Description
What are the areas you experience the issue in?
Notation CLI
What is not working as expected?
The notation verify command returned a too general error message, which was extremely hard for users to figure out the reason behind unless they specified the --debug flag.
notation verify localhost:5000/nginx:latest
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:latest) because resolved digest may not point to the same signed artifact, as tags are mutable.
Error: signature verification failed: artifact "localhost:5000/nginx@sha256:bfb112db4075460ec042ce13e0b9c3ebd982f93ae0be155496d050bb70006750" has no applicable trust policy
What did you expect to happen?
With the default log level, the output messages should include the specific reason for the failure.
How can we reproduce it?
Reproduced steps:
- notation sign an image: localhost:5000/nginx:latest
- The registryScopes was set to * for verifying all the images. The trustStores and trustedIdentities didn't include the certificates used for signing; see an example below:
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "trust-policy-example",
            "registryScopes": [ "*" ],
            "signatureVerification": {
                "level": "strict"
            },
            "trustStores": [ "ca:trusted" ],
            "trustedIdentities": [
                "x509.subject: O=MyOrg,ST=MyState,C=MyCountry"
            ]
        }
    ]
}
- Run the notation verify command:
notation verify localhost:5000/nginx:latest
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:latest) because resolved digest may not point to the same signed artifact, as tags are mutable.
Error: signature verification failed: artifact "localhost:5000/nginx@sha256:bfb112db4075460ec042ce13e0b9c3ebd982f93ae0be155496d050bb70006750" has no applicable trust policy
Describe your environment
WSL
What is the version of your Notation CLI or Notation Library?
v1.0.0-rc.3
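The behaviour the report asks for (a distinct reason per failed check instead of one generic message) can be illustrated with a small, self-contained Go program. This is an added example, not Notation's own code or its real policy-evaluation logic: it models the trust policy from the issue with simplified structs, matches registryScopes by exact repository name or "*", and then checks trust-store membership and trusted identity as separate stages, returning a different sentinel error for each. The SigningCert type, the RootStores field and the "ca:other" store name are constructed assumptions for the demonstration; real DN matching and chain building are far more involved.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Simplified model of a Notation-style trust policy document
// (constructed for this example; only the fields used below).
type TrustPolicyDoc struct {
	Version       string        `json:"version"`
	TrustPolicies []TrustPolicy `json:"trustPolicies"`
}

type TrustPolicy struct {
	Name                  string `json:"name"`
	RegistryScopes        []string `json:"registryScopes"`
	SignatureVerification struct {
		Level string `json:"level"`
	} `json:"signatureVerification"`
	TrustStores       []string `json:"trustStores"`
	TrustedIdentities []string `json:"trustedIdentities"`
}

// SigningCert is a hypothetical stand-in for what a verifier learns from the
// signature envelope: the leaf certificate subject and which configured trust
// stores ("type:name") contain the root of its chain.
type SigningCert struct {
	Subject    string
	RootStores []string
}

// One sentinel error per verification stage, so a caller can report which
// stage rejected the artifact rather than a single generic failure.
var (
	ErrNoScopeMatch     = errors.New("no trust policy has a registryScope covering this repository")
	ErrNotInTrustStore  = errors.New("signing certificate chain does not end in a certificate from the policy's trustStores")
	ErrIdentityMismatch = errors.New("signing certificate subject matches none of the policy's trustedIdentities")
)

// policyJSON is the trust policy from the issue report, embedded for the example.
const policyJSON = `{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "trust-policy-example",
      "registryScopes": [ "*" ],
      "signatureVerification": { "level": "strict" },
      "trustStores": [ "ca:trusted" ],
      "trustedIdentities": [ "x509.subject: O=MyOrg,ST=MyState,C=MyCountry" ]
    }
  ]
}`

func loadPolicy(data string) (TrustPolicyDoc, error) {
	var doc TrustPolicyDoc
	err := json.Unmarshal([]byte(data), &doc)
	return doc, err
}

// repositoryOf strips the digest ("@...") and then the tag (":..." after the
// last path separator) from an OCI reference; "localhost:5000" keeps its port.
func repositoryOf(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		ref = ref[:colon]
	}
	return ref
}

// explainVerification runs the checks in order and returns the first specific
// failure wrapped with the policy name, or nil when the artifact is accepted.
func explainVerification(doc TrustPolicyDoc, ref string, cert SigningCert) error {
	repo := repositoryOf(ref)
	var policy *TrustPolicy
	for i := range doc.TrustPolicies {
		for _, scope := range doc.TrustPolicies[i].RegistryScopes {
			if scope == "*" || scope == repo { // first matching policy wins in this simplified model
				policy = &doc.TrustPolicies[i]
			}
		}
		if policy != nil {
			break
		}
	}
	if policy == nil {
		return fmt.Errorf("artifact %q: %w", ref, ErrNoScopeMatch)
	}
	inStore := false
	for _, want := range policy.TrustStores {
		for _, have := range cert.RootStores {
			if want == have {
				inStore = true
			}
		}
	}
	if !inStore {
		return fmt.Errorf("policy %q: %w (configured stores: %v)", policy.Name, ErrNotInTrustStore, policy.TrustStores)
	}
	for _, id := range policy.TrustedIdentities {
		if id == "*" || strings.TrimPrefix(id, "x509.subject: ") == cert.Subject {
			return nil
		}
	}
	return fmt.Errorf("policy %q: %w (subject was %q)", policy.Name, ErrIdentityMismatch, cert.Subject)
}

func main() {
	doc, err := loadPolicy(policyJSON)
	if err != nil {
		panic(err)
	}
	ref := "localhost:5000/nginx:latest"
	subject := "O=MyOrg,ST=MyState,C=MyCountry"
	// The scenario from the report: the signing chain roots in a store the policy does not list.
	fmt.Println("1:", explainVerification(doc, ref, SigningCert{Subject: subject, RootStores: []string{"ca:other"}}))
	// Trusted root, but the leaf subject is not a trusted identity.
	fmt.Println("2:", explainVerification(doc, ref, SigningCert{Subject: "O=Someone,C=XX", RootStores: []string{"ca:trusted"}}))
	// Both checks pass.
	fmt.Println("3:", explainVerification(doc, ref, SigningCert{Subject: subject, RootStores: []string{"ca:trusted"}}))
}
```

Each error carries the policy name and the values that were compared, which is what a user would need to correct the trustStores or trustedIdentities entry without re-running under --debug.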