From a58fa654f7357c26cdbb9f2ec28f42bcbc211b16 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Mon, 17 Feb 2025 06:54:52 +0000 Subject: [PATCH 01/14] feat: add blob policy init command Signed-off-by: Junjie Gao --- cmd/notation/blob/policy/cmd.go | 1 + cmd/notation/blob/policy/import.go | 20 ++++--- cmd/notation/blob/policy/init.go | 88 ++++++++++++++++++++++++++++++ 3 files changed, 101 insertions(+), 8 deletions(-) create mode 100644 cmd/notation/blob/policy/init.go diff --git a/cmd/notation/blob/policy/cmd.go b/cmd/notation/blob/policy/cmd.go index d6f2e9dea..cc3d3d820 100644 --- a/cmd/notation/blob/policy/cmd.go +++ b/cmd/notation/blob/policy/cmd.go @@ -29,6 +29,7 @@ func Cmd() *cobra.Command { command.AddCommand( importCmd(), showCmd(), + initCmd(), ) return command diff --git a/cmd/notation/blob/policy/import.go b/cmd/notation/blob/policy/import.go index 8bca4ce98..89b191fb3 100644 --- a/cmd/notation/blob/policy/import.go +++ b/cmd/notation/blob/policy/import.go 
@@ -64,19 +64,25 @@ func runImport(opts importOpts) error { if err != nil { return fmt.Errorf("failed to read blob trust policy file: %w", err) } - var doc trustpolicy.BlobDocument if err = json.Unmarshal(policyJSON, &doc); err != nil { return fmt.Errorf("failed to parse blob trust policy configuration: %w", err) } - if err = doc.Validate(); err != nil { + if err := doc.Validate(); err != nil { return fmt.Errorf("failed to validate blob trust policy: %w", err) } + if err := writeBlobTrustPolicy(policyJSON, opts.force); err != nil { + return err + } + _, err = fmt.Fprintln(os.Stdout, "Successfully imported blob trust policy file.") + return err +} +func writeBlobTrustPolicy(policyJSON []byte, force bool) error { // optional confirmation - if !opts.force { - if _, err = trustpolicy.LoadBlobDocument(); err == nil { - confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "The blob trust policy file already exists, do you want to overwrite it?", opts.force) + if !force { + if _, err := trustpolicy.LoadBlobDocument(); err == nil { + confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "The blob trust policy file already exists, do you want to overwrite it?", force) if err != nil { return err } @@ -96,7 +102,5 @@ func runImport(opts importOpts) error { if err = osutil.WriteFile(policyPath, policyJSON); err != nil { return fmt.Errorf("failed to write blob trust policy file: %w", err) } - - _, err = fmt.Fprintln(os.Stdout, "Successfully imported blob trust policy file.") - return err + return nil } diff --git a/cmd/notation/blob/policy/init.go b/cmd/notation/blob/policy/init.go new file mode 100644 index 000000000..1fd1f1d9c --- /dev/null +++ b/cmd/notation/blob/policy/init.go 
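Review bot: The new side of the first hunk does not compile on its own: the `var doc trustpolicy.BlobDocument` declaration is removed while the context line that follows still calls `json.Unmarshal(policyJSON, &doc)`, so `doc` is undefined until 02/14 re-adds it. Keeping each commit in the series buildable makes bisecting and reviewing the `writeBlobTrustPolicy` extraction much easier. Inside `writeBlobTrustPolicy` the `force` argument passed to `cmdutil.AskForConfirmation` is always false at that point (the call sits under `if !force`), which is harmless but reads as if it mattered. runImport's head is above the hunk.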
@@ -0,0 +1,88 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package policy + +import ( + "encoding/json" + "fmt" + "os" + + "github.com/notaryproject/notation-go/verifier/trustpolicy" + "github.com/spf13/cobra" +) + +type initOpts struct { + trustStore string + trustedIdentity string + force bool +} + +func initCmd() *cobra.Command { + opts := initOpts{} + command := &cobra.Command{ + Use: "init [flags]", + Short: "Init blob trust policy file", + Long: `Init blob trust policy file. + +Example - init a blob trust file with trust store and trust policy: + notation blob policy init --trust-store : --trusted policy file "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder" +`, + Args: cobra.ExactArgs(0), + RunE: func(cmd *cobra.Command, args []string) error { + return runInit(opts) + }, + } + + command.Flags().StringVar(&opts.trustStore, "trust-store", "", "trust store in format :") + command.Flags().StringVar(&opts.trustedIdentity, "trusted-identity", "", "trust identity (e.g. 
\"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io\")") + command.Flags().BoolVar(&opts.force, "force", false, "override the existing blob trust policy configuration without prompt") + command.MarkFlagRequired("trust-store") + command.MarkFlagRequired("trusted-identity") + + return command +} + +func runInit(opts initOpts) error { + blobPolicy := trustpolicy.BlobDocument{ + Version: "1.0", + TrustPolicies: []trustpolicy.BlobTrustPolicy{ + { + Name: "default-policy", + SignatureVerification: trustpolicy.SignatureVerification{ + VerificationLevel: "strict", + }, + TrustStores: []string{opts.trustStore}, + TrustedIdentities: []string{opts.trustedIdentity}, + GlobalPolicy: true, + }, + }, + } + + // Validate the policy + if err := blobPolicy.Validate(); err != nil { + return fmt.Errorf("invalid blob policy: %w", err) + } + + policyJson, err := json.MarshalIndent(blobPolicy, "", " ") + if err != nil { + return fmt.Errorf("failed to marshal blob trust policy: %w", err) + } + + if err := writeBlobTrustPolicy(policyJson, opts.force); err != nil { + return err + } + + _, err = fmt.Fprintln(os.Stdout, "Successfully initialized blob trust policy file.") + return err +} From 53a1aa1924a53b7036fdfb19498788b35fbe3e87 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Thu, 27 Feb 2025 06:41:02 +0000 Subject: [PATCH 02/14] fix: update Signed-off-by: Junjie Gao --- cmd/notation/blob/policy/import.go | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/cmd/notation/blob/policy/import.go b/cmd/notation/blob/policy/import.go index 278c080ca..fe95842fd 100644 --- a/cmd/notation/blob/policy/import.go +++ b/cmd/notation/blob/policy/import.go @@ -64,6 +64,7 @@ func runImport(opts importOpts) error { if err != nil { return fmt.Errorf("failed to read blob trust policy file: %w", err) } + var doc trustpolicy.BlobDocument if err = json.Unmarshal(policyJSON, &doc); err != nil { return fmt.Errorf("failed to parse blob trust policy configuration: %w", err) 
@@ -71,14 +72,7 @@ func runImport(opts importOpts) error { if err = doc.Validate(); err != nil { return fmt.Errorf("failed to validate blob trust policy configuration: %w", err) } - if err := writeBlobTrustPolicy(policyJSON, opts.force); err != nil { - return err - } - _, err = fmt.Fprintln(os.Stdout, "Successfully imported blob trust policy file.") - return err -} -func writeBlobTrustPolicy(policyJSON []byte, force bool) error { // optional confirmation if _, err = trustpolicy.LoadBlobDocument(); err == nil { if !opts.force { From f52583d1ead4cc78be0f72eaa8265ed4213b3479 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Thu, 27 Feb 2025 07:53:46 +0000 Subject: [PATCH 03/14] test: E2E Signed-off-by: Junjie Gao --- cmd/notation/blob/policy/import.go | 11 ++-- cmd/notation/blob/policy/init.go | 54 ++++++++++++++----- cmd/notation/blob/policy/show.go | 20 ++++--- test/e2e/suite/command/blob/policy.go | 77 +++++++++++++++++++++++++++ 4 files changed, 138 insertions(+), 24 deletions(-) diff --git a/cmd/notation/blob/policy/import.go b/cmd/notation/blob/policy/import.go index fe95842fd..a958d65a3 100644 --- a/cmd/notation/blob/policy/import.go +++ b/cmd/notation/blob/policy/import.go @@ -21,11 +21,13 @@ import ( "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation-go/verifier/trustpolicy" "github.com/notaryproject/notation/cmd/notation/internal/cmdutil" + "github.com/notaryproject/notation/cmd/notation/internal/option" "github.com/notaryproject/notation/internal/osutil" "github.com/spf13/cobra" ) type importOpts struct { + option.Common filePath string force bool } @@ -49,6 +51,9 @@ Example - Import blob trust policy and override existing configuration without p } return nil }, + PreRun: func(cmd *cobra.Command, args []string) { + opts.Common.Parse(cmd) + }, RunE: func(cmd *cobra.Command, args []string) error { opts.filePath = args[0] return runImport(opts) 
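Review bot: Removing `writeBlobTrustPolicy` here leaves `init` (added in 01/14) with nothing to share, and 03/14's init.go hunk re-implements the same confirm-then-write sequence line for line inside `runInit`. Two copies of the overwrite logic are two places where the prompt, the warning and the path handling can drift apart; keeping one helper that both `runImport` and `runInit` call would hold the sibling commands to identical overwrite behaviour. runImport's remaining body is outside the hunk.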
@@ -84,11 +89,10 @@ func runImport(opts importOpts) error { return nil } } else { - fmt.Fprintln(os.Stderr, "Warning: existing blob trust policy configuration will be overwritten") + opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten") } } - // write policyPath, err := dir.ConfigFS().SysPath(dir.PathBlobTrustPolicy) if err != nil { return fmt.Errorf("failed to obtain path of blob trust policy configuration: %w", err) @@ -97,6 +101,5 @@ func runImport(opts importOpts) error { return fmt.Errorf("failed to write blob trust policy configuration: %w", err) } - _, err = fmt.Fprintf(os.Stdout, "Successfully imported blob trust policy configuration to %s.\n", policyPath) - return err + return opts.Printer.Printf("Successfully imported blob trust policy configuration to %s.\n", policyPath) } diff --git a/cmd/notation/blob/policy/init.go b/cmd/notation/blob/policy/init.go index 1fd1f1d9c..d452b6104 100644 --- a/cmd/notation/blob/policy/init.go +++ b/cmd/notation/blob/policy/init.go @@ -18,11 +18,17 @@ import ( "fmt" "os" + "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation-go/verifier/trustpolicy" + "github.com/notaryproject/notation/cmd/notation/internal/cmdutil" + "github.com/notaryproject/notation/cmd/notation/internal/option" + "github.com/notaryproject/notation/internal/osutil" "github.com/spf13/cobra" ) type initOpts struct { + option.Common + name string trustStore string trustedIdentity string force bool 
@@ -36,29 +42,33 @@ func initCmd() *cobra.Command { Long: `Init blob trust policy file. Example - init a blob trust file with trust store and trust policy: - notation blob policy init --trust-store : --trusted policy file "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder" + notation blob policy init --trust-store : --trusted-policy file "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder" `, Args: cobra.ExactArgs(0), + PreRun: func(cmd *cobra.Command, args []string) { + opts.Common.Parse(cmd) + }, RunE: func(cmd *cobra.Command, args []string) error { - return runInit(opts) + return runInit(&opts) }, } - command.Flags().StringVar(&opts.trustStore, "trust-store", "", "trust store in format :") - command.Flags().StringVar(&opts.trustedIdentity, "trusted-identity", "", "trust identity (e.g. \"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io\")") + command.Flags().StringVarP(&opts.name, "name", "n", "", "name of the blob trust policy") + command.Flags().StringVarP(&opts.trustStore, "trust-store", "s", "", "trust store in format :") + command.Flags().StringVarP(&opts.trustedIdentity, "trusted-identity", "i", "", "trusted identity (e.g. \"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io\")") command.Flags().BoolVar(&opts.force, "force", false, "override the existing blob trust policy configuration without prompt") + command.MarkFlagRequired("name") command.MarkFlagRequired("trust-store") command.MarkFlagRequired("trusted-identity") - return command } -func runInit(opts initOpts) error { +func runInit(opts *initOpts) error { blobPolicy := trustpolicy.BlobDocument{ Version: "1.0", TrustPolicies: []trustpolicy.BlobTrustPolicy{ { - Name: "default-policy", + Name: opts.name, SignatureVerification: trustpolicy.SignatureVerification{ VerificationLevel: "strict", }, 
@@ -69,20 +79,36 @@ func runInit(opts initOpts) error { }, } - // Validate the policy if err := blobPolicy.Validate(); err != nil { return fmt.Errorf("invalid blob policy: %w", err) } - - policyJson, err := json.MarshalIndent(blobPolicy, "", " ") + policyJSON, err := json.MarshalIndent(blobPolicy, "", " ") if err != nil { return fmt.Errorf("failed to marshal blob trust policy: %w", err) } - if err := writeBlobTrustPolicy(policyJson, opts.force); err != nil { - return err + // optional confirmation + if _, err = trustpolicy.LoadBlobDocument(); err == nil { + if !opts.force { + confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "The blob trust policy configuration already exists, do you want to overwrite it?", opts.force) + if err != nil { + return err + } + if !confirmed { + return nil + } + } else { + opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten") + } + } + + policyPath, err := dir.ConfigFS().SysPath(dir.PathBlobTrustPolicy) + if err != nil { + return fmt.Errorf("failed to obtain path of blob trust policy configuration: %w", err) + } + if err = osutil.WriteFile(policyPath, policyJSON); err != nil { + return fmt.Errorf("failed to write blob trust policy configuration: %w", err) } - _, err = fmt.Fprintln(os.Stdout, "Successfully initialized blob trust policy file.") - return err + return opts.Printer.Printf("Successfully initialized blob trust policy file to %s.\n", policyPath) } diff --git a/cmd/notation/blob/policy/show.go b/cmd/notation/blob/policy/show.go index bfbac475e..a8215ef77 100644 --- a/cmd/notation/blob/policy/show.go +++ b/cmd/notation/blob/policy/show.go 
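Review bot: The overwrite prompt in `runInit` is only reached when `trustpolicy.LoadBlobDocument()` succeeds, so if that loader fails on a malformed or invalid policy file (as show.go's `err != nil` branch anticipates), an existing file is replaced with neither prompt nor warning; runImport's context lines gate the prompt the same way. The decision should key on presence rather than validity, e.g. `if _, err := fs.Stat(dir.ConfigFS(), dir.PathBlobTrustPolicy); !errors.Is(err, fs.ErrNotExist) {` in place of the `LoadBlobDocument` check (this needs `errors` and `io/fs` in the import block). Treating any non-NotExist result as "exists" errs on the side of asking before a trust policy is overwritten.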
@@ -18,14 +18,19 @@ import ( "errors" "fmt" "io/fs" - "os" "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation-go/verifier/trustpolicy" + "github.com/notaryproject/notation/cmd/notation/internal/option" "github.com/spf13/cobra" ) +type showOpts struct { + option.Common +} + func showCmd() *cobra.Command { + opts := showOpts{} command := &cobra.Command{ Use: "show [flags]", Short: "Show blob trust policy configuration", @@ -38,14 +43,17 @@ Example - Save current blob trust policy configuration to a file: notation blob policy show > my_policy.json `, Args: cobra.ExactArgs(0), + PreRun: func(cmd *cobra.Command, args []string) { + opts.Common.Parse(cmd) + }, RunE: func(cmd *cobra.Command, args []string) error { - return runShow() + return runShow(&opts) }, } return command } -func runShow() error { +func runShow(opts *showOpts) error { policyJSON, err := fs.ReadFile(dir.ConfigFS(), dir.PathBlobTrustPolicy) if err != nil { if errors.Is(err, fs.ErrNotExist) { @@ -58,12 +66,12 @@ func runShow() error { err = doc.Validate() } if err != nil { - fmt.Fprintf(os.Stderr, "Existing blob trust policy configuration is invalid, you may update or create a new one via `notation blob policy import `. See https://github.com/notaryproject/specifications/blob/8cf800c60b7315a43f0adbcae463d848a353b412/specs/trust-store-trust-policy.md#trust-policy-for-blobs for a blob trust policy example.\n") - os.Stdout.Write(policyJSON) + opts.Printer.PrintErrorf("Existing blob trust policy configuration is invalid, you may update or create a new one via `notation blob policy import `. See https://github.com/notaryproject/specifications/blob/8cf800c60b7315a43f0adbcae463d848a353b412/specs/trust-store-trust-policy.md#trust-policy-for-blobs for a blob trust policy example.\n") + opts.Printer.Write(policyJSON) return err } // show policy content - _, err = os.Stdout.Write(policyJSON) + opts.Printer.Write(policyJSON) return err } 
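Review bot: In the last hunk `opts.Printer.Write(policyJSON)` discards the write result and the `return err` after it returns the `err` that the preceding `if err != nil` block has just proven nil, so a failed write to stdout now exits 0 where the replaced `_, err = os.Stdout.Write(policyJSON)` propagated it. If `Printer.Write` follows the `io.Writer` signature, keep `_, err = opts.Printer.Write(policyJSON)` before the return. 07/14 reverts this file to the `os.Stdout` form, which restores the check.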
diff --git a/test/e2e/suite/command/blob/policy.go b/test/e2e/suite/command/blob/policy.go
index 8c203a710..70e915344 100644
--- a/test/e2e/suite/command/blob/policy.go
+++ b/test/e2e/suite/command/blob/policy.go
@@ -222,4 +222,81 @@ var _ = Describe("blob trust policy maintainer", func() { }) }) }) + + When("initializing trust policy", func() { + Context("without existing policy", func() { + opts := Opts() + + It("should fail when no name flag is provided", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure(). + Exec("blob", "policy", "init", "--trust-store", "ca:example-store", "--trusted-identity", "x509.subject: CN=example"). + MatchErrKeyWords("required flag(s)", "name", "not set") + }) + }) + + It("should fail when no trust-store flag is provided", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure(). + Exec("blob", "policy", "init", "--name", "example-policy", "--trusted-identity", "x509.subject: CN=example"). + MatchErrKeyWords("required flag(s)", "trust-store", "not set") + }) + }) + + It("should fail when no trusted-identity flag is provided", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure(). + Exec("blob", "policy", "init", "--name", "example-policy", "--trust-store", "ca:example-store"). + MatchErrKeyWords("required flag(s)", "trusted-identity", "not set") + }) + }) + + It("should successfully initialize policy when all required flags are provided", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("blob", "policy", "init", + "--name", "example-policy", + "--trust-store", "ca:example-store", + "--trusted-identity", "x509.subject: C=example,ST=example,O=example"). + MatchKeyWords("Successfully initialized blob trust policy file") + + // Verify the policy was created + notation.Exec("blob", "policy", "show"). + MatchKeyWords("example-policy"). + MatchKeyWords("ca:example-store"). 
+ MatchKeyWords("x509.subject: C=example,ST=example,O=example") + }) + }) + }) + + Context("with existing policy", func() { + opts := Opts(AddBlobTrustPolicyOption(validBlobTrustPolicyName)) + + It("should canceled when trying to initialize with existing policy", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("blob", "policy", "init", + "--name", "new-policy", + "--trust-store", "ca:new-store", + "--trusted-identity", "x509.subject: C=example,ST=example,O=example"). + MatchKeyWords("The blob trust policy configuration already exists") + }) + }) + + It("should successfully initialize policy with force flag when policy exists", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("blob", "policy", "init", + "--name", "new-policy", + "--trust-store", "ca:new-store", + "--trusted-identity", "x509.subject: C=example,ST=example,O=example", + "--force"). + MatchKeyWords("Successfully initialized blob trust policy file") + + // Verify the new policy was created and replaced the old one + notation.Exec("blob", "policy", "show"). + MatchKeyWords("new-policy"). + MatchKeyWords("ca:new-store"). + MatchKeyWords("x509.subject: C=example,ST=example,O=example") + }) + }) + }) + }) }) From 9082f7263c7777c2c96d48eed654941676f4ece5 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Thu, 27 Feb 2025 08:09:33 +0000 Subject: [PATCH 04/14] test: E2E Signed-off-by: Junjie Gao --- test/e2e/suite/command/blob/policy.go | 32 +++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/test/e2e/suite/command/blob/policy.go b/test/e2e/suite/command/blob/policy.go index 70e915344..65717212c 100644 --- a/test/e2e/suite/command/blob/policy.go +++ b/test/e2e/suite/command/blob/policy.go 
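Review bot: The `should canceled when trying to initialize with existing policy` spec only checks that the prompt text appeared; nothing asserts that the existing policy survived, so a regression that prompted and then overwrote anyway would still pass. A follow-up `notation.Exec("blob", "policy", "show")` checked for the original policy's content rather than `new-policy` would close that gap; the `--force` spec below already performs the mirror-image check. The spec name also reads better as `should cancel ...`.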
@@ -251,6 +251,38 @@ var _ = Describe("blob trust policy maintainer", func() { }) }) + It("should fail when invalid trusted-identity format is provided", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure(). + Exec("blob", "policy", "init", + "--name", "example-policy", + "--trust-store", "ca:example-store", + "--trusted-identity", "invalid"). + MatchErrKeyWords("invalid blob policy") + }) + }) + + It("should fail when directory doesn't have write permission", func() { + Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + // Create the notation config directory if it doesn't exist + configDir := vhost.AbsolutePath(NotationDirName) + err := os.MkdirAll(configDir, 0755) + Expect(err).NotTo(HaveOccurred()) + + // Remove write permissions from the directory + err = os.Chmod(configDir, 0500) // r-x for owner, no write + Expect(err).NotTo(HaveOccurred()) + defer os.Chmod(configDir, 0755) // Restore permissions after test + + notation.ExpectFailure(). + Exec("blob", "policy", "init", + "--name", "example-policy", + "--trust-store", "ca:example-store", + "--trusted-identity", "x509.subject: C=example,ST=example,O=example"). + MatchErrKeyWords("failed to write blob trust policy configuration") + }) + }) + It("should successfully initialize policy when all required flags are provided", func() { Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("blob", "policy", "init", From 47191c62399e0eae8c5758f589ae375a3f6b321a Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Tue, 4 Mar 2025 04:40:49 +0000 Subject: [PATCH 05/14] fix: update Signed-off-by: Junjie Gao --- cmd/notation/blob/policy/init.go | 30 ++++++++++++++------------- test/e2e/run.sh | 2 +- test/e2e/suite/command/blob/policy.go | 20 ++++++++++++------ 3 files changed, 31 insertions(+), 21 deletions(-) 
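Review bot: The write-permission spec relies on `0500` stopping writes to the config directory, which does not hold when the E2E runner is root (common in containers): root bypasses mode bits, `init` succeeds, and `ExpectFailure()` turns the spec red. Guard it before the chmod with Ginkgo's skip, e.g. `if os.Geteuid() == 0 { Skip("permission bits are not enforced for root") }`. The deferred `os.Chmod(configDir, 0755)` also ignores its error, which is acceptable for cleanup but worth a short comment; whether `os` is already imported by this file is not visible in the hunk.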
diff --git a/cmd/notation/blob/policy/init.go b/cmd/notation/blob/policy/init.go index d452b6104..95d411ef1 100644 --- a/cmd/notation/blob/policy/init.go +++ b/cmd/notation/blob/policy/init.go @@ -28,21 +28,22 @@ import ( type initOpts struct { option.Common - name string - trustStore string - trustedIdentity string - force bool + name string + trustStores []string + trustedIdentities []string + force bool + global bool } func initCmd() *cobra.Command { opts := initOpts{} command := &cobra.Command{ Use: "init [flags]", - Short: "Init blob trust policy file", - Long: `Init blob trust policy file. + Short: "Initialize blob trust policy configuration", + Long: `Initialize blob trust policy configuration. -Example - init a blob trust file with trust store and trust policy: - notation blob policy init --trust-store : --trusted-policy file "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder" +Example - init a blob trust policy configuration with a trust store and a trusted identity: + notation blob policy init --name examplePolicy --trust-store : --trusted-policy file "x509.subject: C=US, ST=WA, O=acme-rockets.io" `, Args: cobra.ExactArgs(0), PreRun: func(cmd *cobra.Command, args []string) { 
@@ -54,9 +55,10 @@ Example - init a blob trust file with trust store and trust policy: } command.Flags().StringVarP(&opts.name, "name", "n", "", "name of the blob trust policy") - command.Flags().StringVarP(&opts.trustStore, "trust-store", "s", "", "trust store in format :") - command.Flags().StringVarP(&opts.trustedIdentity, "trusted-identity", "i", "", "trusted identity (e.g. \"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io\")") - command.Flags().BoolVar(&opts.force, "force", false, "override the existing blob trust policy configuration without prompt") + command.Flags().StringArrayVar(&opts.trustStores, "trust-store", nil, "trust store in the format \":\"") + command.Flags().StringArrayVar(&opts.trustedIdentities, "trusted-identity", nil, "trusted identity, use the format \"x509.subject:\" for x509 CA scheme and \"\" for x509 signingAuthority scheme") + command.Flags().BoolVar(&opts.force, "force", false, "override the existing blob trust policy configuration, never prompt (default --force=false)") + command.Flags().BoolVar(&opts.global, "global", false, "set the policy as the global policy (default --global=false)") command.MarkFlagRequired("name") command.MarkFlagRequired("trust-store") command.MarkFlagRequired("trusted-identity") @@ -72,9 +74,9 @@ func runInit(opts *initOpts) error { SignatureVerification: trustpolicy.SignatureVerification{ VerificationLevel: "strict", }, - TrustStores: []string{opts.trustStore}, - TrustedIdentities: []string{opts.trustedIdentity}, - GlobalPolicy: true, + TrustStores: opts.trustStores, + TrustedIdentities: opts.trustedIdentities, + GlobalPolicy: opts.global, }, }, } diff --git a/test/e2e/run.sh b/test/e2e/run.sh index 239d6a219..2bfa14250 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -127,4 +127,4 @@ export NOTATION_E2E_BLOB_TRUST_POLICY_PATH=$CWD/testdata/blob/trustpolicies export NOTATION_E2E_TEST_DATA_PATH=$CWD/testdata # run tests -ginkgo -r -p -v +ginkgo -r -p -v --focus "initializing trust policy" 
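Review bot: `ginkgo -r -p -v --focus "initializing trust policy"` in run.sh narrows the entire E2E run to this one `When` block, so every other suite stops running in CI until 06/14 reverts it. A focus like this belongs on the developer's command line or on a temporary `FIt`/`FWhen`, never in the committed runner script; landing and reverting it inside the same series is noise that a rebase could drop.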
diff --git a/test/e2e/suite/command/blob/policy.go b/test/e2e/suite/command/blob/policy.go index 65717212c..b0317859f 100644 --- a/test/e2e/suite/command/blob/policy.go +++ b/test/e2e/suite/command/blob/policy.go @@ -287,15 +287,23 @@ var _ = Describe("blob trust policy maintainer", func() { Host(opts, func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("blob", "policy", "init", "--name", "example-policy", + "--global", "--trust-store", "ca:example-store", - "--trusted-identity", "x509.subject: C=example,ST=example,O=example"). + "--trust-store", "ca:example-store2", + "--trusted-identity", "x509.subject: C=example,ST=example,O=example", + "--trusted-identity", "x509.subject: C=example2,ST=example,O=example"). MatchKeyWords("Successfully initialized blob trust policy file") // Verify the policy was created notation.Exec("blob", "policy", "show"). - MatchKeyWords("example-policy"). - MatchKeyWords("ca:example-store"). - MatchKeyWords("x509.subject: C=example,ST=example,O=example") + MatchKeyWords( + "example-policy", + "ca:example-store", + "ca:example-store2", + "x509.subject: C=example,ST=example,O=example", + "x509.subject: C=example2,ST=example,O=example", + `"globalPolicy": true`, + ) }) }) }) @@ -318,7 +326,7 @@ var _ = Describe("blob trust policy maintainer", func() { notation.Exec("blob", "policy", "init", "--name", "new-policy", "--trust-store", "ca:new-store", - "--trusted-identity", "x509.subject: C=example,ST=example,O=example", + "--trusted-identity", "x509.subject: C=example, ST=example, O=example", "--force"). MatchKeyWords("Successfully initialized blob trust policy file") @@ -326,7 +334,7 @@ var _ = Describe("blob trust policy maintainer", func() { notation.Exec("blob", "policy", "show"). MatchKeyWords("new-policy"). MatchKeyWords("ca:new-store"). - MatchKeyWords("x509.subject: C=example,ST=example,O=example") + MatchKeyWords("x509.subject: C=example, ST=example, O=example") }) }) }) 
From ecb23f4d94a0f5b559b449f7fe029d2f61cbe030 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Tue, 4 Mar 2025 05:03:44 +0000 Subject: [PATCH 06/14] fix: update Signed-off-by: Junjie Gao --- cmd/notation/blob/policy/import.go | 4 ++-- cmd/notation/blob/policy/init.go | 10 +++++----- cmd/notation/policy/import.go | 2 +- test/e2e/run.sh | 2 +- test/e2e/suite/command/blob/policy.go | 28 +++++++++++++++++++-------- 5 files changed, 29 insertions(+), 17 deletions(-) diff --git a/cmd/notation/blob/policy/import.go b/cmd/notation/blob/policy/import.go index a958d65a3..33b841e21 100644 --- a/cmd/notation/blob/policy/import.go +++ b/cmd/notation/blob/policy/import.go @@ -89,7 +89,7 @@ func runImport(opts importOpts) error { return nil } } else { - opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten") + opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten\n") } } @@ -101,5 +101,5 @@ func runImport(opts importOpts) error { return fmt.Errorf("failed to write blob trust policy configuration: %w", err) } - return opts.Printer.Printf("Successfully imported blob trust policy configuration to %s.\n", policyPath) + return opts.Printer.Printf("Successfully imported blob trust policy configuration to %s\n", policyPath) } diff --git a/cmd/notation/blob/policy/init.go b/cmd/notation/blob/policy/init.go index 95d411ef1..5c713ad4f 100644 --- a/cmd/notation/blob/policy/init.go +++ b/cmd/notation/blob/policy/init.go 
@@ -38,12 +38,12 @@ type initOpts struct { func initCmd() *cobra.Command { opts := initOpts{} command := &cobra.Command{ - Use: "init [flags]", + Use: `init [flags] --name --trust-store ":" --trusted-identity ""`, Short: "Initialize blob trust policy configuration", Long: `Initialize blob trust policy configuration. Example - init a blob trust policy configuration with a trust store and a trusted identity: - notation blob policy init --name examplePolicy --trust-store : --trusted-policy file "x509.subject: C=US, ST=WA, O=acme-rockets.io" + notation blob policy init --name examplePolicy --trust-store ca:exampleStore --trusted-identity "x509.subject: C=US, ST=WA, O=acme-rockets.io" `, Args: cobra.ExactArgs(0), PreRun: func(cmd *cobra.Command, args []string) { @@ -72,7 +72,7 @@ func runInit(opts *initOpts) error { { Name: opts.name, SignatureVerification: trustpolicy.SignatureVerification{ - VerificationLevel: "strict", + VerificationLevel: trustpolicy.LevelStrict.Name, }, TrustStores: opts.trustStores, TrustedIdentities: opts.trustedIdentities, @@ -100,7 +100,7 @@ func runInit(opts *initOpts) error { return nil } } else { - opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten") + opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten\n") } } @@ -112,5 +112,5 @@ func runInit(opts *initOpts) error { return fmt.Errorf("failed to write blob trust policy configuration: %w", err) } - return opts.Printer.Printf("Successfully initialized blob trust policy file to %s.\n", policyPath) + return opts.Printer.Printf("Successfully initialized blob trust policy file to %s\n", policyPath) } diff --git a/cmd/notation/policy/import.go b/cmd/notation/policy/import.go index f0c91f417..231ce36c0 100644 --- a/cmd/notation/policy/import.go +++ b/cmd/notation/policy/import.go 
@@ -108,7 +108,7 @@ func runImport(command *cobra.Command, opts importOpts) error { fmt.Fprintln(os.Stdout, "Deleted old trust policy configuration trustpolicy.json.") } - _, err = fmt.Fprintf(os.Stdout, "Successfully imported OCI trust policy configuration to %s.\n", policyPath) + _, err = fmt.Fprintf(os.Stdout, "Successfully imported OCI trust policy configuration to %s\n", policyPath) return err } diff --git a/test/e2e/run.sh b/test/e2e/run.sh index 2bfa14250..239d6a219 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -127,4 +127,4 @@ export NOTATION_E2E_BLOB_TRUST_POLICY_PATH=$CWD/testdata/blob/trustpolicies export NOTATION_E2E_TEST_DATA_PATH=$CWD/testdata # run tests -ginkgo -r -p -v --focus "initializing trust policy" +ginkgo -r -p -v diff --git a/test/e2e/suite/command/blob/policy.go b/test/e2e/suite/command/blob/policy.go index b0317859f..ad5c9f976 100644 --- a/test/e2e/suite/command/blob/policy.go +++ b/test/e2e/suite/command/blob/policy.go @@ -296,14 +296,26 @@ var _ = Describe("blob trust policy maintainer", func() { // Verify the policy was created notation.Exec("blob", "policy", "show"). - MatchKeyWords( - "example-policy", - "ca:example-store", - "ca:example-store2", - "x509.subject: C=example,ST=example,O=example", - "x509.subject: C=example2,ST=example,O=example", - `"globalPolicy": true`, - ) + MatchContent(`{ + "version": "1.0", + "trustPolicies": [ + { + "name": "example-policy", + "signatureVerification": { + "level": "strict" + }, + "trustStores": [ + "ca:example-store", + "ca:example-store2" + ], + "trustedIdentities": [ + "x509.subject: C=example,ST=example,O=example", + "x509.subject: C=example2,ST=example,O=example" + ], + "globalPolicy": true + } + ] +}`) }) }) }) From fa8d628a7f9c439000c1ff79bfb81347f6a14171 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Tue, 4 Mar 2025 05:13:00 +0000 Subject: [PATCH 07/14] fix: restore file 
Signed-off-by: Junjie Gao --- cmd/notation/blob/policy/import.go | 11 ++++------- cmd/notation/blob/policy/show.go | 20 ++++++-------------- cmd/notation/policy/import.go | 2 +- 3 files changed, 11 insertions(+), 22 deletions(-) diff --git a/cmd/notation/blob/policy/import.go b/cmd/notation/blob/policy/import.go index 33b841e21..fe95842fd 100644 --- a/cmd/notation/blob/policy/import.go +++ b/cmd/notation/blob/policy/import.go @@ -21,13 +21,11 @@ import ( "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation-go/verifier/trustpolicy" "github.com/notaryproject/notation/cmd/notation/internal/cmdutil" - "github.com/notaryproject/notation/cmd/notation/internal/option" "github.com/notaryproject/notation/internal/osutil" "github.com/spf13/cobra" ) type importOpts struct { - option.Common filePath string force bool } @@ -51,9 +49,6 @@ Example - Import blob trust policy and override existing configuration without p } return nil }, - PreRun: func(cmd *cobra.Command, args []string) { - opts.Common.Parse(cmd) - }, RunE: func(cmd *cobra.Command, args []string) error { opts.filePath = args[0] return runImport(opts) @@ -89,10 +84,11 @@ func runImport(opts importOpts) error { return nil } } else { - opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten\n") + fmt.Fprintln(os.Stderr, "Warning: existing blob trust policy configuration will be overwritten") } } + // write policyPath, err := dir.ConfigFS().SysPath(dir.PathBlobTrustPolicy) if err != nil { return fmt.Errorf("failed to obtain path of blob trust policy configuration: %w", err) @@ -101,5 +97,6 @@ func runImport(opts importOpts) error { return fmt.Errorf("failed to write blob trust policy configuration: %w", err) } - return opts.Printer.Printf("Successfully imported blob trust policy configuration to %s\n", policyPath) + _, err = fmt.Fprintf(os.Stdout, "Successfully imported blob trust policy configuration to %s.\n", policyPath) + return err } 
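Review bot: After this revert `runImport` writes through `fmt.Fprintln(os.Stderr, ...)` and `fmt.Fprintf(os.Stdout, ...)` again, while `runInit` as of 06/14 routes the equivalent warning and success messages through `opts.Printer`, so the two sibling commands now differ in how their output is wired. If the goal is to keep this PR scoped to `init`, that is a reasonable trade, but a one-line comment in the commit message saying the `option.Common` migration of `import`/`show` is deferred would stop the next reader from re-proposing it. The final state of init.go is not visible here, so this is inferred from the 06/14 hunks.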
diff --git a/cmd/notation/blob/policy/show.go b/cmd/notation/blob/policy/show.go index a8215ef77..bfbac475e 100644 --- a/cmd/notation/blob/policy/show.go +++ b/cmd/notation/blob/policy/show.go @@ -18,19 +18,14 @@ import ( "errors" "fmt" "io/fs" + "os" "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation-go/verifier/trustpolicy" - "github.com/notaryproject/notation/cmd/notation/internal/option" "github.com/spf13/cobra" ) -type showOpts struct { - option.Common -} - func showCmd() *cobra.Command { - opts := showOpts{} command := &cobra.Command{ Use: "show [flags]", Short: "Show blob trust policy configuration", @@ -43,17 +38,14 @@ Example - Save current blob trust policy configuration to a file: notation blob policy show > my_policy.json `, Args: cobra.ExactArgs(0), - PreRun: func(cmd *cobra.Command, args []string) { - opts.Common.Parse(cmd) - }, RunE: func(cmd *cobra.Command, args []string) error { - return runShow(&opts) + return runShow() }, } return command } -func runShow(opts *showOpts) error { +func runShow() error { policyJSON, err := fs.ReadFile(dir.ConfigFS(), dir.PathBlobTrustPolicy) if err != nil { if errors.Is(err, fs.ErrNotExist) { 
@@ -66,12 +58,12 @@ func runShow(opts *showOpts) error {
 err = doc.Validate()
 }
 if err != nil {
- opts.Printer.PrintErrorf("Existing blob trust policy configuration is invalid, you may update or create a new one via `notation blob policy import `. See https://github.com/notaryproject/specifications/blob/8cf800c60b7315a43f0adbcae463d848a353b412/specs/trust-store-trust-policy.md#trust-policy-for-blobs for a blob trust policy example.\n")
- opts.Printer.Write(policyJSON)
+ fmt.Fprintf(os.Stderr, "Existing blob trust policy configuration is invalid, you may update or create a new one via `notation blob policy import `. See https://github.com/notaryproject/specifications/blob/8cf800c60b7315a43f0adbcae463d848a353b412/specs/trust-store-trust-policy.md#trust-policy-for-blobs for a blob trust policy example.\n")
+ os.Stdout.Write(policyJSON)
 return err
 }
 
 // show policy content
- opts.Printer.Write(policyJSON)
+ _, err = os.Stdout.Write(policyJSON)
 return err
 }
diff --git a/cmd/notation/policy/import.go b/cmd/notation/policy/import.go
index 231ce36c0..f0c91f417 100644
--- a/cmd/notation/policy/import.go
+++ b/cmd/notation/policy/import.go
@@ -108,7 +108,7 @@ func runImport(command *cobra.Command, opts importOpts) error {
 fmt.Fprintln(os.Stdout, "Deleted old trust policy configuration trustpolicy.json.")
 }
 
- _, err = fmt.Fprintf(os.Stdout, "Successfully imported OCI trust policy configuration to %s\n", policyPath)
+ _, err = fmt.Fprintf(os.Stdout, "Successfully imported OCI trust policy configuration to %s.\n", policyPath)
 return err
 }
 
From c4e26ef56fefc8e249b9ace68dfae49e3a0177af Mon Sep 17 00:00:00 2001
From: Junjie Gao
Date: Tue, 4 Mar 2025 05:16:01 +0000
Subject: [PATCH 08/14] fix: update

Signed-off-by: Junjie Gao
---
 test/e2e/suite/command/blob/policy.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/test/e2e/suite/command/blob/policy.go b/test/e2e/suite/command/blob/policy.go
index ad5c9f976..90295e284 100644
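Review bot: In the invalid-policy branch the result of `os.Stdout.Write(policyJSON)` is discarded while the happy path below checks the same call, so a short or failed write of the dumped policy is silently lost there; `if _, werr := os.Stdout.Write(policyJSON); werr != nil { return fmt.Errorf("%w; writing policy: %w", err, werr) }` keeps the validation error as the primary one (that two-`%w` form needs Go 1.20 or newer, which I cannot confirm from this hunk). The new `fmt.Fprintf(os.Stderr, ...)` is called with a constant string that contains no verbs and no arguments, so `fmt.Fprint(os.Stderr, ...)` is the plainer call. runShow starts outside this hunk.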
--- a/test/e2e/suite/command/blob/policy.go
+++ b/test/e2e/suite/command/blob/policy.go
@@ -344,9 +344,11 @@ var _ = Describe("blob trust policy maintainer", func() {
 
 // Verify the new policy was created and replaced the old one
 notation.Exec("blob", "policy", "show").
- MatchKeyWords("new-policy").
- MatchKeyWords("ca:new-store").
- MatchKeyWords("x509.subject: C=example, ST=example, O=example")
+ MatchKeyWords(
+ "new-policy",
+ "ca:new-store",
+ "x509.subject: C=example, ST=example, O=example",
+ )
 })
 })
 })
From 20e0a81fd7681064aac6599d024986c71392a997 Mon Sep 17 00:00:00 2001
From: Junjie Gao
Date: Tue, 4 Mar 2025 05:57:55 +0000
Subject: [PATCH 09/14] fix: update

Signed-off-by: Junjie Gao
---
 test/e2e/suite/scenario/blob.go | 86 +++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 test/e2e/suite/scenario/blob.go

diff --git a/test/e2e/suite/scenario/blob.go b/test/e2e/suite/scenario/blob.go
new file mode 100644
index 000000000..7c01b52b6
--- /dev/null
+++ b/test/e2e/suite/scenario/blob.go
@@ -0,0 +1,86 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package scenario_test
+
+import (
+ "os"
+ "path/filepath"
+
+ . "github.com/notaryproject/notation/test/e2e/internal/notation"
+ "github.com/notaryproject/notation/test/e2e/internal/utils"
+ . "github.com/notaryproject/notation/test/e2e/suite/common"
+ . "github.com/onsi/ginkgo/v2"
+)
+
+var _ = Describe("notation blob", Serial, func() {
+ It("signing and verifying with policy init command", func() {
+ Host(Opts(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ workDir := vhost.AbsolutePath()
+
+ // create a file to be signed
+ content := "hello, world"
+ blobPath := filepath.Join(workDir, "hello.txt")
+ if err := os.WriteFile(blobPath, []byte(content), 0644); err != nil {
+ Fail(err.Error())
+ }
+
+ // generate a testing key pair
+ notation.Exec("cert", "generate-test", "--default", "testcert").
+ MatchKeyWords(
+ "Successfully added testcert.crt to named store testcert of type ca",
+ "testcert: added to the key list",
+ )
+
+ // sign the file
+ notation.WithWorkDir(workDir).Exec("blob", "sign", blobPath).
+ MatchKeyWords(SignSuccessfully)
+
+ // policy init
+ notation.Exec("blob", "policy", "init",
+ "--name", "testpolicy",
+ "--trust-store", "ca:testcert",
+ "--trusted-identity", "x509.subject: CN=testcert,O=Notary,L=Seattle,ST=WA,C=US").
+ MatchKeyWords(
+ "Successfully initialized blob trust policy file to",
+ )
+
+ notation.Exec("blob", "policy", "show").
+ MatchContent(`{
+ "version": "1.0",
+ "trustPolicies": [
+ {
+ "name": "testpolicy",
+ "signatureVerification": {
+ "level": "strict"
+ },
+ "trustStores": [
+ "ca:testcert"
+ ],
+ "trustedIdentities": [
+ "x509.subject: CN=testcert,O=Notary,L=Seattle,ST=WA,C=US"
+ ]
+ }
+ ]
+}`)
+
+ // verify the blob signature hello.txt.jws.sig
+ sigPath := blobPath + ".jws.sig"
+ notation.Exec("blob", "verify",
+ "--signature", sigPath,
+ "--policy-name", "testpolicy",
+ blobPath).
+ MatchKeyWords(VerifySuccessfully)
+ })
+ })
+})
From 805f380b44bb79867d0866d70a795281cc31e9a6 Mon Sep 17 00:00:00 2001
From: Junjie Gao
Date: Tue, 4 Mar 2025 06:11:25 +0000
Subject: [PATCH 10/14] fix: update

Signed-off-by: Junjie Gao
---
 cmd/notation/blob/policy/init.go | 11 +++++------
 cmd/notation/internal/option/signer.go | 0
 2 files changed, 5 insertions(+), 6 deletions(-)
 create mode 100644 cmd/notation/internal/option/signer.go

diff --git a/cmd/notation/blob/policy/init.go b/cmd/notation/blob/policy/init.go
index 5c713ad4f..d150c4d1a 100644
--- a/cmd/notation/blob/policy/init.go
+++ b/cmd/notation/blob/policy/init.go
@@ -80,17 +80,12 @@ func runInit(opts *initOpts) error {
 },
 },
 }
-
 if err := blobPolicy.Validate(); err != nil {
 return fmt.Errorf("invalid blob policy: %w", err)
 }
- policyJSON, err := json.MarshalIndent(blobPolicy, "", " ")
- if err != nil {
- return fmt.Errorf("failed to marshal blob trust policy: %w", err)
- }
 
 // optional confirmation
- if _, err = trustpolicy.LoadBlobDocument(); err == nil {
+ if _, err := trustpolicy.LoadBlobDocument(); err == nil {
 if !opts.force {
 confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "The blob trust policy configuration already exists, do you want to overwrite it?", opts.force)
 if err != nil {
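Review bot: The new scenario only exercises the accepting path: the `--trusted-identity` given to `policy init` matches the generated test certificate, so a `blob verify` that ignored the policy entirely would pass this test just as well. Add a negative case that re-initialises the policy with a non-matching trusted identity (or a trust store that does not contain testcert) and asserts that `blob verify --policy-name testpolicy` fails, so the test demonstrates the policy is actually enforced. The `MatchContent` golden pins the exact indentation produced by the init command, which I assume is a whole-output comparison; matching the significant fields with `MatchKeyWords` as the earlier steps do would survive a formatting change without weakening the check.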
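Review bot: The overwrite confirmation is keyed on the new `if _, err := trustpolicy.LoadBlobDocument(); err == nil` line succeeding, so an existing policy file that fails to parse or validate, or cannot be read, is overwritten with no prompt and no warning even when `--force` is not given. Since the prompt exists to protect an operator's existing trust configuration, it should trigger on the file's presence rather than on a successful load — treat only a not-found result as "nothing to overwrite" and prompt (or at least warn) for every other outcome; whether LoadBlobDocument's error can be tested with `errors.Is(err, fs.ErrNotExist)` is not visible in this hunk. runInit starts outside this hunk.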
@@ -108,6 +103,10 @@ func runInit(opts *initOpts) error {
 if err != nil {
 return fmt.Errorf("failed to obtain path of blob trust policy configuration: %w", err)
 }
+ policyJSON, err := json.MarshalIndent(blobPolicy, "", " ")
+ if err != nil {
+ return fmt.Errorf("failed to marshal blob trust policy: %w", err)
+ }
 if err = osutil.WriteFile(policyPath, policyJSON); err != nil {
 return fmt.Errorf("failed to write blob trust policy configuration: %w", err)
 }
diff --git a/cmd/notation/internal/option/signer.go b/cmd/notation/internal/option/signer.go
new file mode 100644
index 000000000..e69de29bb
From 28fbb5e80ad16dce1fdbbf72641e222fa07f70b4 Mon Sep 17 00:00:00 2001
From: Junjie Gao
Date: Tue, 4 Mar 2025 06:13:48 +0000
Subject: [PATCH 11/14] fix: update

Signed-off-by: Junjie Gao
---
 cmd/notation/internal/option/signer.go | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cmd/notation/internal/option/signer.go

diff --git a/cmd/notation/internal/option/signer.go b/cmd/notation/internal/option/signer.go
deleted file mode 100644
index e69de29bb..000000000
From b044bcf52fdc699fce0fc10d664bea4224840e81 Mon Sep 17 00:00:00 2001
From: Junjie Gao
Date: Mon, 10 Mar 2025 06:41:59 +0000
Subject: [PATCH 12/14] fix: update

Signed-off-by: Junjie Gao
---
 cmd/notation/blob/policy/init.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cmd/notation/blob/policy/init.go b/cmd/notation/blob/policy/init.go
index d150c4d1a..422797fb6 100644
--- a/cmd/notation/blob/policy/init.go
+++ b/cmd/notation/blob/policy/init.go
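Review bot: Marshalling right before `osutil.WriteFile(policyPath, policyJSON)` is the right order, but the mode and replacement strategy of that write are not visible here, and this file decides which signatures `blob verify` accepts; it is worth confirming that osutil.WriteFile does not create the policy group- or world-writable and that it replaces an existing file atomically (temp file plus rename), so an interrupted init cannot leave a truncated policy that show and verify then reject. A one-line comment on the call, e.g. `// WriteFile creates the policy with owner-only permissions — see osutil`, would record whichever guarantee it actually gives. runInit starts outside this hunk.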
@@ -20,14 +20,14 @@ import (
 
 "github.com/notaryproject/notation-go/dir"
 "github.com/notaryproject/notation-go/verifier/trustpolicy"
- "github.com/notaryproject/notation/cmd/notation/internal/cmdutil"
- "github.com/notaryproject/notation/cmd/notation/internal/option"
+ "github.com/notaryproject/notation/cmd/notation/internal/display"
+ "github.com/notaryproject/notation/cmd/notation/internal/display/output"
 "github.com/notaryproject/notation/internal/osutil"
 "github.com/spf13/cobra"
 )
 
 type initOpts struct {
- option.Common
+ printer *output.Printer
 name string
 trustStores []string
 trustedIdentities []string
@@ -47,7 +47,7 @@ Example - init a blob trust policy configuration with a trust store and a truste
 `,
 Args: cobra.ExactArgs(0),
 PreRun: func(cmd *cobra.Command, args []string) {
- opts.Common.Parse(cmd)
+ opts.printer = output.NewPrinter(cmd.OutOrStdout(), cmd.OutOrStderr())
 },
 RunE: func(cmd *cobra.Command, args []string) error {
 return runInit(&opts)
@@ -87,7 +87,7 @@ func runInit(opts *initOpts) error {
 // optional confirmation
 if _, err := trustpolicy.LoadBlobDocument(); err == nil {
 if !opts.force {
- confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "The blob trust policy configuration already exists, do you want to overwrite it?", opts.force)
+ confirmed, err := display.AskForConfirmation(os.Stdin, "The blob trust policy configuration already exists, do you want to overwrite it?", opts.force)
 if err != nil {
 return err
 }
@@ -95,7 +95,7 @@ func runInit(opts *initOpts) error {
 return nil
 }
 } else {
- opts.Printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten\n")
+ opts.printer.PrintErrorf("Warning: existing blob trust policy configuration will be overwritten\n")
 }
 }
 
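Review bot: `opts.printer` is assigned only in PreRun, so any path that reaches runInit without PreRun (a direct call from a unit test, or a parent command that overrides the hook) dereferences a nil *output.Printer at the warning line in the last hunk and at the final Printf; a guard at the top of runInit, `if opts.printer == nil { opts.printer = output.NewPrinter(os.Stdout, os.Stderr) }`, removes that trap. The confirmation prompt still reads `os.Stdin` directly while output now goes through `cmd.OutOrStdout()`/`cmd.OutOrStderr()`, so the prompt cannot be driven the same way the output can now be captured; storing `cmd.InOrStdin()` in initOpts alongside the printer would make the three streams consistent. After this series the sibling import and show commands write to os.Stdout/os.Stderr directly, so the package now carries two output styles; worth settling on one. runInit starts outside these hunks.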
@@ -111,5 +111,5 @@ func runInit(opts *initOpts) error {
 return fmt.Errorf("failed to write blob trust policy configuration: %w", err)
 }
 
- return opts.Printer.Printf("Successfully initialized blob trust policy file to %s\n", policyPath)
+ return opts.printer.Printf("Successfully initialized blob trust policy file to %s\n", policyPath)
 }
From d96c033fdb964b3d6e801ea771ecbe701dfbf1c9 Mon Sep 17 00:00:00 2001
From: Junjie Gao
Date: Mon, 10 Mar 2025 06:42:46 +0000
Subject: [PATCH 13/14] fix: update

Signed-off-by: Junjie Gao
---
 cmd/notation/blob/policy/init.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/notation/blob/policy/init.go b/cmd/notation/blob/policy/init.go
index 422797fb6..27e50d487 100644
--- a/cmd/notation/blob/policy/init.go
+++ b/cmd/notation/blob/policy/init.go
@@ -111,5 +111,5 @@ func runInit(opts *initOpts) error {
 return fmt.Errorf("failed to write blob trust policy configuration: %w", err)
 }
 
- return opts.printer.Printf("Successfully initialized blob trust policy file to %s\n", policyPath)
+ return opts.printer.Printf("Successfully initialized blob trust policy file to %s.\n", policyPath)
 }
From 4f1c92a4a7d92ab250f1e1ba29456fd7ef544f6e Mon Sep 17 00:00:00 2001
From: Junjie Gao
Date: Mon, 10 Mar 2025 06:44:02 +0000
Subject: [PATCH 14/14] fix: update spec

Signed-off-by: Junjie Gao
---
 specs/proposals/blob-signing.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/specs/proposals/blob-signing.md b/specs/proposals/blob-signing.md
index ebdb71f8a..f72f44919 100644
--- a/specs/proposals/blob-signing.md
+++ b/specs/proposals/blob-signing.md
@@ -72,7 +72,7 @@ For file-based distribution, such as SBOMs or release artifacts shared via a web
 - Set up trust policy for blobs with a new command `notation blob policy init`. This command streamlines the process, eliminating the need for users to consult documentation for the correct trust policy format and preventing the accidental use of policies intended for OCI artifact verification.
 
 ```shell
- notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trust-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
+ notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trusted-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
 ```
 
 Show the policies configured for verifying blobs:
@@ -243,7 +243,7 @@ For registry-based distribution, such as using an OCI-compliant container regist
 - Set up the trust policy:
 
 ```shell
- notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trust-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
+ notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trusted-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
 ```
 
 - Download the blob and signature using ORAS tool:
@@ -279,19 +279,19 @@ The following commands are available for managing blob trust poliies:
 - Initialize blob trust policy configuration:
 
 ```shell
- notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trust-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
+ notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trusted-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
 ```
 
 - Initialize the blob trust policy configuration and set the policy specified by the `--name` flag as the global policy.
 
 ```shell
- notation blob policy init --global --name "myBlobPolicy" --trust-store "ca:myCACerts" --trust-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
+ notation blob policy init --global --name "myBlobPolicy" --trust-store "ca:myCACerts" --trusted-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
 ```
 
 - Overwrite an existing policy with a prompt:
 
 ```shell
- notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trust-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
+ notation blob policy init --name "myBlobPolicy" --trust-store "ca:myCACerts" --trusted-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
 ```
 
 If the blob policy named `myBlobPolicy` has already been initialized before, running this command will prompt the user to confirm whether they want to overwrite the existing blob policy.
@@ -299,7 +299,7 @@ The following commands are available for managing blob trust poliies:
 - Overwrite an existing policy with a prompt using the flag `--force`:
 
 ```shell
- notation blob policy init --force --name "myBlobPolicy" --trust-store "ca:myCACerts" --trust-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
+ notation blob policy init --force --name "myBlobPolicy" --trust-store "ca:myCACerts" --trusted-identity "x509.subject:C=US,ST=WA,O=wabbit-network.io"
 ```
 
 - Show the blob policy: