feat: add notation certificate cleanup-test command

cmd/notation/cert/cleanupTest.go

@@ -0,0 +1,132 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+
+	"github.com/notaryproject/notation-go/config"
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation/v2/cmd/notation/internal/display"
+	"github.com/notaryproject/notation/v2/cmd/notation/internal/truststore"
+	"github.com/spf13/cobra"
+)
+
+type certCleanupTestOpts struct {
+	name      string
+	confirmed bool
+}
+
+func certCleanupTestCommand(opts *certCleanupTestOpts) *cobra.Command {
+	if opts == nil {
+		opts = &certCleanupTestOpts{}
+	}
+	command := &cobra.Command{
+		Use:   "cleanup-test [flags] <common_name>",
+		Short: `Clean up a test RSA key and its corresponding certificate that were generated using the "generate-test" command.`,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return errors.New("missing certificate common name")
+			}
+			if !truststore.IsValidFileName(args[0]) {
+				return errors.New("certificate common name must follow [a-zA-Z0-9_.-]+ format")
+			}
+			opts.name = args[0]
+			return nil
+		},
+		Long: `Clean up a test RSA key and its corresponding certificate that were generated using the "generate-test" command.
+
+Example - Clean up a test key and corresponding certificate named "wabbit-networks.io":
+  notation cert cleanup-test wabbit-networks.io
+`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cleanupTestCert(opts)
+		},
+	}
+	command.Flags().BoolVarP(&opts.confirmed, "yes", "y", false, "do not prompt for confirmation")
+	return command
+}
+
+func cleanupTestCert(opts *certCleanupTestOpts) error {
+	name := opts.name
+	relativeKeyPath, relativeCertPath := dir.LocalKeyPath(name)
+	certPath, _ := dir.ConfigFS().SysPath(relativeCertPath) // err is always nil
+	certFileName := filepath.Base(certPath)
+	keyPath, _ := dir.ConfigFS().SysPath(relativeKeyPath) // err is always nil
+	prompt := fmt.Sprintf(`The test key %s and its corresponding certificate will be cleaned up with the following changes:
+- Delete certificate %s.crt from trust store %s of type ca
+- Remove key %s from the key list
+- Delete key file: %s
+- Delete certificate file: %s
+
+Are you sure you want to continue?`, name, name, name, name, keyPath, certPath)
+	confirmed, err := display.AskForConfirmation(os.Stdin, prompt, opts.confirmed)
+	if err != nil {
+		return err
+	}
+	if !confirmed {
+		return nil
+	}
+
+	// 1. remove from trust store
+	err = truststore.DeleteCert("ca", name, certFileName, true)
+	if err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return fmt.Errorf("failed to delete certificate %s from trust store %s of type ca: %w", certFileName, name, err)
+		}
+		fmt.Printf("Certificate %s does not exist in trust store %s of type ca\n", certFileName, name)
+	}
+
+	// 2. remove key from signingkeys.json config
+	exec := func(s *config.SigningKeys) error {
+		_, err := s.Remove(name)
+		return err
+	}
+	err = config.LoadExecSaveSigningKeys(exec)
+	if err != nil {
+		var keyNotFoundError config.KeyNotFoundError
+		if !errors.As(err, &keyNotFoundError) {
+			return fmt.Errorf("failed to remove key %s from the key list: %w", name, err)
+		}
+		fmt.Printf("Key %s does not exist in the key list\n", name)
+	} else {
+		fmt.Printf("Successfully removed key %s from the key list\n", name)
+	}
+
+	// 3. delete key and certificate files from LocalKeyPath
+	err = os.Remove(keyPath)
+	if err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return fmt.Errorf("failed to delete key file %s: %w", keyPath, err)
+		}
+		fmt.Printf("Key file %s does not exist\n", keyPath)
+	} else {
+		fmt.Printf("Successfully deleted key file: %s\n", keyPath)
+	}
+	err = os.Remove(certPath)
+	if err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return fmt.Errorf("failed to delete certificate file %s: %w", certPath, err)
+		}
+		fmt.Printf("Certificate file %s does not exist\n", certPath)
+	} else {
+		fmt.Printf("Successfully deleted certificate file: %s\n", certPath)
+	}
+	fmt.Println("Cleanup completed successfully")
+	return nil
+}

