Implement generate signature plugin workflow#42
Implement generate signature plugin workflow#42SteveLasker merged 59 commits intonotaryproject:mainfrom
Conversation
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v2...v3) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v2...v3.0.1) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
|
Plugin spec updated with latest changes in notaryproject/specifications#155 |
notation.go
Outdated
| // Sign signs the artifact described by its descriptor, | ||
| // and returns the signature. | ||
| Sign(ctx context.Context, desc Descriptor, opts SignOptions) ([]byte, error) | ||
| Sign(ctx context.Context, desc signature.Descriptor, opts SignOptions) ([]byte, error) |
There was a problem hiding this comment.
I think Descriptor should be maintained at the notation level, regardless how plugin protocol works.
There was a problem hiding this comment.
Any particular reason? The descriptor is part of the signing spec, so IMO it should be in the spec package.
There was a problem hiding this comment.
Then we have the Signer interface to be spec specific, and probably we need to put the Signer into the specs/v1 folder. LoL.
There was a problem hiding this comment.
Signer is not part of the spec, it's just an interface defined by notation-go, so I would put it in /spec. As we have removed the version subfolders from /spec, then we have no conflict here anymore.
There was a problem hiding this comment.
There are two protocols here. One is at the Signer interface level, another is at the spec level. We probably need a design doc here.
There was a problem hiding this comment.
IMO types which are inputs and outputs of Sign/Verify methods in top level package should also be in the same package, Descriptor should remain at notation level.
I think spec package is not required, Notation implements one major version of Notary V2 specifications, which can introduce non breaking changes. Breaking changes can be introduced in a new major version of specification and corresponding new major version of Notation.
An exception is the plugin contract spec versioning, which is independent of other versioning, but we need not reflect this in package naming, consumers do not directly interact with plugin contract version.
We should also put most types under internal package, and selectively move then out as publicly visible types as appropriate for Notation CLI and other consumers . Are we planning to use pkg folder for public library types? I was looking at Go lang project layout standard, but not sure how widely it's adopted.
There was a problem hiding this comment.
There are two protocols here. One is at the
Signerinterface level, another is at the spec level. We probably need a design doc here.
Can you clarify @shizhMSFT? I didn't understand why two interfaces are required, are you referring to the low level Signer interface to be added in notation-core-go.
There was a problem hiding this comment.
I think spec package is not required, Notation implements one major version of Notary V2 specifications, which can introduce non breaking changes. Breaking changes can be introduced in a new major version of specification and corresponding new major version of Notation.
I will not tire of repeating that mixing the notation-go module versioning with the Notary versioning is an artificial restriction that will limit notation-go capacity to improve its API. What if in a couple of months, or even years, we find that part of the API is too easy to misuse or has security vulnerabilities? What if we think there is a much better way to implement the Notary spec? We won't be able to react properly if we can't bump the major version of nottion-go.
About having the spec package or putting everything at the root of the module, I think there is value on having a clear separation for types which are defined in the Notary spec and types that are invented by notation-go. I'm not a maintainer of this library, so if you don't see it then I can remove it.
An exception is the plugin contract spec versioning, which is independent of other versioning, but we need not reflect this in package naming, consumers do not directly interact with plugin contract version.
We should also put most types under internal package, and selectively move then out as publicly visible types as appropriate for Notation CLI and other consumers
spec/plugin package is intended for plugin authors consumption, if we move those types into internal they will have to reimplement the whole plugin spec. I can assure you that all types and methods in spec are relevant for consumers, as I'm implementing the notation-azure-kv plugin and notation cli in parallel and I'm just exporting what's necessary.
Are we planning to use pkg folder for public library types? I was looking at Go lang project layout standard, but not sure how widely it's adopted.
Having a package named pkg is not idiomatic, it used to be long time ago, and the current best practice is to place packages at the module root, or stack them with care.
There was a problem hiding this comment.
I will not tire of repeating that mixing the
notation-gomodule versioning with the Notary versioning is an artificial restriction that will limitnotation-gocapacity to improve its API. What if in a couple of months, or even years, we find that part of the API is too easy to misuse or has security vulnerabilities?
I agree with the concern, I don't think we have thought enough about versioning of the multiple things (plugins, signature, trust policy) and which ones may reflect in package structure. For example, trust policy document has its own version property, so that policy language in trustPolicy.json can be independently revised without impacting anything else. We'll be making a round of refactoring to get it in line with intended separation between notation, notation-go and notation-core-go, we'll also wait for the rest of the specs to be completed. I'll track this as one of the items in a refactoring issue, and an independent issue to clarify versioning. Do you have few examples of projects that expose a spec and spec version to consumers as part of package structure, /image-spec was one, but that's quite stable.
There was a problem hiding this comment.
Do you have few examples of projects that expose a spec and spec version to consumers as part of package structure, /image-spec was one, but that's quite stable.
To name a few big ones:
- azure-go-sdk use it all around.
- aws-sdk-go is more stable but also uses it.
- google/go.
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
This reverts commit c9afb7c. Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
gokarnm
left a comment
gokarnm
left a comment
There was a problem hiding this comment.
Added some comments, will cover the rest of changes in another pass.
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
notation.go
Outdated
| // Sign signs the artifact described by its descriptor, | ||
| // and returns the signature. | ||
| Sign(ctx context.Context, desc Descriptor, opts SignOptions) ([]byte, error) | ||
| Sign(ctx context.Context, desc signature.Descriptor, opts SignOptions) ([]byte, error) |
There was a problem hiding this comment.
There are two protocols here. One is at the Signer interface level, another is at the spec level. We probably need a design doc here.
|
@gokarnm , is your requested change resolved? |
|
@SteveLasker on the call yesterday @gokarnm said the changes he made are fine with the code he reviewed so far but wants a couple changes after the PR is merged and he will file issues to track. He only reviewed 1/2 of the PR and will review the rest today. |
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
gokarnm
left a comment
gokarnm
left a comment
There was a problem hiding this comment.
Mostly superficial comments around naming and error messages.
For organizing packages and types, IMO we should not have a spec top level package. I'd keep public methods and corresponding input/output types (e.g. Descriptor) in the same package. Any private types should be moved to internal package, any public plugin types should move to plugin package.
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Co-authored-by: Milind Gokarn <milind81@gmail.com> Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
|
Thanks everyone for the feedback. I've finally removed the |
SteveLasker
left a comment
SteveLasker
left a comment
There was a problem hiding this comment.
LGTM
Great work @qmuntal
6 participants
This PR contains the following changes:
describe-keycommandgenerate-signaturerequest to includekeySpec,hashAlgorithmandconfigMapgenerate-signatureworkflow supportspec/v1/pluginandspec/v1/signaturepackage. These contains the Go types as defined in the notary spec. Having this in its own package will help decoupling the spec itself with the crypto-related code and also plugin authors who want to implement thegenerate-envelopeworkflow.This PR still doesn't implement:
generate-signatureworkflow@SteveLasker @shizhMSFT @gokarnm @jaredpar