++++---- 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/cmd/notation/plugin/install.go b/cmd/notation/plugin/install.go index 6f32c7b0f..b7538fc16 100644 --- a/cmd/notation/plugin/install.go +++ b/cmd/notation/plugin/install.go @@ -25,6 +25,7 @@ import ( "net/url" "os" "path/filepath" + "runtime" "strings" "github.com/notaryproject/notation-go/dir" @@ -330,6 +331,16 @@ func installPluginWithOptions(ctx context.Context, opts plugin.CLIInstallOptions if errors.As(err, &errPluginDowngrade) { return fmt.Errorf("%w.\nIt is not recommended to install an older version. To force the installation, use the \"--force\" option", errPluginDowngrade) } + + var errExeFile *plugin.PluginExecutableFileError + if errors.As(err, &errExeFile) { + return fmt.Errorf("%w.\nPlease ensure that the plugin executable file is compatible with %s/%s and has appropriate permissions.", err, runtime.GOOS, runtime.GOARCH) + } + + var errMalformedPlugin *plugin.PluginMalformedError + if errors.As(err, &errMalformedPlugin) { + return fmt.Errorf("%w.\nPlease ensure that the plugin executable file is intact and compatible with %s/%s. Contact the plugin publisher for further assistance.", errMalformedPlugin, runtime.GOOS, runtime.GOARCH) + } return err } if existingPluginMetadata != nil { diff --git a/cmd/notation/plugin/list.go b/cmd/notation/plugin/list.go index e715ac233..bfc3ebffe 100644 --- a/cmd/notation/plugin/list.go +++ b/cmd/notation/plugin/list.go @@ -14,6 +14,7 @@ package plugin import ( + "errors" "fmt" "os" "text/tabwriter" 
@@ -44,6 +45,11 @@ func listPlugins(command *cobra.Command) error { mgr := plugin.NewCLIManager(dir.PluginFS()) pluginNames, err := mgr.List(command.Context()) if err != nil { + var errPluginDirWalk plugin.PluginDirectoryWalkError + if errors.As(err, &errPluginDirWalk) { + pluginDir, _ := dir.PluginFS().SysPath("") + return fmt.Errorf("%w.\nPlease ensure that the current user has permission to access the plugin directory: %s", errPluginDirWalk, pluginDir) + } return err } diff --git a/go.mod b/go.mod index 4d6690e1a..29464b47f 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.21 require ( github.com/notaryproject/notation-core-go v1.0.1 - github.com/notaryproject/notation-go v1.0.2-0.20240112021749-b315de42f912 + github.com/notaryproject/notation-go v1.0.2-0.20240118131949-690448ee6711 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 @@ -25,7 +25,7 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.17.0 // indirect + golang.org/x/crypto v0.18.0 // indirect golang.org/x/mod v0.14.0 // indirect golang.org/x/sync v0.4.0 // indirect golang.org/x/sys v0.16.0 // indirect diff --git a/go.sum b/go.sum index 61c9d5122..80dac5c17 100644 --- a/go.sum +++ b/go.sum 
@@ -20,8 +20,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= -github.com/notaryproject/notation-go v1.0.2-0.20240112021749-b315de42f912 h1:7abHy5FOfA4mq47/+0pIg/vjI2xfj9qH6cQ47Vc3arM= -github.com/notaryproject/notation-go v1.0.2-0.20240112021749-b315de42f912/go.mod h1:Sj9N0ZRdwIEHL8ewzMjKFEIcLCJhp0r8h6IoT48Q/8E= +github.com/notaryproject/notation-go v1.0.2-0.20240118131949-690448ee6711 h1:3mUupkKwYtGj1vRvuyI5q9X69BdQ2mdQk281MbfznJI= +github.com/notaryproject/notation-go v1.0.2-0.20240118131949-690448ee6711/go.mod h1:/ddbxt03OnWzfb/jZD6STe/gbuWhFaYLWCkq1BkgUCQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= 
@@ -51,8 +51,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= From 8e53eb00d5090a2e71dfa46a3171073d794c6918 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 15:55:03 +0000 Subject: [PATCH 67/88] build(deps): Bump actions/upload-artifact from 4.1.0 to 4.2.0 (#872) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6700aa923..0bc361eb0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -54,7 +54,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # tag=v4.1.0 + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # tag=v4.2.0 with: name: SARIF file path: results.sarif From b04cb09dc2007d6b194e9e8c927143b118a4d88c Mon Sep 17 00:00:00 2001 
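Review bot: in PATCH 66, the install.go hunk @@ -330,6 wraps `err` in the new `errExeFile` branch (`fmt.Errorf("%w.\nPlease ensure ...", err, runtime.GOOS, runtime.GOARCH)`) while the `errPluginDowngrade` and `errMalformedPlugin` branches wrap the matched typed error; wrap `errExeFile` here so all three branches return the same error shape to callers that unwrap it. Both new messages also advise checking compatibility with `runtime.GOOS/runtime.GOARCH`; confirm against notation-go that `PluginExecutableFileError` is actually raised for architecture mismatches and not only for permission problems, and narrow the wording if it is not.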
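Review bot: in PATCH 66, the list.go hunk @@ -44,6 declares the `errors.As` target as a value (`var errPluginDirWalk plugin.PluginDirectoryWalkError`) while the install.go hunk in the same patch uses pointer targets for the other plugin error types; `errors.As` only matches the exact type stored in the chain, so confirm whether notation-go returns `PluginDirectoryWalkError` by value or by pointer, otherwise this branch never fires and the improved message is never shown. The error from `dir.PluginFS().SysPath("")` is discarded with `_`; if it fails the message ends with an empty path, so fall back to generic wording when `pluginDir` is empty.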
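Review bot: in PATCH 66, the go.mod hunk @@ -4,7 moves `github.com/notaryproject/notation-go` from one pseudo-version to another (`v1.0.2-0.20240118131949-690448ee6711`), i.e. an untagged commit; that is acceptable while the feature is in progress, but the dependency should be pinned to a tagged release before this series is merged so the exact code being trusted for signature verification is reviewable from a tag rather than a commit hash.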
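Review bot: in PATCH 67, the scorecard.yml hunk @@ -54,7 pins the action by full commit SHA with the version in a trailing comment (`# tag=v4.2.0`), which is the right pattern; since the runner ignores the comment, the review step before approving is to confirm that `694cdabd8bdb0f10b2cea11669e1bf5453eed0a6` is the commit the `v4.2.0` tag resolves to in actions/upload-artifact. The `tag=v4.2.0` comment style also differs from the `# v4.0.0` and `# v3.23.1` style used for the other pins in these workflows; one style makes automated checks of SHA-to-tag consistency simpler.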
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 15:55:17 +0000 Subject: [PATCH 68/88] build(deps): Bump actions/cache from 3.3.3 to 4.0.0 (#873) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 35919c5b7..1f288d840 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -38,7 +38,7 @@ jobs: - name: Check out code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Cache Go modules - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 id: go-mod-cache with: path: ~/go/pkg/mod From 6d49323389ab0cd9bd0677c7bcafc7097ecf3517 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 15:55:34 +0000 Subject: [PATCH 69/88] build(deps): Bump github/codeql-action from 3.23.0 to 3.23.1 (#874) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 001b7ae15..92c3fb3b4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0bc361eb0..c327ed18a 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 with: sarif_file: results.sarif From a5386604d7fe8947f52d7c42004085a026942335 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 25 Jan 2024 09:58:15 +0800 Subject: [PATCH 70/88] bump: bump up notation-go and notation-core-go including e2e tests (#875) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- test/e2e/go.mod | 2 +- test/e2e/go.sum | 6 +++--- test/e2e/plugin/go.mod | 8 ++++---- test/e2e/plugin/go.sum | 16 ++++++++-------- 6 files changed, 22 insertions(+), 22 deletions(-) diff --git a/go.mod b/go.mod index 29464b47f..6c7f48201 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module github.com/notaryproject/notation go 1.21 require ( - github.com/notaryproject/notation-core-go v1.0.1 - github.com/notaryproject/notation-go v1.0.2-0.20240118131949-690448ee6711 + github.com/notaryproject/notation-core-go v1.0.2 + github.com/notaryproject/notation-go v1.1.0 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc5 github.com/oras-project/oras-credentials-go v0.3.1 diff --git a/go.sum b/go.sum index 80dac5c17..dae31d65c 100644 --- a/go.sum +++ b/go.sum 
@@ -18,10 +18,10 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= -github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= -github.com/notaryproject/notation-go v1.0.2-0.20240118131949-690448ee6711 h1:3mUupkKwYtGj1vRvuyI5q9X69BdQ2mdQk281MbfznJI= -github.com/notaryproject/notation-go v1.0.2-0.20240118131949-690448ee6711/go.mod h1:/ddbxt03OnWzfb/jZD6STe/gbuWhFaYLWCkq1BkgUCQ= +github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= +github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= +github.com/notaryproject/notation-go v1.1.0 h1:7WBeH8FGoA+GkeUwmBIBnlJc/PpdYaUKfiXu6ZZeEeg= +github.com/notaryproject/notation-go v1.1.0/go.mod h1:ZSk34URQar5fnWflaFByzpDvuefgZKm/mp8Q2tQpBaw= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= diff --git a/test/e2e/go.mod b/test/e2e/go.mod index a7f32d798..80d00fb34 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -3,7 +3,7 @@ module github.com/notaryproject/notation/test/e2e go 1.20 require ( - github.com/notaryproject/notation-core-go v1.0.1 + github.com/notaryproject/notation-core-go v1.0.2 github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 github.com/opencontainers/image-spec v1.1.0-rc4 
diff --git a/test/e2e/go.sum b/test/e2e/go.sum index d1f0f966d..46d26e0d0 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum @@ -12,8 +12,8 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9tRnGuw+ZVCB3FazXODD6JE1R8= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= -github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= -github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= +github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= +github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= @@ -31,7 +31,7 @@ github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4 github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= 
diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index c39c68584..71a7b738d 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -4,8 +4,8 @@ go 1.20 require ( github.com/golang-jwt/jwt v3.2.2+incompatible - github.com/notaryproject/notation-core-go v1.0.1 - github.com/notaryproject/notation-go v1.0.1 + github.com/notaryproject/notation-core-go v1.0.2 + github.com/notaryproject/notation-go v1.1.0 github.com/spf13/cobra v1.7.0 ) @@ -22,8 +22,8 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.17.0 // indirect - golang.org/x/mod v0.13.0 // indirect + golang.org/x/crypto v0.18.0 // indirect + golang.org/x/mod v0.14.0 // indirect golang.org/x/sync v0.4.0 // indirect oras.land/oras-go/v2 v2.3.1 // indirect ) diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index db5dc77e5..d972c867e 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -20,10 +20,10 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw= -github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE= -github.com/notaryproject/notation-go v1.0.1 h1:D3fqG3eaBKVESRySV/Tg//MyTg2Q1nTKPh/t2q9LpSw= -github.com/notaryproject/notation-go v1.0.1/go.mod h1:VonyZsbocRQQNIDq/VPV5jKJOQwDH3gvfK4cXNpUA0U= +github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= +github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= +github.com/notaryproject/notation-go v1.1.0 h1:7WBeH8FGoA+GkeUwmBIBnlJc/PpdYaUKfiXu6ZZeEeg= +github.com/notaryproject/notation-go v1.1.0/go.mod h1:ZSk34URQar5fnWflaFByzpDvuefgZKm/mp8Q2tQpBaw= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= 
@@ -48,12 +48,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= -golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= From 4baf9350c81b4f02d73838d41f7085108667a3e1 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 25 Jan 2024 10:15:32 +0800 Subject: [PATCH 71/88] vote for version v1.1.0 Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- internal/version/version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
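Review bot: PATCH 70/88 replaces the pseudo-version `notation-go v1.0.2-0.20240118131949-690448ee6711` in the root go.mod with the tagged `v1.1.0`, which is the right direction ahead of a release; the point to confirm is in test/e2e/go.sum, where the `golang.org/x/crypto` line changes from v0.14.0 to v0.18.0 while the test/e2e/go.mod hunk only touches notation-core-go and neither version of that go.sum line has a companion `/go.mod h1:` entry. That pattern is usually a sign the module was edited by hand or tidied with a different toolchain, so run `go mod tidy` and `go mod verify` inside test/e2e and commit whatever they change, rather than carrying a partially updated checksum file.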
diff --git a/internal/version/version.go b/internal/version/version.go index d0956a11d..2f7749b48 100644 --- a/internal/version/version.go +++ b/internal/version/version.go @@ -15,7 +15,7 @@ package version var ( // Version shows the current notation version, optionally with pre-release. - Version = "v1.0.0" + Version = "v1.1.0" // BuildMetadata stores the build metadata. // From a442153843a094dcc90bbe479086373011a69a44 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 17:04:00 +0000 Subject: [PATCH 72/88] build(deps): Bump actions/upload-artifact from 4.2.0 to 4.3.0 (#878) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index c327ed18a..9271cb270 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -54,7 +54,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # tag=v4.2.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # tag=v4.3.0 with: name: SARIF file path: results.sarif From ddf2c5e3aaa0d9116c534b2aa7b1e0a6273bf6d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 17:04:05 +0000 Subject: [PATCH 73/88] build(deps): Bump codecov/codecov-action from 3.1.4 to 3.1.5 (#879) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1f288d840..ba01a3860 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
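Review bot: PATCH 71/88 sets `Version = "v1.1.0"` in internal/version/version.go with nothing else changing, so the release tag and release notes should be produced from this commit; the earlier dependency bump to the tagged notation-go v1.1.0 makes that consistent, and any later move back to an unreleased upstream commit would undo it. On PATCH 72/88, the trailing comment style `# tag=v4.2.0` on the actions/upload-artifact pin differs from the `# v4.1.1` and `# v3.3.3` form used in build.yml; pick one form so tooling that verifies SHA-to-tag comments can parse every pin the same way.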
@@ -59,4 +59,4 @@ jobs: make e2e-covdata fi - name: Upload coverage to codecov.io - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 + uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # v3.1.5 From f238f4f9d05c7d2df012b21ea02fd24ffacfb82c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 17:04:29 +0000 Subject: [PATCH 74/88] build(deps): Bump github/codeql-action from 3.23.1 to 3.23.2 (#877) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 92c3fb3b4..2b8c8ae6d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9271cb270..81420b496 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 with: sarif_file: results.sarif From 3a0562b0f8c97c81002abea9875f3e9a5fa1b8be Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Fri, 2 Feb 2024 10:33:42 +0800 Subject: [PATCH 75/88] bump: bump up oras-go and image-spec (#881) Signed-off-by: Patrick Zheng Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- cmd/notation/login.go | 2 +- cmd/notation/logout.go | 2 +- cmd/notation/registry.go | 2 +- go.mod | 9 ++++----- go.sum | 16 ++++++++-------- internal/auth/credentials.go | 2 +- internal/cmd/options.go | 2 +- test/e2e/go.mod | 6 +++--- test/e2e/go.sum | 12 ++++++------ test/e2e/plugin/go.mod | 8 ++++---- test/e2e/plugin/go.sum | 16 ++++++++-------- 11 files changed, 38 insertions(+), 39 deletions(-) diff --git a/cmd/notation/login.go b/cmd/notation/login.go index 10d9e169f..e1a2bb49c 100644 --- a/cmd/notation/login.go +++ b/cmd/notation/login.go @@ -25,9 +25,9 @@ import ( "github.com/notaryproject/notation-go/log" "github.com/notaryproject/notation/internal/auth" "github.com/notaryproject/notation/internal/cmd" - credentials "github.com/oras-project/oras-credentials-go" "github.com/spf13/cobra" "golang.org/x/term" + "oras.land/oras-go/v2/registry/remote/credentials" ) const urlDocHowToAuthenticate = "https://notaryproject.dev/docs/how-to/registry-authentication/" diff --git a/cmd/notation/logout.go b/cmd/notation/logout.go index d368848a7..6a89c4889 100644 --- a/cmd/notation/logout.go +++ b/cmd/notation/logout.go @@ -20,8 +20,8 @@ import ( "github.com/notaryproject/notation/internal/auth" "github.com/notaryproject/notation/internal/cmd" - credentials "github.com/oras-project/oras-credentials-go" "github.com/spf13/cobra" + "oras.land/oras-go/v2/registry/remote/credentials" ) type logoutOpts struct { diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index fe82b6c6e..d4c748a36 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go 
@@ -25,10 +25,10 @@ import ( notationauth "github.com/notaryproject/notation/internal/auth" "github.com/notaryproject/notation/internal/httputil" "github.com/notaryproject/notation/pkg/configutil" - credentials "github.com/oras-project/oras-credentials-go" "oras.land/oras-go/v2/registry" "oras.land/oras-go/v2/registry/remote" "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials" ) // inputType denotes the user input type diff --git a/go.mod b/go.mod index 6c7f48201..2345d44f8 100644 --- a/go.mod +++ b/go.mod @@ -4,15 +4,14 @@ go 1.21 require ( github.com/notaryproject/notation-core-go v1.0.2 - github.com/notaryproject/notation-go v1.1.0 + github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb github.com/opencontainers/go-digest v1.0.0 - github.com/opencontainers/image-spec v1.1.0-rc5 - github.com/oras-project/oras-credentials-go v0.3.1 + github.com/opencontainers/image-spec v1.1.0-rc6 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 golang.org/x/term v0.16.0 - oras.land/oras-go/v2 v2.3.1 + oras.land/oras-go/v2 v2.4.0 ) require ( @@ -27,6 +26,6 @@ require ( github.com/x448/float16 v0.8.4 // indirect golang.org/x/crypto v0.18.0 // indirect golang.org/x/mod v0.14.0 // indirect - golang.org/x/sync v0.4.0 // indirect + golang.org/x/sync v0.6.0 // indirect golang.org/x/sys v0.16.0 // indirect ) diff --git a/go.sum b/go.sum index dae31d65c..5a6676d37 100644 --- a/go.sum +++ b/go.sum 
@@ -20,12 +20,12 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= -github.com/notaryproject/notation-go v1.1.0 h1:7WBeH8FGoA+GkeUwmBIBnlJc/PpdYaUKfiXu6ZZeEeg= -github.com/notaryproject/notation-go v1.1.0/go.mod h1:ZSk34URQar5fnWflaFByzpDvuefgZKm/mp8Q2tQpBaw= +github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb h1:OVkHyQD0O8hTsuDPzdpgdteHDN9ormV5M3/pi9ka4II= +github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb/go.mod h1:v0e8Y7gEzTtx7aNw3tG6da7atr59JRdePVMMkTGNXzA= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= -github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= +github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/oras-project/oras-credentials-go v0.3.1 h1:sfGqZ8sjPifEaOtjHOQTPr8D+Tql4bpw58Dd9wjmm9w= github.com/oras-project/oras-credentials-go v0.3.1/go.mod h1:fFCebDQo0Do+gnM96uV9YUnRay0pwuRQupypvofsp4s= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
@@ -65,8 +65,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= -golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -100,5 +100,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.3.1 h1:lUC6q8RkeRReANEERLfH86iwGn55lbSWP20egdFHVec= -oras.land/oras-go/v2 v2.3.1/go.mod h1:5AQXVEu1X/FKp1F9DMOb5ZItZBOa0y5dha0yCm4NR9c= +oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= +oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= diff --git a/internal/auth/credentials.go b/internal/auth/credentials.go index d5de0ae37..9f04a6eeb 100644 --- a/internal/auth/credentials.go +++ b/internal/auth/credentials.go 
@@ -17,7 +17,7 @@ import ( "fmt" "github.com/notaryproject/notation-go/dir" - credentials "github.com/oras-project/oras-credentials-go" + "oras.land/oras-go/v2/registry/remote/credentials" ) // NewCredentialsStore returns a new credentials store from the settings in the diff --git a/internal/cmd/options.go b/internal/cmd/options.go index 614aa7d86..789dc5cf4 100644 --- a/internal/cmd/options.go +++ b/internal/cmd/options.go @@ -18,10 +18,10 @@ import ( "github.com/notaryproject/notation-go/log" "github.com/notaryproject/notation/internal/trace" - credentialstrace "github.com/oras-project/oras-credentials-go/trace" "github.com/sirupsen/logrus" "github.com/spf13/cobra" "github.com/spf13/pflag" + credentialstrace "oras.land/oras-go/v2/registry/remote/credentials/trace" ) // SignerFlagOpts cmd opts for using cmd.GetSigner diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 80d00fb34..450b1352a 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -6,8 +6,8 @@ require ( github.com/notaryproject/notation-core-go v1.0.2 github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 - github.com/opencontainers/image-spec v1.1.0-rc4 - oras.land/oras-go/v2 v2.2.1 + github.com/opencontainers/image-spec v1.1.0-rc6 + oras.land/oras-go/v2 v2.4.0 ) require ( @@ -20,7 +20,7 @@ require ( github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect golang.org/x/net v0.17.0 // indirect - golang.org/x/sync v0.3.0 // indirect + golang.org/x/sync v0.6.0 // indirect golang.org/x/sys v0.13.0 // indirect golang.org/x/text v0.13.0 // indirect golang.org/x/tools v0.9.3 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 46d26e0d0..930892729 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
@@ -20,8 +20,8 @@ github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= -github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= +github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -35,8 +35,8 @@ golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= 
@@ -49,5 +49,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.2.1 h1:3VJTYqy5KfelEF9c2jo1MLSpr+TM3mX8K42wzZcd6qE= -oras.land/oras-go/v2 v2.2.1/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ= +oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= +oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 71a7b738d..465f6c3ce 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -5,7 +5,7 @@ go 1.20 require ( github.com/golang-jwt/jwt v3.2.2+incompatible github.com/notaryproject/notation-core-go v1.0.2 - github.com/notaryproject/notation-go v1.1.0 + github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb github.com/spf13/cobra v1.7.0 ) @@ -18,12 +18,12 @@ require ( github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc5 // indirect + github.com/opencontainers/image-spec v1.1.0-rc6 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect golang.org/x/crypto v0.18.0 // indirect golang.org/x/mod v0.14.0 // indirect - golang.org/x/sync v0.4.0 // indirect - oras.land/oras-go/v2 v2.3.1 // indirect + golang.org/x/sync v0.6.0 // indirect + oras.land/oras-go/v2 v2.4.0 // indirect ) diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index d972c867e..2ebbff354 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -22,12 +22,12 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= -github.com/notaryproject/notation-go v1.1.0 h1:7WBeH8FGoA+GkeUwmBIBnlJc/PpdYaUKfiXu6ZZeEeg= -github.com/notaryproject/notation-go v1.1.0/go.mod h1:ZSk34URQar5fnWflaFByzpDvuefgZKm/mp8Q2tQpBaw= +github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb h1:OVkHyQD0O8hTsuDPzdpgdteHDN9ormV5M3/pi9ka4II= +github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb/go.mod h1:v0e8Y7gEzTtx7aNw3tG6da7atr59JRdePVMMkTGNXzA= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= -github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= +github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -62,8 +62,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= -golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -92,5 +92,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.3.1 h1:lUC6q8RkeRReANEERLfH86iwGn55lbSWP20egdFHVec= -oras.land/oras-go/v2 v2.3.1/go.mod h1:5AQXVEu1X/FKp1F9DMOb5ZItZBOa0y5dha0yCm4NR9c= +oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= +oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= From bbb40877d62b37b756e1f4858eba84b406b8e196 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 18:58:55 +0000 Subject: [PATCH 76/88] build(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 (#883) 
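Review bot: PATCH 75/88 drops `github.com/oras-project/oras-credentials-go v0.3.1` from the root go.mod require block, but the root go.sum hunk still shows that module's `h1:` and `/go.mod h1:` lines as unchanged context, so `go mod tidy` was not run after removing the dependency; tidy it in this commit instead of leaving stale checksum lines for a later unrelated bump to clean up. Second, the root and test/e2e/plugin go.mod move notation-go from the tagged `v1.1.0` to the pseudo-version `v1.1.1-0.20240201073933-4606472ebdcb` right after version.go was set to v1.1.0; cutting a release against an untagged upstream commit is undesirable, so re-pin to a tagged notation-go release before the tag is made. The import-path migration itself looks right: the old aliased import `credentials "github.com/oras-project/oras-credentials-go"` becomes `"oras.land/oras-go/v2/registry/remote/credentials"` with the alias dropped because the package name already matches, the `credentialstrace` alias is kept for the trace subpackage in internal/cmd/options.go, and the new lines land in gofmt sort order after the `golang.org/...` imports.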
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2b8c8ae6d..009fa2905 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 + uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 + uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 81420b496..6e82c231f 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 + uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 with: sarif_file: results.sarif From f8e613dd8a39d8c0345d8b01b84f95aa3153888b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 19:00:08 +0000 Subject: [PATCH 77/88] build(deps): Bump codecov/codecov-action from 3.1.5 to 4.0.1 (#884) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ba01a3860..80c90c01b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -59,4 +59,4 @@ jobs: make e2e-covdata fi - name: Upload coverage to codecov.io - uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # v3.1.5 + uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1 From ecbea19bebea4eb09837f8ffc68f0101a32371d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 09:31:45 +0000 Subject: [PATCH 78/88] build(deps): Bump golang.org/x/term from 0.16.0 to 0.17.0 (#886) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 10 ++++------ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 2345d44f8..1e18db03b 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 - golang.org/x/term v0.16.0 + golang.org/x/term v0.17.0 oras.land/oras-go/v2 v2.4.0 ) @@ -27,5 +27,5 @@ require ( golang.org/x/crypto v0.18.0 // indirect golang.org/x/mod v0.14.0 // indirect golang.org/x/sync v0.6.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.17.0 // indirect ) diff --git a/go.sum b/go.sum index 5a6676d37..56b642b58 100644 --- a/go.sum +++ b/go.sum 
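Review bot: PATCH 77/88 is a major version bump of codecov/codecov-action (v3.1.5 to v4.0.1), and v4 replaced the uploader behind the action and changed how it handles the repository token, so this is not a drop-in change; the hunk ends the file at the `uses:` line with no `with:` block, meaning no `token:` input is visible anywhere in build.yml. Run the workflow once on a branch and confirm the upload actually succeeds (or is intentionally tokenless) before merging, and keep the SHA pin with its `# v4.0.1` comment as done here.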
@@ -26,8 +26,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= -github.com/oras-project/oras-credentials-go v0.3.1 h1:sfGqZ8sjPifEaOtjHOQTPr8D+Tql4bpw58Dd9wjmm9w= -github.com/oras-project/oras-credentials-go v0.3.1/go.mod h1:fFCebDQo0Do+gnM96uV9YUnRay0pwuRQupypvofsp4s= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -76,15 +74,15 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= From b1ab3302cd943fee4e78121dc88491302365265f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 09:32:33 +0000 Subject: [PATCH 79/88] build(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 (#887) 
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6e82c231f..6d3400dbf 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -54,7 +54,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # tag=v4.3.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1 with: name: SARIF file path: results.sarif From 194cab7f992ff3edeaec32a92e670110a3fe9b6c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 06:45:33 +0000 Subject: [PATCH 80/88] build(deps): Bump codecov/codecov-action from 4.0.1 to 4.0.2 (#896) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 80c90c01b..dd84d84ca 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -59,4 +59,4 @@ jobs: make e2e-covdata fi - name: Upload coverage to codecov.io - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1 + uses: codecov/codecov-action@0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1 # v4.0.2 From eae0fe3e04c0b589036e583bbc919fcd1f0e53b4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 06:45:46 +0000 Subject: [PATCH 81/88] build(deps): Bump github/codeql-action from 3.24.0 to 3.24.5 (#895) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 009fa2905..97fdf76c5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 + uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 + uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6d3400dbf..8ad552e43 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 + uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 with: sarif_file: results.sarif From a22d8fd34ff6cf1753565045576e776412edb8fd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 06:46:06 +0000 Subject: [PATCH 82/88] build(deps): Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 (#891) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1e18db03b..2f677354b 100644 --- a/go.mod +++ b/go.mod 
@@ -6,7 +6,7 @@ require ( github.com/notaryproject/notation-core-go v1.0.2 github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb github.com/opencontainers/go-digest v1.0.0 - github.com/opencontainers/image-spec v1.1.0-rc6 + github.com/opencontainers/image-spec v1.1.0 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 56b642b58..1de953474 100644 --- a/go.sum +++ b/go.sum @@ -24,8 +24,8 @@ github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb h1:OVk github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb/go.mod h1:v0e8Y7gEzTtx7aNw3tG6da7atr59JRdePVMMkTGNXzA= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= From 8e0ce16804b51d5c3516c3382283a9a978b59b14 Mon Sep 17 00:00:00 2001 From: rgnote <5878554+rgnote@users.noreply.github.com> Date: Thu, 29 Feb 2024 11:08:08 -0800 Subject: [PATCH 83/88] remove overwrite option in sign command Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
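Review bot: the go.sum hunk at @@ -24,8 +24,8 @@ shows the `/go.mod` checksum for image-spec unchanged between v1.1.0-rc6 and v1.1.0 (both `h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=`) while the content checksum changes, so the module's declared dependency graph is identical and only its sources differ, which is consistent with an rc-to-GA promotion. The context line above it shows notation-go still at a pseudo-version rather than a tagged release; since minimal version selection will now hand notation-go the GA module instead of rc6, run the build and e2e suite against v1.1.0 rather than relying on the rc6 result, and consider bumping notation-go in a follow-up once it has a release that targets v1.1.0.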
diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 2545ffac0..06df8a975 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -84,7 +84,6 @@ Flags: --plugin string signing plugin name. This is mutually exclusive with the --key flag --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. --signature-format string signature envelope format, options: "jws", "cose" (default "jws") - --force skip user confirmation and force overwrite the existing blob signature file -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload -d, --debug debug mode -v, --verbose verbose mode @@ -204,14 +203,7 @@ Signature file written to /tmp/xyz/sigs/my-blob.bin.sig.jws ```console $ notation blob sign ./relative/path/my-blob.bin Successfully signed ./relative/path/my-blob.bin -Signature file written to ./relative/path/my-blob.bin.sig.jws -``` - -### Sign a blob and skip user confirmations when overwriting existing signature -```console -$ notation blob sign --force /tmp/my-blob.bin -Successfully signed /tmp/my-blob.bin -Signature file overwritten to /tmp/my-blob.bin.sig.jws +Signature file written to /absolute/path/to/cwd/my-blob.bin.sig.jws ``` ### Sign a blob with a plugin From 1b9e88b12b2defb2daeaba2692ae009cb15f6f1b Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Tue, 5 Mar 2024 10:01:32 -0800 Subject: [PATCH 84/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 06df8a975..7ffa93441 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md 
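Review bot: in the blob.md hunk at @@ -84,7 +84,6 @@, dropping `--force` removes the documented way to overwrite an existing signature file, but nothing in the hunk says what `notation blob sign` does now when the default signature path already exists. State it explicitly in the flag table or the sign section: refuse to write and exit non-zero (the safe choice, since a silent overwrite of a signature is precisely what the flag used to gate), and tell the user to pass a different output path or remove the old file first. Leaving the behaviour implicit invites an implementation that overwrites by default.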
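Review bot: in the hunk at @@ -204,14 +203,7 @@, the relative-path example now reports `Signature file written to /absolute/path/to/cwd/my-blob.bin.sig.jws` for an input of `./relative/path/my-blob.bin`, which means the signature lands in the current working directory rather than beside the blob. That is a change to the default output location and should be said in prose, not only implied by sample output. Also, `/absolute/path/to/cwd` reads like a real path inside a console transcript; a placeholder such as `<cwd>` or a sentence noting that the absolute path of the working directory is printed would be clearer.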
@@ -189,7 +189,7 @@ An example for a successful signing: ```console $ notation blob sign /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature file written to /tmp/my-blob.bin.sig.jws +Signature file written to /absolute/path/to/cwd/my-blob.bin.sig.jws ``` ### Sign a blob by generating the signature in a particular directory From a2ebf5cf28f3e2d45f408fc848f70ea16bf31827 Mon Sep 17 00:00:00 2001 From: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Date: Tue, 5 Mar 2024 10:01:41 -0800 Subject: [PATCH 85/88] Update specs/commandline/blob.md Co-authored-by: Shiwei Zhang Signed-off-by: Rakesh Gariganti <5878554+rgnote@users.noreply.github.com> Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- specs/commandline/blob.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/commandline/blob.md b/specs/commandline/blob.md index 7ffa93441..1fdb76ec6 100644 --- a/specs/commandline/blob.md +++ b/specs/commandline/blob.md @@ -221,7 +221,7 @@ notation blob sign --plugin --id /tmp/my-blob.bin # Use option "--signature-format" to set the signature format to COSE. $ notation blob sign --signature-format cose /tmp/my-blob.bin Successfully signed /tmp/my-blob.bin -Signature file written to /tmp/my-blob.bin.sig.cose +Signature file written to /absolute/path/to/cwd/my-blob.bin.sig.cose ``` ### Sign a blob using the default signing key From 7815b82f6f03aad4d8d8fe7b5ccf65afaeb91242 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 17:48:35 +0000 Subject: [PATCH 86/88] build(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 (#898) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dd84d84ca..261e64208 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
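Review bot: the two blob.md hunks here (@@ -189,7 +189,7 @@ and @@ -221,7 +221,7 @@) change the sample output for the absolute input `/tmp/my-blob.bin` from `/tmp/my-blob.bin.sig.jws` and `/tmp/my-blob.bin.sig.cose` to `/absolute/path/to/cwd/...`, confirming that the default is the working directory even when the blob path is absolute. Make sure the description of the flag that sets the output location and the sign section say the same thing, and reference that flag in at least one example so readers know how to place the signature next to the blob when that is what they want.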
@@ -59,4 +59,4 @@ jobs: make e2e-covdata fi - name: Upload coverage to codecov.io - uses: codecov/codecov-action@0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1 # v4.0.2 + uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0 From 58dd756a507a2b9d68d88fdbc94f4f42940306ad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 17:48:41 +0000 Subject: [PATCH 87/88] build(deps): Bump actions/cache from 4.0.0 to 4.0.1 (#900) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 261e64208..ad756860a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -38,7 +38,7 @@ jobs: - name: Check out code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Cache Go modules - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 id: go-mod-cache with: path: ~/go/pkg/mod From 778245a225246da3ab8f52473f9f85c3f7de9b8f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 17:48:46 +0000 Subject: [PATCH 88/88] build(deps): Bump actions/add-to-project from 0.5.0 to 0.6.0 (#901) Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com> --- .github/workflows/add-to-project.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index ae1bc3921..599648f3d 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml 
@@ -24,7 +24,7 @@ jobs: name: Add issue to project runs-on: ubuntu-latest steps: - - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0 + - uses: actions/add-to-project@0609a2702eefb44781da00f8e04901d6e5cd2b92 # v0.6.0 with: project-url: https://github.com/orgs/notaryproject/projects/10 github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
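Review bot: in the add-to-project.yml hunk at @@ -24,7 +24,7 @@, this action runs with `secrets.ADD_TO_PROJECT_PAT`, a personal access token that can write to the org project, so the SHA pin is what keeps that token away from a compromised or retagged upstream. Before merging, confirm that `0609a2702eefb44781da00f8e04901d6e5cd2b92` is the commit the v0.6.0 tag resolves to (the `# v0.6.0` comment is documentation, not enforcement), and because this is a minor-version bump of a third-party action rather than a patch release, skim its release notes for new inputs or permission requirements; the `with:` block shown is unchanged, so any new required input would not be set.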