cmd/notation/cert/cleanup_test.go

@@ -0,0 +1,47 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestCertCleanupCommand(t *testing.T) {
+	opts := &certCleanupTestOpts{}
+	cmd := certCleanupTestCommand(opts)
+	expected := &certCleanupTestOpts{
+		name: "name",
+	}
+	if err := cmd.ParseFlags([]string{
+		"name"}); err != nil {
+		t.Fatalf("Parse Flag failed: %v", err)
+	}
+	if err := cmd.Args(cmd, cmd.Flags().Args()); err != nil {
+		t.Fatalf("Parse Args failed: %v", err)
+	}
+	if !reflect.DeepEqual(*expected, *opts) {
+		t.Fatalf("Expect cert generate-test opts: %v, got: %v", expected, opts)
+	}
+}
+
+func TestCertCleanupTestCommand_MissingArgs(t *testing.T) {
+	cmd := certCleanupTestCommand(nil)
+	if err := cmd.ParseFlags(nil); err != nil {
+		t.Fatalf("Parse Flag failed: %v", err)
+	}
+	if err := cmd.Args(cmd, cmd.Flags().Args()); err == nil {
+		t.Fatal("Parse Args expected error, but ok")
+	}
+}

cmd/notation/cert/cmd.go

@@ -11,6 +11,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// Package cert provides implementation of the `notation certificate` command
 package cert
 
 import "github.com/spf13/cobra"
@@ -29,6 +30,7 @@ func Cmd() *cobra.Command {
 		certShowCommand(nil),
 		certDeleteCommand(nil),
 		certGenerateTestCommand(nil),
+		certCleanupTestCommand(nil),
 	)
 
 	return command

cmd/notation/cert/generateTest.go

@@ -138,7 +138,7 @@ func generateTestCert(opts *certGenerateTestOpts) error {
 	// write out
 	fmt.Printf("%s: added to the key list\n", name)
 	if opts.isDefault {
-		fmt.Printf("%s: mark as default signing key\n", name)
+		fmt.Printf("%s: marked as default signing key\n", name)
 	}
 	return nil
 }

cmd/notation/internal/sign/sign_test.go

@@ -177,7 +177,7 @@ func TestGetSignerFailed(t *testing.T) {
 
 	t.Run("key not found", func(t *testing.T) {
 		dir.UserConfigDir = "./testdata/valid_signingkeys"
-		expectedErrMsg := `signing key not found`
+		expectedErrMsg := `signing key test2 not found`
 		opts := &flag.SignerFlagOpts{
 			Key: "test2",
 		}

cmd/notation/internal/truststore/truststore.go

@@ -190,7 +190,7 @@ func DeleteCert(storeType, namedStore, cert string, confirmed bool) error {
 		return err
 	}
 	// write out on success
-	fmt.Printf("Successfully deleted %s\n", cert)
+	fmt.Printf("Successfully deleted %s from trust store %s of type %s\n", cert, namedStore, storeType)
 	return nil
 }
 

go.mod

@@ -3,10 +3,10 @@ module github.com/notaryproject/notation/v2
 go 1.24.0
 
 require (
-	github.com/notaryproject/notation-core-go v1.2.0
-	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604
+	github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a
+	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
-	github.com/notaryproject/tspclient-go v1.0.0
+	github.com/notaryproject/tspclient-go v1.0.1-0.20250306063739-4f55b14d9f01
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/sirupsen/logrus v1.9.3

go.sum

@@ -36,14 +36,14 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.2.0 h1:WElMG9X0YXJhBd0A4VOxLNalTLrTjvqtIAj7JHr5X08=
-github.com/notaryproject/notation-core-go v1.2.0/go.mod h1:+y3L1dOs2/ZwJIU5Imo7BBvZ/M3CFjXkydGGdK09EtA=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604 h1:uw65pHgN+NXAqHssmlRJUkcl515AQgMIOdC6tbBHHXE=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604/go.mod h1:NXYZyzIawUSyv+C0Gs8bBYJ1q8a1gy78GEss8fPNZmY=
+github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a h1:xagHqXDQKyG4hYCzf2yrMxNGdUf1FELEYojY7dZEgP0=
+github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a/go.mod h1:26/FuY/XSwyGiafPFDOeUJBz+sPsWDpK+Ei4TWtcmTc=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892 h1:2bD9p585QwuFQry03o19yHZzeBJOCSuol6LR64KIfto=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892/go.mod h1:NXYZyzIawUSyv+C0Gs8bBYJ1q8a1gy78GEss8fPNZmY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v1.0.0 h1:AwQ4x0gX8IHnyiZB1tggpn5NFqHpTEm1SDX8YNv4Dg4=
-github.com/notaryproject/tspclient-go v1.0.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v1.0.1-0.20250306063739-4f55b14d9f01 h1:Ay72jBeHKqBFk6TbJWywfwzefN3Ei7Py2OzCiWU/7nk=
+github.com/notaryproject/tspclient-go v1.0.1-0.20250306063739-4f55b14d9f01/go.mod h1:3ZJPmpmdwufY23BkS+JPNktOVb5DXJ8Ik5zxvN7h670=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=

specs/cmd/certificate.md

@@ -148,7 +148,7 @@ Usage:
   notation certificate cleanup-test [flags] <common_name>
 
 Flags:
-  -h, --help       help for generate-test
+  -h, --help       help for cleanup-test
   -y, --yes        do not prompt for confirmation
 ```
 

test/e2e/go.mod

@@ -4,7 +4,7 @@ go 1.24.0
 
 require (
 	github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a
-	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604
+	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892
 	github.com/onsi/ginkgo/v2 v2.23.3
 	github.com/onsi/gomega v1.36.3
 	github.com/opencontainers/image-spec v1.1.1
@@ -17,11 +17,13 @@ require (
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
+	github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
 	github.com/notaryproject/tspclient-go v1.0.1-0.20250306063739-4f55b14d9f01 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect

test/e2e/go.sum

@@ -12,8 +12,10 @@ github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/Z
 github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a h1:xagHqXDQKyG4hYCzf2yrMxNGdUf1FELEYojY7dZEgP0=
 github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a/go.mod h1:26/FuY/XSwyGiafPFDOeUJBz+sPsWDpK+Ei4TWtcmTc=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604 h1:uw65pHgN+NXAqHssmlRJUkcl515AQgMIOdC6tbBHHXE=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604/go.mod h1:NXYZyzIawUSyv+C0Gs8bBYJ1q8a1gy78GEss8fPNZmY=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892 h1:2bD9p585QwuFQry03o19yHZzeBJOCSuol6LR64KIfto=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892/go.mod h1:NXYZyzIawUSyv+C0Gs8bBYJ1q8a1gy78GEss8fPNZmY=
+github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
+github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v1.0.1-0.20250306063739-4f55b14d9f01 h1:Ay72jBeHKqBFk6TbJWywfwzefN3Ei7Py2OzCiWU/7nk=
 github.com/notaryproject/tspclient-go v1.0.1-0.20250306063739-4f55b14d9f01/go.mod h1:3ZJPmpmdwufY23BkS+JPNktOVb5DXJ8Ik5zxvN7h670=
 github.com/onsi/ginkgo/v2 v2.23.3 h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
@@ -34,6 +36,8 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
 golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=

test/e2e/plugin/go.mod

@@ -5,7 +5,7 @@ go 1.24.0
 require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a
-	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604
+	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
 	github.com/spf13/cobra v1.9.1
 )

test/e2e/plugin/go.sum

@@ -40,8 +40,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a h1:xagHqXDQKyG4hYCzf2yrMxNGdUf1FELEYojY7dZEgP0=
 github.com/notaryproject/notation-core-go v1.2.1-0.20250304022306-ea37e4e6c39a/go.mod h1:26/FuY/XSwyGiafPFDOeUJBz+sPsWDpK+Ei4TWtcmTc=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604 h1:uw65pHgN+NXAqHssmlRJUkcl515AQgMIOdC6tbBHHXE=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250310060348-fdcf9cc47604/go.mod h1:NXYZyzIawUSyv+C0Gs8bBYJ1q8a1gy78GEss8fPNZmY=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892 h1:2bD9p585QwuFQry03o19yHZzeBJOCSuol6LR64KIfto=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250324062555-fcc1ce32f892/go.mod h1:NXYZyzIawUSyv+C0Gs8bBYJ1q8a1gy78GEss8fPNZmY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v1.0.1-0.20250306063739-4f55b14d9f01 h1:Ay72jBeHKqBFk6TbJWywfwzefN3Ei7Py2OzCiWU/7nk=

test/e2e/suite/command/blob/sign.go

@@ -120,7 +120,7 @@ var _ = Describe("notation blob sign", func() {
 	It("with invalid key", func() {
 		HostWithBlob(BaseOptions(), func(notation *utils.ExecOpts, blobPath string, vhost *utils.VirtualHost) {
 			notation.ExpectFailure().Exec("blob", "sign", "--key", "invalid", blobPath).
-				MatchErrKeyWords("signing key not found")
+				MatchErrKeyWords("signing key invalid not found")
 		})
 	})