From 14a0eb5ebbbfe1d37a19b64447d14cb4a7b97c25 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 27 Apr 2022 17:34:37 +0200 Subject: [PATCH 01/16] support plugin keys Signed-off-by: qmuntal --- cmd/notation/key.go | 10 +++++----- cmd/notation/plugin.go | 2 +- go.mod | 2 ++ go.sum | 4 ++-- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/cmd/notation/key.go b/cmd/notation/key.go index 5cbfe3eaf..6f3d0e5d6 100644 --- a/cmd/notation/key.go +++ b/cmd/notation/key.go @@ -43,15 +43,15 @@ var ( Usage: "key name", Required: true, }, + &cli.StringFlag{ + Name: "id", + Usage: "key id (required if --plugin is set)", + }, &cli.StringFlag{ Name: "plugin", Aliases: []string{"p"}, Usage: "signing plugin name", }, - &cli.StringFlag{ - Name: "id", - Usage: "key id (required if --plugin is set)", - }, keyDefaultFlag, }, Action: addKey, @@ -125,7 +125,7 @@ func addExternalKey(ctx *cli.Context, pluginName, keyName string) (config.KeySui if id == "" { return config.KeySuite{}, errors.New("missing key id") } - mgr := manager.NewManager() + mgr := manager.New(config.PluginsPath) p, err := mgr.Get(ctx.Context, pluginName) if err != nil { return config.KeySuite{}, err diff --git a/cmd/notation/plugin.go b/cmd/notation/plugin.go index 26554448c..bcaf0bfe0 100644 --- a/cmd/notation/plugin.go +++ b/cmd/notation/plugin.go @@ -26,7 +26,7 @@ var ( ) func listPlugins(ctx *cli.Context) error { - mgr := manager.NewManager() + mgr := manager.New(config.PluginsPath) plugins, err := mgr.List(ctx.Context) if err != nil { return err diff --git a/go.mod b/go.mod index 554a53806..12ce04477 100644 --- a/go.mod +++ b/go.mod @@ -25,3 +25,5 @@ require ( golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 // indirect gotest.tools/v3 v3.0.3 // indirect ) + +replace github.com/notaryproject/notation-go => github.com/qmuntal/notation-go v0.7.0-alpha.1.0.20220518080859-07fe9b874982 diff --git a/go.sum b/go.sum index ba8e80660..2f7f43e31 100644 --- a/go.sum +++ b/go.sum 
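Review bot: `config.PluginsPath`, newly referenced by addExternalKey here and by listPlugins in cmd/notation/plugin.go, is not defined anywhere in this series — patch 05 later adds `PluginDirPath` to pkg/config/path.go and rewrites both call sites to it — and plugin.go only gains its `pkg/config` import in patch 02, so this commit does not appear to build on its own. If the identifier already exists outside the shown hunks this is moot; otherwise fold the path.go addition and the plugin.go import into this commit so each step of the series stays bisectable. addExternalKey continues outside the hunk.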
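Review bot: The new `replace github.com/notaryproject/notation-go => github.com/qmuntal/notation-go v0.7.0-alpha...` directive pins the build to a personal fork, so every consumer of this module now resolves and verifies notation-go from that fork rather than from the upstream project. If the intent is to develop against an unreleased notation-go branch, mark the directive as temporary in go.mod (`// TODO: drop once notation-go <tracking reference> is released`) and make its removal a merge blocker, since a replace left behind silently changes the provenance of the signing library. The go.sum hunk accordingly records the fork's hashes and has to be regenerated whenever the pin moves.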
@@ -73,8 +73,6 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
-github.com/notaryproject/notation-go v0.8.0-alpha.1.0.20220504164459-182873bded16 h1:pcT6WLHGv1iZ7Z/kflT2NJbuNIqLxuDj2qSfjxE5N3M=
-github.com/notaryproject/notation-go v0.8.0-alpha.1.0.20220504164459-182873bded16/go.mod h1:KtNtijh22iUsC3y7KTzllwPoDKV7mJANYz/RunvOhqs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
@@ -98,6 +96,8 @@ github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
+github.com/qmuntal/notation-go v0.7.0-alpha.1.0.20220518080859-07fe9b874982 h1:oow9r9GCNWhintF+M7UQP2x6SEsIGt2VoTEVaMnxFog=
+github.com/qmuntal/notation-go v0.7.0-alpha.1.0.20220518080859-07fe9b874982/go.mod h1:KtNtijh22iUsC3y7KTzllwPoDKV7mJANYz/RunvOhqs=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
From d1972ff199e503b0c58907609e186a40ce48f215 Mon Sep 17 00:00:00 2001
From: qmuntal Date: Fri, 29 Apr 2022 17:41:01 +0200 Subject: [PATCH 02/16] update plugins branch Signed-off-by: qmuntal --- cmd/notation/plugin.go | 1 + pkg/signature/jws.go | 3 +++ 2 files changed, 4 insertions(+) diff --git a/cmd/notation/plugin.go b/cmd/notation/plugin.go index bcaf0bfe0..5477ef840 100644 --- a/cmd/notation/plugin.go +++ b/cmd/notation/plugin.go @@ -5,6 +5,7 @@ import ( "github.com/notaryproject/notation-go/plugin/manager" "github.com/notaryproject/notation/internal/ioutil" + "github.com/notaryproject/notation/pkg/config" "github.com/urfave/cli/v2" ) diff --git a/pkg/signature/jws.go b/pkg/signature/jws.go index 53368804a..f2212456b 100644 --- a/pkg/signature/jws.go +++ b/pkg/signature/jws.go @@ -24,6 +24,9 @@ func NewSignerFromFiles(keyPath, certPath string) (*jws.Signer, error) { if err != nil { return nil, err } + if len(cert.Certificate) == 0 { + return nil, errors.New("missing signer certificate chain") + } // parse cert certs := make([]*x509.Certificate, len(cert.Certificate)) From 28dccb23647fe1a5b7cb1345434c06ce30489fad Mon Sep 17 00:00:00 2001 From: qmuntal Date: Tue, 3 May 2022 15:55:10 +0200 Subject: [PATCH 03/16] implement plugin signing Signed-off-by: qmuntal --- cmd/notation/sign.go | 8 ++++++++ internal/cmd/signer.go | 40 +++++++++++++++++----------------------- 2 files changed, 25 insertions(+), 23 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 134c12301..155aef2e0 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -4,6 +4,7 @@ import ( "fmt" "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/crypto/timestamp" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/osutil" "github.com/notaryproject/notation/pkg/config" 
@@ -94,7 +95,14 @@ func prepareSigningContent(ctx *cli.Context) (notation.Descriptor, notation.Sign "identity": identity, } } + var tsa timestamp.Timestamper + if endpoint := ctx.String(cmd.FlagTimestamp.Name); endpoint != "" { + if tsa, err = timestamp.NewHTTPTimestamper(nil, endpoint); err != nil { + return notation.Descriptor{}, notation.SignOptions{}, err + } + } return manifestDesc, notation.SignOptions{ Expiry: cmd.GetExpiry(ctx), + TSA: tsa, }, nil } diff --git a/internal/cmd/signer.go b/internal/cmd/signer.go index be315f7f7..472e1c444 100644 --- a/internal/cmd/signer.go +++ b/internal/cmd/signer.go @@ -5,7 +5,8 @@ import ( "time" "github.com/notaryproject/notation-go" - "github.com/notaryproject/notation-go/crypto/timestamp" + "github.com/notaryproject/notation-go/plugin/manager" + "github.com/notaryproject/notation-go/signature/jws" "github.com/notaryproject/notation/pkg/config" "github.com/notaryproject/notation/pkg/signature" "github.com/urfave/cli/v2" 
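Review bot: `timestamp.NewHTTPTimestamper(nil, endpoint)` hands the timestamper a nil HTTP client, which presumably makes it fall back to the default client with no deadline, so an unresponsive TSA endpoint can stall `notation sign` indefinitely on a network call that is only needed for the optional timestamp. Prefer passing a client with an explicit timeout, e.g. `&http.Client{Timeout: 30 * time.Second}` (value illustrative; needs `net/http` and `time` in the import block), or one bounded by ctx.Context, and keep `nil` only if the library documents a bounded default of its own. prepareSigningContent starts outside the hunk.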
@@ -14,33 +15,26 @@ import ( // GetSigner returns a signer according to the CLI context. func GetSigner(ctx *cli.Context) (notation.Signer, error) { // read paths of the signing key and its corresponding cert. - var keyPath, certPath string - if path := ctx.String(FlagKeyFile.Name); path != "" { - keyPath = path - certPath = ctx.String(FlagCertFile.Name) - } else { - key, err := config.ResolveKey(ctx.String(FlagKey.Name)) - if err != nil { - return nil, err - } - if key.X509KeyPair == nil { - return nil, errors.New("invalid key type") - } - keyPath = key.KeyPath - certPath = key.CertificatePath + if keyPath := ctx.String(FlagKeyFile.Name); keyPath != "" { + certPath := ctx.String(FlagCertFile.Name) + return signature.NewSignerFromFiles(keyPath, certPath) } - - // construct signer - signer, err := signature.NewSignerFromFiles(keyPath, certPath) + key, err := config.ResolveKey(ctx.String(FlagKey.Name)) if err != nil { return nil, err } - if endpoint := ctx.String(FlagTimestamp.Name); endpoint != "" { - if signer.TSA, err = timestamp.NewHTTPTimestamper(nil, endpoint); err != nil { - return nil, err - } + if key.X509KeyPair != nil { + return signature.NewSignerFromFiles(key.X509KeyPair.KeyPath, key.X509KeyPair.CertificatePath) + } + if key.ExternalKey != nil { + return &jws.PluginSigner{ + Runner: manager.NewManager(), + PluginName: key.PluginName, + KeyID: key.ExternalKey.ID, + KeyName: key.Name, + }, nil } - return signer, nil + return nil, errors.New("unsupported key") } // GetExpiry returns the signature expiry according to the CLI context. From 564ff97fef909f1703db6a3839756ad215973653 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 4 May 2022 13:08:49 +0200 Subject: [PATCH 04/16] pass PluginConfig Signed-off-by: qmuntal --- internal/cmd/signer.go | 9 +++++---- pkg/config/config.go | 5 +++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/internal/cmd/signer.go b/internal/cmd/signer.go index 472e1c444..4275820ab 100644 --- a/internal/cmd/signer.go 
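Review bot: The plugin branch builds the `jws.PluginSigner` with `Runner: manager.NewManager()`, while patch 01 switched addExternalKey and listPlugins to `manager.New(config.PluginsPath)`; unless NewManager defaults to the same directory, a key registered through `notation key add` can resolve its plugin from a different location than the one consulted at signing time. Use the same constructor here (`Runner: manager.New(config.PluginsPath),`) so plugin discovery is defined in exactly one place. The final `errors.New("unsupported key")` also gives the operator nothing to act on; `return nil, fmt.Errorf("key %q: unsupported key type", key.Name)` (with `fmt` imported) names the offending key suite.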
+++ b/internal/cmd/signer.go @@ -28,10 +28,11 @@ func GetSigner(ctx *cli.Context) (notation.Signer, error) { } if key.ExternalKey != nil { return &jws.PluginSigner{ - Runner: manager.NewManager(), - PluginName: key.PluginName, - KeyID: key.ExternalKey.ID, - KeyName: key.Name, + Runner: manager.NewManager(), + PluginName: key.PluginName, + KeyID: key.ExternalKey.ID, + KeyName: key.Name, + PluginConfig: key.PluginConfig, }, nil } return nil, errors.New("unsupported key") diff --git a/pkg/config/config.go b/pkg/config/config.go index 459fa7880..fc1bf1873 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -15,8 +15,9 @@ type X509KeyPair struct { // ExternalKey contains the necessary information to delegate // the signing operation to the named plugin. type ExternalKey struct { - ID string `json:"id,omitempty"` - PluginName string `json:"pluginName,omitempty"` + ID string `json:"id,omitempty"` + PluginName string `json:"pluginName,omitempty"` + PluginConfig map[string]string `json:"pluginConfig,omitempty"` } // KeySuite is a named key suite. From 9391bfce282614e68a17789fc1705daa49ebeb18 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Mon, 9 May 2022 13:21:41 +0200 Subject: [PATCH 05/16] bump notation-go Signed-off-by: qmuntal --- cmd/docker-notation/docker/manifest.go | 14 +++++------ cmd/docker-notation/pull.go | 9 ++++--- cmd/docker-notation/push.go | 26 ++++++++++---------- cmd/docker-notation/sign.go | 2 +- cmd/notation/key.go | 2 +- cmd/notation/list.go | 3 ++- cmd/notation/manifest.go | 24 +++++++++--------- cmd/notation/plugin.go | 2 +- cmd/notation/pull.go | 4 +-- cmd/notation/push.go | 17 +++++++------ cmd/notation/sign.go | 7 +++--- cmd/notation/verify.go | 3 ++- internal/cmd/signer.go | 8 ++++-- pkg/config/path.go | 7 ++++++ pkg/registry/interface.go | 6 ++--- pkg/registry/repository.go | 34 +++++++++++++------------- 16 files changed, 92 insertions(+), 76 deletions(-) 
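Review bot: The new `PluginConfig` field carries no doc comment, and its contract matters: with the `json:"pluginConfig,omitempty"` tag it is persisted verbatim in the key configuration file, and the signer.go hunk forwards it unchanged to the plugin on every signing call. Add `// PluginConfig holds plugin-specific settings; they are stored as plain JSON alongside the key and passed verbatim to the plugin, so they must not contain secrets.` so that operators know credentials do not belong there. The ExternalKey struct continues outside the hunk.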
diff --git a/cmd/docker-notation/docker/manifest.go b/cmd/docker-notation/docker/manifest.go index d625298fe..f81b8af43 100644 --- a/cmd/docker-notation/docker/manifest.go +++ b/cmd/docker-notation/docker/manifest.go @@ -5,7 +5,7 @@ import ( "os/exec" "github.com/distribution/distribution/v3/manifest/schema2" - "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/notaryproject/notation/pkg/docker" "github.com/opencontainers/go-digest" "oras.land/oras-go/v2/registry" @@ -31,23 +31,23 @@ func GenerateManifest(reference string) ([]byte, error) { } // GenerateManifestDescriptor generate manifest descriptor from docker save -func GenerateManifestDescriptor(reference string) (notation.Descriptor, error) { +func GenerateManifestDescriptor(reference string) (signature.Descriptor, error) { manifest, err := GenerateManifest(reference) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } - return notation.Descriptor{ + return signature.Descriptor{ MediaType: schema2.MediaTypeManifest, - Digest: digest.FromBytes(manifest), + Digest: digest.FromBytes(manifest).String(), Size: int64(len(manifest)), }, nil } // GetManifestDescriptor get manifest descriptor from remote registry -func GetManifestDescriptor(ctx context.Context, ref registry.Reference) (notation.Descriptor, error) { +func GetManifestDescriptor(ctx context.Context, ref registry.Reference) (signature.Descriptor, error) { client, err := getRepositoryClient(ref) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } return client.GetManifestDescriptor(ctx, ref.ReferenceOrDefault()) } diff --git a/cmd/docker-notation/pull.go b/cmd/docker-notation/pull.go index 1277210cc..d3ac63691 100644 --- a/cmd/docker-notation/pull.go +++ b/cmd/docker-notation/pull.go 
@@ -7,6 +7,7 @@ import ( "os" "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/notaryproject/notation/cmd/docker-notation/docker" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" @@ -53,7 +54,7 @@ func verifyRemoteImage(ctx context.Context, ref string) (string, error) { fmt.Printf("%s: digest: %v size: %v\n", manifestRef.ReferenceOrDefault(), manifestDesc.Digest, manifestDesc.Size) fmt.Println("Looking up for signatures") - sigDigests, err := downloadSignatures(ctx, ref, manifestDesc.Digest) + sigDigests, err := downloadSignatures(ctx, ref, digest.Digest(manifestDesc.Digest)) if err != nil { return "", err } @@ -73,7 +74,7 @@ func verifyRemoteImage(ctx context.Context, ref string) (string, error) { fmt.Println("The image is originated from:", originRef) } - manifestRef.Reference = manifestDesc.Digest.String() + manifestRef.Reference = manifestDesc.Digest return manifestRef.String(), nil } @@ -100,12 +101,12 @@ func verifySignatures( ctx context.Context, verifier notation.Verifier, sigDigests []digest.Digest, - desc notation.Descriptor, + desc signature.Descriptor, ) (digest.Digest, string, error) { var opts notation.VerifyOptions var lastErr error for _, sigDigest := range sigDigests { - path := config.SignaturePath(desc.Digest, sigDigest) + path := config.SignaturePath(digest.Digest(desc.Digest), sigDigest) sig, err := os.ReadFile(path) if err != nil { return "", "", err diff --git a/cmd/docker-notation/push.go b/cmd/docker-notation/push.go index 593704675..378be5cd0 100644 --- a/cmd/docker-notation/push.go +++ b/cmd/docker-notation/push.go 
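Review bot: With `Descriptor.Digest` now a plain string, `digest.Digest(manifestDesc.Digest)` in verifyRemoteImage and `digest.Digest(desc.Digest)` in verifySignatures are unchecked conversions, and the same pattern recurs in cmd/docker-notation/push.go and sign.go, cmd/notation/list.go, pull.go and push.go, and in artifactDescriptorFromNotation in pkg/registry/repository.go. The converted value is used as a signature lookup key and, via `config.SignaturePath`, as a component of a local filesystem path that is then read with `os.ReadFile`, so a malformed or unexpected string in a descriptor now reaches those sinks without the digest ever having been validated. Convert once at the boundary with `d, err := digest.Parse(manifestDesc.Digest)` (which checks format and algorithm) and pass the typed value around, or add one small helper that does the parse and returns an error, instead of repeating the bare conversion at every call site.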
@@ -11,7 +11,7 @@ import ( "strings" "github.com/distribution/distribution/v3/manifest/schema2" - "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/notaryproject/notation/cmd/docker-notation/docker" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" @@ -33,7 +33,7 @@ func pushImage(ctx *cli.Context) error { } fmt.Println("Pushing signature") - sigDigests, err := cache.SignatureDigests(desc.Digest) + sigDigests, err := cache.SignatureDigests(digest.Digest(desc.Digest)) if err != nil { return err } @@ -46,7 +46,7 @@ func pushImage(ctx *cli.Context) error { return err } pushSignature := func(sigDigest digest.Digest) error { - sigPath := config.SignaturePath(desc.Digest, sigDigest) + sigPath := config.SignaturePath(digest.Digest(desc.Digest), sigDigest) sig, err := os.ReadFile(sigPath) if err != nil { return err 
@@ -73,46 +73,46 @@ func pushImage(ctx *cli.Context) error { return nil } -func pushImageAndGetDescriptor(ctx *cli.Context) (notation.Descriptor, error) { +func pushImageAndGetDescriptor(ctx *cli.Context) (signature.Descriptor, error) { args := append([]string{"push"}, ctx.Args().Slice()...) cmd := exec.Command("docker", args...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr stdout, err := cmd.StdoutPipe() if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } scanner := bufio.NewScanner(io.TeeReader(stdout, os.Stdout)) if err := cmd.Start(); err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } var lastLine string for scanner.Scan() { lastLine = scanner.Text() } if err := scanner.Err(); err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } if err := cmd.Wait(); err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } parts := strings.Split(lastLine, " ") if len(parts) != 5 { - return notation.Descriptor{}, fmt.Errorf("invalid docker pull result: %s", lastLine) + return signature.Descriptor{}, fmt.Errorf("invalid docker pull result: %s", lastLine) } digest, err := digest.Parse(parts[2]) if err != nil { - return notation.Descriptor{}, fmt.Errorf("invalid digest: %s", lastLine) + return signature.Descriptor{}, fmt.Errorf("invalid digest: %s", lastLine) } size, err := strconv.ParseInt(parts[4], 10, 64) if err != nil { - return notation.Descriptor{}, fmt.Errorf("invalid size: %s", lastLine) + return signature.Descriptor{}, fmt.Errorf("invalid size: %s", lastLine) } - return notation.Descriptor{ + return signature.Descriptor{ MediaType: schema2.MediaTypeManifest, - Digest: digest, + Digest: digest.String(), Size: size, }, nil } diff --git a/cmd/docker-notation/sign.go b/cmd/docker-notation/sign.go index fa135a368..85648b5d6 100644 --- a/cmd/docker-notation/sign.go +++ b/cmd/docker-notation/sign.go 
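Review bot: In pushImageAndGetDescriptor the new `Digest: digest.String(),` calls a method on the local `digest` introduced by `digest, err := digest.Parse(parts[2])`, which shadows the go-digest package for the rest of the function; the shadowing predates this change, but the new line is the first that reads like a package call. Renaming the local removes the ambiguity: `dgst, err := digest.Parse(parts[2])` and `Digest: dgst.String(),`. getManifestDescriptorFromReader in cmd/notation/manifest.go has the same `digest, err := digest.SHA256.FromReader(lr)` pattern and would benefit from the same rename.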
@@ -60,7 +60,7 @@ func signImage(ctx *cli.Context) error { if err != nil { return err } - sigPath := config.SignaturePath(desc.Digest, digest.FromBytes(sig)) + sigPath := config.SignaturePath(digest.Digest(desc.Digest), digest.FromBytes(sig)) if err := osutil.WriteFile(sigPath, sig); err != nil { return err } diff --git a/cmd/notation/key.go b/cmd/notation/key.go index 6f3d0e5d6..7ae7a1ee9 100644 --- a/cmd/notation/key.go +++ b/cmd/notation/key.go @@ -125,7 +125,7 @@ func addExternalKey(ctx *cli.Context, pluginName, keyName string) (config.KeySui if id == "" { return config.KeySuite{}, errors.New("missing key id") } - mgr := manager.New(config.PluginsPath) + mgr := manager.New(config.PluginDirPath) p, err := mgr.Get(ctx.Context, pluginName) if err != nil { return config.KeySuite{}, err diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 10c90cb8d..27f478834 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -4,6 +4,7 @@ import ( "errors" "fmt" + "github.com/opencontainers/go-digest" "github.com/urfave/cli/v2" ) @@ -38,7 +39,7 @@ func runList(ctx *cli.Context) error { return err } - sigDigests, err := sigRepo.Lookup(ctx.Context, manifestDesc.Digest) + sigDigests, err := sigRepo.Lookup(ctx.Context, digest.Digest(manifestDesc.Digest)) if err != nil { return fmt.Errorf("lookup signature failure: %v", err) } diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index 6e275779a..c20faf13e 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
@@ -6,21 +6,21 @@ import ( "math" "os" - "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/opencontainers/go-digest" "github.com/urfave/cli/v2" "oras.land/oras-go/v2/registry" ) -func getManifestDescriptorFromContext(ctx *cli.Context) (notation.Descriptor, error) { +func getManifestDescriptorFromContext(ctx *cli.Context) (signature.Descriptor, error) { ref := ctx.Args().First() if ref == "" { - return notation.Descriptor{}, errors.New("missing reference") + return signature.Descriptor{}, errors.New("missing reference") } return getManifestDescriptorFromContextWithReference(ctx, ref) } -func getManifestDescriptorFromContextWithReference(ctx *cli.Context, ref string) (notation.Descriptor, error) { +func getManifestDescriptorFromContextWithReference(ctx *cli.Context, ref string) (signature.Descriptor, error) { if ctx.Bool(flagLocal.Name) { mediaType := ctx.String(flagMediaType.Name) if ref == "-" { 
@@ -32,36 +32,36 @@ func getManifestDescriptorFromContextWithReference(ctx *cli.Context, ref string) return getManifestDescriptorFromReference(ctx, ref) } -func getManifestDescriptorFromReference(ctx *cli.Context, reference string) (notation.Descriptor, error) { +func getManifestDescriptorFromReference(ctx *cli.Context, reference string) (signature.Descriptor, error) { ref, err := registry.ParseReference(reference) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } repo := getRepositoryClient(ctx, ref) return repo.GetManifestDescriptor(ctx.Context, ref.ReferenceOrDefault()) } -func getManifestDescriptorFromFile(path, mediaType string) (notation.Descriptor, error) { +func getManifestDescriptorFromFile(path, mediaType string) (signature.Descriptor, error) { file, err := os.Open(path) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } defer file.Close() return getManifestDescriptorFromReader(file, mediaType) } -func getManifestDescriptorFromReader(r io.Reader, mediaType string) (notation.Descriptor, error) { +func getManifestDescriptorFromReader(r io.Reader, mediaType string) (signature.Descriptor, error) { lr := &io.LimitedReader{ R: r, N: math.MaxInt64, } digest, err := digest.SHA256.FromReader(lr) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } - return notation.Descriptor{ + return signature.Descriptor{ MediaType: mediaType, - Digest: digest, + Digest: digest.String(), Size: math.MaxInt64 - lr.N, }, nil } diff --git a/cmd/notation/plugin.go b/cmd/notation/plugin.go index 5477ef840..47153ab74 100644 --- a/cmd/notation/plugin.go +++ b/cmd/notation/plugin.go @@ -27,7 +27,7 @@ var ( ) func listPlugins(ctx *cli.Context) error { - mgr := manager.New(config.PluginsPath) + mgr := manager.New(config.PluginDirPath) plugins, err := mgr.List(ctx.Context) if err != nil { return err 
diff --git a/cmd/notation/pull.go b/cmd/notation/pull.go index 6635cf730..3c4e5eee4 100644 --- a/cmd/notation/pull.go +++ b/cmd/notation/pull.go @@ -53,7 +53,7 @@ func runPull(ctx *cli.Context) error { return err } - sigDigests, err := sigRepo.Lookup(ctx.Context, manifestDesc.Digest) + sigDigests, err := sigRepo.Lookup(ctx.Context, digest.Digest(manifestDesc.Digest)) if err != nil { return fmt.Errorf("lookup signature failure: %v", err) } @@ -69,7 +69,7 @@ func runPull(ctx *cli.Context) error { if err := osutil.WriteFile(outputPath, sig); err != nil { return fmt.Errorf("fail to write signature: %v: %v", sigDigest, err) } - } else if err := cache.PullSignature(ctx.Context, sigRepo, manifestDesc.Digest, sigDigest); err != nil { + } else if err := cache.PullSignature(ctx.Context, sigRepo, digest.Digest(manifestDesc.Digest), sigDigest); err != nil { return err } diff --git a/cmd/notation/push.go b/cmd/notation/push.go index 5e58b8806..efc776f47 100644 --- a/cmd/notation/push.go +++ b/cmd/notation/push.go @@ -5,9 +5,10 @@ import ( "fmt" "os" - "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" + "github.com/opencontainers/go-digest" "github.com/urfave/cli/v2" ) @@ -36,12 +37,12 @@ func runPush(ctx *cli.Context) error { } sigPaths := ctx.StringSlice(flagSignature.Name) if len(sigPaths) == 0 { - sigDigests, err := cache.SignatureDigests(manifestDesc.Digest) + sigDigests, err := cache.SignatureDigests(digest.Digest(manifestDesc.Digest)) if err != nil { return err } for _, sigDigest := range sigDigests { - sigPaths = append(sigPaths, config.SignaturePath(manifestDesc.Digest, sigDigest)) + sigPaths = append(sigPaths, config.SignaturePath(digest.Digest(manifestDesc.Digest), sigDigest)) } } 
@@ -71,25 +72,25 @@ func runPush(ctx *cli.Context) error { return nil } -func pushSignature(ctx *cli.Context, ref string, sig []byte) (notation.Descriptor, error) { +func pushSignature(ctx *cli.Context, ref string, sig []byte) (signature.Descriptor, error) { // initialize sigRepo, err := getSignatureRepository(ctx, ref) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } manifestDesc, err := getManifestDescriptorFromReference(ctx, ref) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } // core process sigDesc, err := sigRepo.Put(ctx.Context, sig) if err != nil { - return notation.Descriptor{}, fmt.Errorf("push signature failure: %v", err) + return signature.Descriptor{}, fmt.Errorf("push signature failure: %v", err) } desc, err := sigRepo.Link(ctx.Context, manifestDesc, sigDesc) if err != nil { - return notation.Descriptor{}, fmt.Errorf("link signature failure: %v", err) + return signature.Descriptor{}, fmt.Errorf("link signature failure: %v", err) } return desc, nil diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 155aef2e0..3e661fa14 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -5,6 +5,7 @@ import ( "github.com/notaryproject/notation-go" "github.com/notaryproject/notation-go/crypto/timestamp" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/osutil" "github.com/notaryproject/notation/pkg/config" 
@@ -85,10 +86,10 @@ func runSign(ctx *cli.Context) error { return nil } -func prepareSigningContent(ctx *cli.Context) (notation.Descriptor, notation.SignOptions, error) { +func prepareSigningContent(ctx *cli.Context) (signature.Descriptor, notation.SignOptions, error) { manifestDesc, err := getManifestDescriptorFromContext(ctx) if err != nil { - return notation.Descriptor{}, notation.SignOptions{}, err + return signature.Descriptor{}, notation.SignOptions{}, err } if identity := ctx.String(cmd.FlagReference.Name); identity != "" { manifestDesc.Annotations = map[string]string{ @@ -98,7 +99,7 @@ func prepareSigningContent(ctx *cli.Context) (notation.Descriptor, notation.Sign var tsa timestamp.Timestamper if endpoint := ctx.String(cmd.FlagTimestamp.Name); endpoint != "" { if tsa, err = timestamp.NewHTTPTimestamper(nil, endpoint); err != nil { - return notation.Descriptor{}, notation.SignOptions{}, err + return signature.Descriptor{}, notation.SignOptions{}, err } } return manifestDesc, notation.SignOptions{ diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 5b9642407..210ad51ac 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -7,6 +7,7 @@ import ( "os" "github.com/notaryproject/notation-go" + sigspec "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/slices" "github.com/notaryproject/notation/pkg/cache" @@ -84,7 +85,7 @@ func runVerify(ctx *cli.Context) error { return nil } -func verifySignatures(ctx context.Context, verifier notation.Verifier, manifestDesc notation.Descriptor, sigPaths []string) error { +func verifySignatures(ctx context.Context, verifier notation.Verifier, manifestDesc sigspec.Descriptor, sigPaths []string) error { if len(sigPaths) == 0 { return errors.New("verification failure: no signatures found") } diff --git a/internal/cmd/signer.go b/internal/cmd/signer.go index 4275820ab..cdf465a59 100644 
--- a/internal/cmd/signer.go +++ b/internal/cmd/signer.go @@ -27,9 +27,13 @@ func GetSigner(ctx *cli.Context) (notation.Signer, error) { return signature.NewSignerFromFiles(key.X509KeyPair.KeyPath, key.X509KeyPair.CertificatePath) } if key.ExternalKey != nil { + mgr := manager.New(config.PluginDirPath) + runner, err := mgr.Runner(key.PluginName) + if err != nil { + return nil, err + } return &jws.PluginSigner{ - Runner: manager.NewManager(), - PluginName: key.PluginName, + Runner: runner, KeyID: key.ExternalKey.ID, KeyName: key.Name, PluginConfig: key.PluginConfig, diff --git a/pkg/config/path.go b/pkg/config/path.go index 8926d1f0a..d8ff41747 100644 --- a/pkg/config/path.go +++ b/pkg/config/path.go @@ -31,6 +31,9 @@ const ( // CertificateExtension defines the extension of the certificate files CertificateExtension = ".crt" + + // PluginStoreDirName is the name of the plugin store directory + PluginStoreDirName = "plugins" ) var ( @@ -45,6 +48,9 @@ var ( // CertificateStoreDirPath is the path of the certificate store CertificateStoreDirPath string + + // PluginDirPath is the path of the plugin store + PluginDirPath string ) // init initialize the essential file paths @@ -66,6 +72,7 @@ func init() { SignatureStoreDirPath = filepath.Join(cacheDir, SignatureStoreDirName) KeyStoreDirPath = filepath.Join(configDir, KeyStoreDirName) CertificateStoreDirPath = filepath.Join(configDir, CertificateStoreDirName) + PluginDirPath = filepath.Join(configDir, PluginStoreDirName) } // SignatureRootPath returns the root path of signatures for a manifest diff --git a/pkg/registry/interface.go b/pkg/registry/interface.go index 4b22b0d6e..71c97b65e 100644 --- a/pkg/registry/interface.go +++ b/pkg/registry/interface.go @@ -3,7 +3,7 @@ package registry import ( "context" - "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/opencontainers/go-digest" ) 
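Review bot: `PluginDirPath` is documented only as "the path of the plugin store", but it is the directory handed to `manager.New(config.PluginDirPath)` in the signer.go hunk above to locate plugin executables that the PluginSigner runner presumably executes on the user's behalf, so its permissions are security-relevant in a way the other store paths are not. Expand the comment, e.g. `// PluginDirPath is the directory from which plugin executables are discovered and run; it lives under the user config dir and must not be writable by other users.` Whether the manager itself checks ownership or permissions of that directory is not visible here and is worth confirming.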
@@ -16,8 +16,8 @@ type SignatureRepository interface { Get(ctx context.Context, signatureDigest digest.Digest) ([]byte, error) // Put uploads the signature to the registry - Put(ctx context.Context, signature []byte) (notation.Descriptor, error) + Put(ctx context.Context, signature []byte) (signature.Descriptor, error) // Link creates an signature artifact linking the manifest and the signature - Link(ctx context.Context, manifest, signature notation.Descriptor) (notation.Descriptor, error) + Link(ctx context.Context, manifest, signature signature.Descriptor) (signature.Descriptor, error) } diff --git a/pkg/registry/repository.go b/pkg/registry/repository.go index 7bb19c956..c2f4fd4c1 100644 --- a/pkg/registry/repository.go +++ b/pkg/registry/repository.go @@ -6,7 +6,7 @@ import ( "encoding/json" "fmt" - "github.com/notaryproject/notation-go" + "github.com/notaryproject/notation-go/spec/v1/signature" "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1" @@ -36,10 +36,10 @@ func NewRepositoryClient(client remote.Client, ref registry.Reference, plainHTTP } // GetManifestDescriptor returns signature manifest information by tag or digest. -func (c *RepositoryClient) GetManifestDescriptor(ctx context.Context, ref string) (notation.Descriptor, error) { +func (c *RepositoryClient) GetManifestDescriptor(ctx context.Context, ref string) (signature.Descriptor, error) { desc, err := c.Repository.Resolve(ctx, ref) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } return notationDescriptorFromOCI(desc), nil } 
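Review bot: The interface now declares `Put(ctx context.Context, signature []byte)` and `Link(ctx context.Context, manifest, signature signature.Descriptor)` while importing the `signature` package, so the parameter name shadows the package; this compiles only because an interface method has no body, and the concrete implementation in pkg/registry/repository.go had to rename the parameter to `sig` for exactly that reason. Rename the parameters here too so the two declarations match: `Put(ctx context.Context, sig []byte) (signature.Descriptor, error)` and `Link(ctx context.Context, manifest, sig signature.Descriptor) (signature.Descriptor, error)`.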
@@ -83,32 +83,32 @@ func (c *RepositoryClient) Get(ctx context.Context, signatureDigest digest.Diges } // Put uploads the signature to the registry -func (c *RepositoryClient) Put(ctx context.Context, signature []byte) (notation.Descriptor, error) { +func (c *RepositoryClient) Put(ctx context.Context, sig []byte) (signature.Descriptor, error) { desc := ocispec.Descriptor{ MediaType: MediaTypeNotationSignature, - Digest: digest.FromBytes(signature), - Size: int64(len(signature)), + Digest: digest.FromBytes(sig), + Size: int64(len(sig)), } - if err := c.Repository.Blobs().Push(ctx, desc, bytes.NewReader(signature)); err != nil { - return notation.Descriptor{}, err + if err := c.Repository.Blobs().Push(ctx, desc, bytes.NewReader(sig)); err != nil { + return signature.Descriptor{}, err } return notationDescriptorFromOCI(desc), nil } // Link creates an signature artifact linking the manifest and the signature -func (c *RepositoryClient) Link(ctx context.Context, manifest, signature notation.Descriptor) (notation.Descriptor, error) { +func (c *RepositoryClient) Link(ctx context.Context, manifest, sig signature.Descriptor) (signature.Descriptor, error) { // generate artifact manifest artifact := artifactspec.Manifest{ MediaType: artifactspec.MediaTypeArtifactManifest, ArtifactType: ArtifactTypeNotation, Blobs: []artifactspec.Descriptor{ - artifactDescriptorFromNotation(signature), + artifactDescriptorFromNotation(sig), }, Subject: artifactDescriptorFromNotation(manifest), } artifactJSON, err := json.Marshal(artifact) if err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } // upload manifest @@ -118,7 +118,7 @@ func (c *RepositoryClient) Link(ctx context.Context, manifest, signature notatio Size: int64(len(artifactJSON)), } if err := c.Repository.Manifests().Push(ctx, desc, bytes.NewReader(artifactJSON)); err != nil { - return notation.Descriptor{}, err + return signature.Descriptor{}, err } return notationDescriptorFromOCI(desc), nil } 
@@ -149,18 +149,18 @@ func (c *RepositoryClient) getArtifactManifest(ctx context.Context, manifestDige return manifest, nil } -func artifactDescriptorFromNotation(desc notation.Descriptor) artifactspec.Descriptor { +func artifactDescriptorFromNotation(desc signature.Descriptor) artifactspec.Descriptor { return artifactspec.Descriptor{ MediaType: desc.MediaType, - Digest: desc.Digest, + Digest: digest.Digest(desc.Digest), Size: desc.Size, } } -func notationDescriptorFromOCI(desc ocispec.Descriptor) notation.Descriptor { - return notation.Descriptor{ +func notationDescriptorFromOCI(desc ocispec.Descriptor) signature.Descriptor { + return signature.Descriptor{ MediaType: desc.MediaType, - Digest: desc.Digest, + Digest: desc.Digest.String(), Size: desc.Size, } } From e6ce0507d4645662e962826571fb81313762bfb3 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 11 May 2022 09:45:07 +0200 Subject: [PATCH 06/16] upgrade notation-go Signed-off-by: qmuntal --- internal/cmd/signer.go | 1 - 1 file changed, 1 deletion(-) diff --git a/internal/cmd/signer.go b/internal/cmd/signer.go index cdf465a59..eedf36664 100644 --- a/internal/cmd/signer.go +++ b/internal/cmd/signer.go @@ -35,7 +35,6 @@ func GetSigner(ctx *cli.Context) (notation.Signer, error) { return &jws.PluginSigner{ Runner: runner, KeyID: key.ExternalKey.ID, - KeyName: key.Name, PluginConfig: key.PluginConfig, }, nil } From 1b938abef8c6d570e138e822287e22c472c9f1da Mon Sep 17 00:00:00 2001 From: qmuntal Date: Fri, 13 May 2022 16:37:14 +0200 Subject: [PATCH 07/16] upgrade notation-go Signed-off-by: qmuntal --- cmd/docker-notation/docker/manifest.go | 2 +- cmd/docker-notation/pull.go | 2 +- cmd/docker-notation/push.go | 2 +- cmd/notation/manifest.go | 2 +- cmd/notation/push.go | 2 +- cmd/notation/sign.go | 2 +- cmd/notation/verify.go | 2 +- pkg/registry/interface.go | 2 +- pkg/registry/repository.go | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) 
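Review bot: `Digest: digest.Digest(desc.Digest)` in artifactDescriptorFromNotation converts a plain string into a digest.Digest without validating it, so a malformed or empty Digest carried in a signature.Descriptor is copied straight into the artifact manifest's blob and subject descriptors. The helper has no error return, so the check belongs in its caller Link (previous hunk), e.g. `if err := digest.Digest(sig.Digest).Validate(); err != nil { return signature.Descriptor{}, fmt.Errorf("invalid signature digest: %w", err) }` with the same guard for manifest. The reverse conversion in notationDescriptorFromOCI (`desc.Digest.String()`) is lossless and needs nothing. A later patch in this series (08) restores the typed notation.Descriptor field, which makes the conversion disappear again.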
diff --git a/cmd/docker-notation/docker/manifest.go b/cmd/docker-notation/docker/manifest.go index f81b8af43..a90269c77 100644 --- a/cmd/docker-notation/docker/manifest.go +++ b/cmd/docker-notation/docker/manifest.go @@ -5,7 +5,7 @@ import ( "os/exec" "github.com/distribution/distribution/v3/manifest/schema2" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/pkg/docker" "github.com/opencontainers/go-digest" "oras.land/oras-go/v2/registry" diff --git a/cmd/docker-notation/pull.go b/cmd/docker-notation/pull.go index d3ac63691..df8410e49 100644 --- a/cmd/docker-notation/pull.go +++ b/cmd/docker-notation/pull.go @@ -7,7 +7,7 @@ import ( "os" "github.com/notaryproject/notation-go" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/cmd/docker-notation/docker" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" diff --git a/cmd/docker-notation/push.go b/cmd/docker-notation/push.go index 378be5cd0..17f12beac 100644 --- a/cmd/docker-notation/push.go +++ b/cmd/docker-notation/push.go @@ -11,7 +11,7 @@ import ( "strings" "github.com/distribution/distribution/v3/manifest/schema2" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/cmd/docker-notation/docker" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index c20faf13e..c1b7f8c06 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
@@ -6,7 +6,7 @@ import ( "math" "os" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/opencontainers/go-digest" "github.com/urfave/cli/v2" "oras.land/oras-go/v2/registry" diff --git a/cmd/notation/push.go b/cmd/notation/push.go index efc776f47..50f5fbf8d 100644 --- a/cmd/notation/push.go +++ b/cmd/notation/push.go @@ -5,7 +5,7 @@ import ( "fmt" "os" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" "github.com/opencontainers/go-digest" diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 3e661fa14..0165373bd 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -5,7 +5,7 @@ import ( "github.com/notaryproject/notation-go" "github.com/notaryproject/notation-go/crypto/timestamp" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/osutil" "github.com/notaryproject/notation/pkg/config" diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 210ad51ac..cc4f2dfcf 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -7,7 +7,7 @@ import ( "os" "github.com/notaryproject/notation-go" - sigspec "github.com/notaryproject/notation-go/spec/v1/signature" + sigspec "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/slices" "github.com/notaryproject/notation/pkg/cache" diff --git a/pkg/registry/interface.go b/pkg/registry/interface.go index 71c97b65e..3bea85798 100644 --- a/pkg/registry/interface.go +++ b/pkg/registry/interface.go 
@@ -3,7 +3,7 @@ package registry import ( "context" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/opencontainers/go-digest" ) diff --git a/pkg/registry/repository.go b/pkg/registry/repository.go index c2f4fd4c1..281e3161a 100644 --- a/pkg/registry/repository.go +++ b/pkg/registry/repository.go @@ -6,7 +6,7 @@ import ( "encoding/json" "fmt" - "github.com/notaryproject/notation-go/spec/v1/signature" + "github.com/notaryproject/notation-go/spec/signature" "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1" From 4bb64ce02c3f6772b530ed67c63d1e2f6e502a66 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 18 May 2022 10:28:40 +0200 Subject: [PATCH 08/16] bump notation-go Signed-off-by: qmuntal --- cmd/docker-notation/docker/manifest.go | 14 +++++++------- cmd/docker-notation/pull.go | 5 ++--- cmd/docker-notation/push.go | 22 +++++++++++----------- cmd/notation/manifest.go | 24 ++++++++++++------------ cmd/notation/push.go | 12 ++++++------ cmd/notation/sign.go | 7 +++---- cmd/notation/verify.go | 3 +-- pkg/registry/interface.go | 6 +++--- pkg/registry/repository.go | 26 +++++++++++++------------- 9 files changed, 58 insertions(+), 61 deletions(-) diff --git a/cmd/docker-notation/docker/manifest.go b/cmd/docker-notation/docker/manifest.go index a90269c77..d625298fe 100644 --- a/cmd/docker-notation/docker/manifest.go +++ b/cmd/docker-notation/docker/manifest.go @@ -5,7 +5,7 @@ import ( "os/exec" "github.com/distribution/distribution/v3/manifest/schema2" - "github.com/notaryproject/notation-go/spec/signature" + "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/pkg/docker" "github.com/opencontainers/go-digest" "oras.land/oras-go/v2/registry" 
@@ -31,23 +31,23 @@ func GenerateManifest(reference string) ([]byte, error) { } // GenerateManifestDescriptor generate manifest descriptor from docker save -func GenerateManifestDescriptor(reference string) (signature.Descriptor, error) { +func GenerateManifestDescriptor(reference string) (notation.Descriptor, error) { manifest, err := GenerateManifest(reference) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } - return signature.Descriptor{ + return notation.Descriptor{ MediaType: schema2.MediaTypeManifest, - Digest: digest.FromBytes(manifest).String(), + Digest: digest.FromBytes(manifest), Size: int64(len(manifest)), }, nil } // GetManifestDescriptor get manifest descriptor from remote registry -func GetManifestDescriptor(ctx context.Context, ref registry.Reference) (signature.Descriptor, error) { +func GetManifestDescriptor(ctx context.Context, ref registry.Reference) (notation.Descriptor, error) { client, err := getRepositoryClient(ref) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } return client.GetManifestDescriptor(ctx, ref.ReferenceOrDefault()) } diff --git a/cmd/docker-notation/pull.go b/cmd/docker-notation/pull.go index df8410e49..783346408 100644 --- a/cmd/docker-notation/pull.go +++ b/cmd/docker-notation/pull.go @@ -7,7 +7,6 @@ import ( "os" "github.com/notaryproject/notation-go" - "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/cmd/docker-notation/docker" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" @@ -74,7 +73,7 @@ func verifyRemoteImage(ctx context.Context, ref string) (string, error) { fmt.Println("The image is originated from:", originRef) } - manifestRef.Reference = manifestDesc.Digest + manifestRef.Reference = manifestDesc.Digest.String() return manifestRef.String(), nil } 
@@ -101,7 +100,7 @@ func verifySignatures( ctx context.Context, verifier notation.Verifier, sigDigests []digest.Digest, - desc signature.Descriptor, + desc notation.Descriptor, ) (digest.Digest, string, error) { var opts notation.VerifyOptions var lastErr error diff --git a/cmd/docker-notation/push.go b/cmd/docker-notation/push.go index 17f12beac..f49d16460 100644 --- a/cmd/docker-notation/push.go +++ b/cmd/docker-notation/push.go @@ -11,7 +11,7 @@ import ( "strings" "github.com/distribution/distribution/v3/manifest/schema2" - "github.com/notaryproject/notation-go/spec/signature" + "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/cmd/docker-notation/docker" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" 
@@ -73,46 +73,46 @@ func pushImage(ctx *cli.Context) error { return nil } -func pushImageAndGetDescriptor(ctx *cli.Context) (signature.Descriptor, error) { +func pushImageAndGetDescriptor(ctx *cli.Context) (notation.Descriptor, error) { args := append([]string{"push"}, ctx.Args().Slice()...) cmd := exec.Command("docker", args...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr stdout, err := cmd.StdoutPipe() if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } scanner := bufio.NewScanner(io.TeeReader(stdout, os.Stdout)) if err := cmd.Start(); err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } var lastLine string for scanner.Scan() { lastLine = scanner.Text() } if err := scanner.Err(); err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } if err := cmd.Wait(); err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } parts := strings.Split(lastLine, " ") if len(parts) != 5 { - return signature.Descriptor{}, fmt.Errorf("invalid docker pull result: %s", lastLine) + return notation.Descriptor{}, fmt.Errorf("invalid docker pull result: %s", lastLine) } digest, err := digest.Parse(parts[2]) if err != nil { - return signature.Descriptor{}, fmt.Errorf("invalid digest: %s", lastLine) + return notation.Descriptor{}, fmt.Errorf("invalid digest: %s", lastLine) } size, err := strconv.ParseInt(parts[4], 10, 64) if err != nil { - return signature.Descriptor{}, fmt.Errorf("invalid size: %s", lastLine) + return notation.Descriptor{}, fmt.Errorf("invalid size: %s", lastLine) } - return signature.Descriptor{ + return notation.Descriptor{ MediaType: schema2.MediaTypeManifest, - Digest: digest.String(), + Digest: digest, Size: size, }, nil } diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index c1b7f8c06..6e275779a 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
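Review bot: The `len(parts) != 5` branch in pushImageAndGetDescriptor returns `fmt.Errorf("invalid docker pull result: %s", lastLine)`, but the function runs `docker push`, so the message misidentifies the failing command; `fmt.Errorf("invalid docker push result: %s", lastLine)` matches the code path. The line below it, `digest, err := digest.Parse(parts[2])`, shadows the go-digest package for the rest of the function; renaming the local to `dgst` keeps the package reachable and reads better in the returned descriptor (`Digest: dgst`). A short comment on the function would help the next reader: the returned descriptor is derived from the last stdout line of the external docker CLI (presumably `<ref>: digest: <digest> size: <bytes>`), and digest.Parse plus the part count are the only validation of that output.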
@@ -6,21 +6,21 @@ import ( "math" "os" - "github.com/notaryproject/notation-go/spec/signature" + "github.com/notaryproject/notation-go" "github.com/opencontainers/go-digest" "github.com/urfave/cli/v2" "oras.land/oras-go/v2/registry" ) -func getManifestDescriptorFromContext(ctx *cli.Context) (signature.Descriptor, error) { +func getManifestDescriptorFromContext(ctx *cli.Context) (notation.Descriptor, error) { ref := ctx.Args().First() if ref == "" { - return signature.Descriptor{}, errors.New("missing reference") + return notation.Descriptor{}, errors.New("missing reference") } return getManifestDescriptorFromContextWithReference(ctx, ref) } -func getManifestDescriptorFromContextWithReference(ctx *cli.Context, ref string) (signature.Descriptor, error) { +func getManifestDescriptorFromContextWithReference(ctx *cli.Context, ref string) (notation.Descriptor, error) { if ctx.Bool(flagLocal.Name) { mediaType := ctx.String(flagMediaType.Name) if ref == "-" { 
@@ -32,36 +32,36 @@ func getManifestDescriptorFromContextWithReference(ctx *cli.Context, ref string) return getManifestDescriptorFromReference(ctx, ref) } -func getManifestDescriptorFromReference(ctx *cli.Context, reference string) (signature.Descriptor, error) { +func getManifestDescriptorFromReference(ctx *cli.Context, reference string) (notation.Descriptor, error) { ref, err := registry.ParseReference(reference) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } repo := getRepositoryClient(ctx, ref) return repo.GetManifestDescriptor(ctx.Context, ref.ReferenceOrDefault()) } -func getManifestDescriptorFromFile(path, mediaType string) (signature.Descriptor, error) { +func getManifestDescriptorFromFile(path, mediaType string) (notation.Descriptor, error) { file, err := os.Open(path) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } defer file.Close() return getManifestDescriptorFromReader(file, mediaType) } -func getManifestDescriptorFromReader(r io.Reader, mediaType string) (signature.Descriptor, error) { +func getManifestDescriptorFromReader(r io.Reader, mediaType string) (notation.Descriptor, error) { lr := &io.LimitedReader{ R: r, N: math.MaxInt64, } digest, err := digest.SHA256.FromReader(lr) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } - return signature.Descriptor{ + return notation.Descriptor{ MediaType: mediaType, - Digest: digest.String(), + Digest: digest, Size: math.MaxInt64 - lr.N, }, nil } diff --git a/cmd/notation/push.go b/cmd/notation/push.go index 50f5fbf8d..a2fa92572 100644 --- a/cmd/notation/push.go +++ b/cmd/notation/push.go @@ -5,7 +5,7 @@ import ( "fmt" "os" - "github.com/notaryproject/notation-go/spec/signature" + "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" "github.com/opencontainers/go-digest" 
@@ -72,25 +72,25 @@ func runPush(ctx *cli.Context) error { return nil } -func pushSignature(ctx *cli.Context, ref string, sig []byte) (signature.Descriptor, error) { +func pushSignature(ctx *cli.Context, ref string, sig []byte) (notation.Descriptor, error) { // initialize sigRepo, err := getSignatureRepository(ctx, ref) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } manifestDesc, err := getManifestDescriptorFromReference(ctx, ref) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } // core process sigDesc, err := sigRepo.Put(ctx.Context, sig) if err != nil { - return signature.Descriptor{}, fmt.Errorf("push signature failure: %v", err) + return notation.Descriptor{}, fmt.Errorf("push signature failure: %v", err) } desc, err := sigRepo.Link(ctx.Context, manifestDesc, sigDesc) if err != nil { - return signature.Descriptor{}, fmt.Errorf("link signature failure: %v", err) + return notation.Descriptor{}, fmt.Errorf("link signature failure: %v", err) } return desc, nil diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 0165373bd..155aef2e0 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -5,7 +5,6 @@ import ( "github.com/notaryproject/notation-go" "github.com/notaryproject/notation-go/crypto/timestamp" - "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/osutil" "github.com/notaryproject/notation/pkg/config" 
@@ -86,10 +85,10 @@ func runSign(ctx *cli.Context) error { return nil } -func prepareSigningContent(ctx *cli.Context) (signature.Descriptor, notation.SignOptions, error) { +func prepareSigningContent(ctx *cli.Context) (notation.Descriptor, notation.SignOptions, error) { manifestDesc, err := getManifestDescriptorFromContext(ctx) if err != nil { - return signature.Descriptor{}, notation.SignOptions{}, err + return notation.Descriptor{}, notation.SignOptions{}, err } if identity := ctx.String(cmd.FlagReference.Name); identity != "" { manifestDesc.Annotations = map[string]string{ @@ -99,7 +98,7 @@ func prepareSigningContent(ctx *cli.Context) (signature.Descriptor, notation.Sig var tsa timestamp.Timestamper if endpoint := ctx.String(cmd.FlagTimestamp.Name); endpoint != "" { if tsa, err = timestamp.NewHTTPTimestamper(nil, endpoint); err != nil { - return signature.Descriptor{}, notation.SignOptions{}, err + return notation.Descriptor{}, notation.SignOptions{}, err } } return manifestDesc, notation.SignOptions{ diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index cc4f2dfcf..5b9642407 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -7,7 +7,6 @@ import ( "os" "github.com/notaryproject/notation-go" - sigspec "github.com/notaryproject/notation-go/spec/signature" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/slices" "github.com/notaryproject/notation/pkg/cache" @@ -85,7 +84,7 @@ func runVerify(ctx *cli.Context) error { return nil } -func verifySignatures(ctx context.Context, verifier notation.Verifier, manifestDesc sigspec.Descriptor, sigPaths []string) error { +func verifySignatures(ctx context.Context, verifier notation.Verifier, manifestDesc notation.Descriptor, sigPaths []string) error { if len(sigPaths) == 0 { return errors.New("verification failure: no signatures found") } diff --git a/pkg/registry/interface.go b/pkg/registry/interface.go index 3bea85798..4b22b0d6e 100644 
--- a/pkg/registry/interface.go +++ b/pkg/registry/interface.go @@ -3,7 +3,7 @@ package registry import ( "context" - "github.com/notaryproject/notation-go/spec/signature" + "github.com/notaryproject/notation-go" "github.com/opencontainers/go-digest" ) @@ -16,8 +16,8 @@ type SignatureRepository interface { Get(ctx context.Context, signatureDigest digest.Digest) ([]byte, error) // Put uploads the signature to the registry - Put(ctx context.Context, signature []byte) (signature.Descriptor, error) + Put(ctx context.Context, signature []byte) (notation.Descriptor, error) // Link creates an signature artifact linking the manifest and the signature - Link(ctx context.Context, manifest, signature signature.Descriptor) (signature.Descriptor, error) + Link(ctx context.Context, manifest, signature notation.Descriptor) (notation.Descriptor, error) } diff --git a/pkg/registry/repository.go b/pkg/registry/repository.go index 281e3161a..730ff4892 100644 --- a/pkg/registry/repository.go +++ b/pkg/registry/repository.go @@ -6,7 +6,7 @@ import ( "encoding/json" "fmt" - "github.com/notaryproject/notation-go/spec/signature" + "github.com/notaryproject/notation-go" "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1" @@ -36,10 +36,10 @@ func NewRepositoryClient(client remote.Client, ref registry.Reference, plainHTTP } // GetManifestDescriptor returns signature manifest information by tag or digest. -func (c *RepositoryClient) GetManifestDescriptor(ctx context.Context, ref string) (signature.Descriptor, error) { +func (c *RepositoryClient) GetManifestDescriptor(ctx context.Context, ref string) (notation.Descriptor, error) { desc, err := c.Repository.Resolve(ctx, ref) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } return notationDescriptorFromOCI(desc), nil } 
@@ -83,20 +83,20 @@ func (c *RepositoryClient) Get(ctx context.Context, signatureDigest digest.Diges } // Put uploads the signature to the registry -func (c *RepositoryClient) Put(ctx context.Context, sig []byte) (signature.Descriptor, error) { +func (c *RepositoryClient) Put(ctx context.Context, sig []byte) (notation.Descriptor, error) { desc := ocispec.Descriptor{ MediaType: MediaTypeNotationSignature, Digest: digest.FromBytes(sig), Size: int64(len(sig)), } if err := c.Repository.Blobs().Push(ctx, desc, bytes.NewReader(sig)); err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } return notationDescriptorFromOCI(desc), nil } // Link creates an signature artifact linking the manifest and the signature -func (c *RepositoryClient) Link(ctx context.Context, manifest, sig signature.Descriptor) (signature.Descriptor, error) { +func (c *RepositoryClient) Link(ctx context.Context, manifest, sig notation.Descriptor) (notation.Descriptor, error) { // generate artifact manifest artifact := artifactspec.Manifest{ MediaType: artifactspec.MediaTypeArtifactManifest, @@ -108,7 +108,7 @@ func (c *RepositoryClient) Link(ctx context.Context, manifest, sig signature.Des } artifactJSON, err := json.Marshal(artifact) if err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } // upload manifest @@ -118,7 +118,7 @@ func (c *RepositoryClient) Link(ctx context.Context, manifest, sig signature.Des Size: int64(len(artifactJSON)), } if err := c.Repository.Manifests().Push(ctx, desc, bytes.NewReader(artifactJSON)); err != nil { - return signature.Descriptor{}, err + return notation.Descriptor{}, err } return notationDescriptorFromOCI(desc), nil } 
@@ -149,18 +149,18 @@ func (c *RepositoryClient) getArtifactManifest(ctx context.Context, manifestDige return manifest, nil } -func artifactDescriptorFromNotation(desc signature.Descriptor) artifactspec.Descriptor { +func artifactDescriptorFromNotation(desc notation.Descriptor) artifactspec.Descriptor { return artifactspec.Descriptor{ MediaType: desc.MediaType, - Digest: digest.Digest(desc.Digest), + Digest: desc.Digest, Size: desc.Size, } } -func notationDescriptorFromOCI(desc ocispec.Descriptor) signature.Descriptor { - return signature.Descriptor{ +func notationDescriptorFromOCI(desc ocispec.Descriptor) notation.Descriptor { + return notation.Descriptor{ MediaType: desc.MediaType, - Digest: desc.Digest.String(), + Digest: desc.Digest, Size: desc.Size, } } From 8e9821dda8514b548618cf299afd06ce7446191b Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 18 May 2022 10:31:35 +0200 Subject: [PATCH 09/16] revert name change Signed-off-by: qmuntal --- pkg/registry/repository.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkg/registry/repository.go b/pkg/registry/repository.go index 730ff4892..7bb19c956 100644 --- a/pkg/registry/repository.go +++ b/pkg/registry/repository.go 
@@ -83,26 +83,26 @@ func (c *RepositoryClient) Get(ctx context.Context, signatureDigest digest.Diges } // Put uploads the signature to the registry -func (c *RepositoryClient) Put(ctx context.Context, sig []byte) (notation.Descriptor, error) { +func (c *RepositoryClient) Put(ctx context.Context, signature []byte) (notation.Descriptor, error) { desc := ocispec.Descriptor{ MediaType: MediaTypeNotationSignature, - Digest: digest.FromBytes(sig), - Size: int64(len(sig)), + Digest: digest.FromBytes(signature), + Size: int64(len(signature)), } - if err := c.Repository.Blobs().Push(ctx, desc, bytes.NewReader(sig)); err != nil { + if err := c.Repository.Blobs().Push(ctx, desc, bytes.NewReader(signature)); err != nil { return notation.Descriptor{}, err } return notationDescriptorFromOCI(desc), nil } // Link creates an signature artifact linking the manifest and the signature -func (c *RepositoryClient) Link(ctx context.Context, manifest, sig notation.Descriptor) (notation.Descriptor, error) { +func (c *RepositoryClient) Link(ctx context.Context, manifest, signature notation.Descriptor) (notation.Descriptor, error) { // generate artifact manifest artifact := artifactspec.Manifest{ MediaType: artifactspec.MediaTypeArtifactManifest, ArtifactType: ArtifactTypeNotation, Blobs: []artifactspec.Descriptor{ - artifactDescriptorFromNotation(sig), + artifactDescriptorFromNotation(signature), }, Subject: artifactDescriptorFromNotation(manifest), } From fa5499ac8bf728cce2d39b94a6922f902a6ca7b5 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 18 May 2022 10:34:26 +0200 Subject: [PATCH 10/16] remove unnecessary casts Signed-off-by: qmuntal --- cmd/docker-notation/pull.go | 2 +- cmd/docker-notation/push.go | 2 +- cmd/notation/pull.go | 4 ++-- cmd/notation/push.go | 5 ++--- 4 files changed, 6 insertions(+), 7 deletions(-) diff --git a/cmd/docker-notation/pull.go b/cmd/docker-notation/pull.go index 783346408..f1e8484f0 100644 --- a/cmd/docker-notation/pull.go 
+++ b/cmd/docker-notation/pull.go @@ -105,7 +105,7 @@ func verifySignatures( var opts notation.VerifyOptions var lastErr error for _, sigDigest := range sigDigests { - path := config.SignaturePath(digest.Digest(desc.Digest), sigDigest) + path := config.SignaturePath(desc.Digest, sigDigest) sig, err := os.ReadFile(path) if err != nil { return "", "", err diff --git a/cmd/docker-notation/push.go b/cmd/docker-notation/push.go index f49d16460..c8cc4205f 100644 --- a/cmd/docker-notation/push.go +++ b/cmd/docker-notation/push.go @@ -46,7 +46,7 @@ func pushImage(ctx *cli.Context) error { return err } pushSignature := func(sigDigest digest.Digest) error { - sigPath := config.SignaturePath(digest.Digest(desc.Digest), sigDigest) + sigPath := config.SignaturePath(desc.Digest, sigDigest) sig, err := os.ReadFile(sigPath) if err != nil { return err diff --git a/cmd/notation/pull.go b/cmd/notation/pull.go index 3c4e5eee4..6635cf730 100644 --- a/cmd/notation/pull.go +++ b/cmd/notation/pull.go @@ -53,7 +53,7 @@ func runPull(ctx *cli.Context) error { return err } - sigDigests, err := sigRepo.Lookup(ctx.Context, digest.Digest(manifestDesc.Digest)) + sigDigests, err := sigRepo.Lookup(ctx.Context, manifestDesc.Digest) if err != nil { return fmt.Errorf("lookup signature failure: %v", err) } @@ -69,7 +69,7 @@ func runPull(ctx *cli.Context) error { if err := osutil.WriteFile(outputPath, sig); err != nil { return fmt.Errorf("fail to write signature: %v: %v", sigDigest, err) } - } else if err := cache.PullSignature(ctx.Context, sigRepo, digest.Digest(manifestDesc.Digest), sigDigest); err != nil { + } else if err := cache.PullSignature(ctx.Context, sigRepo, manifestDesc.Digest, sigDigest); err != nil { return err } diff --git a/cmd/notation/push.go b/cmd/notation/push.go index a2fa92572..5e58b8806 100644 --- a/cmd/notation/push.go +++ b/cmd/notation/push.go 
@@ -8,7 +8,6 @@ import ( "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/pkg/cache" "github.com/notaryproject/notation/pkg/config" - "github.com/opencontainers/go-digest" "github.com/urfave/cli/v2" ) @@ -37,12 +36,12 @@ func runPush(ctx *cli.Context) error { } sigPaths := ctx.StringSlice(flagSignature.Name) if len(sigPaths) == 0 { - sigDigests, err := cache.SignatureDigests(digest.Digest(manifestDesc.Digest)) + sigDigests, err := cache.SignatureDigests(manifestDesc.Digest) if err != nil { return err } for _, sigDigest := range sigDigests { - sigPaths = append(sigPaths, config.SignaturePath(digest.Digest(manifestDesc.Digest), sigDigest)) + sigPaths = append(sigPaths, config.SignaturePath(manifestDesc.Digest, sigDigest)) } } From 948d27ae9bfb814c3aaf137ac61827a5914a54f8 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 18 May 2022 10:36:23 +0200 Subject: [PATCH 11/16] remove unnecessary casts Signed-off-by: qmuntal --- cmd/docker-notation/pull.go | 2 +- cmd/docker-notation/push.go | 2 +- cmd/docker-notation/sign.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/docker-notation/pull.go b/cmd/docker-notation/pull.go index f1e8484f0..1277210cc 100644 --- a/cmd/docker-notation/pull.go +++ b/cmd/docker-notation/pull.go @@ -53,7 +53,7 @@ func verifyRemoteImage(ctx context.Context, ref string) (string, error) { fmt.Printf("%s: digest: %v size: %v\n", manifestRef.ReferenceOrDefault(), manifestDesc.Digest, manifestDesc.Size) fmt.Println("Looking up for signatures") - sigDigests, err := downloadSignatures(ctx, ref, digest.Digest(manifestDesc.Digest)) + sigDigests, err := downloadSignatures(ctx, ref, manifestDesc.Digest) if err != nil { return "", err } diff --git a/cmd/docker-notation/push.go b/cmd/docker-notation/push.go index c8cc4205f..593704675 100644 --- a/cmd/docker-notation/push.go +++ b/cmd/docker-notation/push.go 
@@ -33,7 +33,7 @@ func pushImage(ctx *cli.Context) error { } fmt.Println("Pushing signature") - sigDigests, err := cache.SignatureDigests(digest.Digest(desc.Digest)) + sigDigests, err := cache.SignatureDigests(desc.Digest) if err != nil { return err } diff --git a/cmd/docker-notation/sign.go b/cmd/docker-notation/sign.go index 85648b5d6..fa135a368 100644 --- a/cmd/docker-notation/sign.go +++ b/cmd/docker-notation/sign.go @@ -60,7 +60,7 @@ func signImage(ctx *cli.Context) error { if err != nil { return err } - sigPath := config.SignaturePath(digest.Digest(desc.Digest), digest.FromBytes(sig)) + sigPath := config.SignaturePath(desc.Digest, digest.FromBytes(sig)) if err := osutil.WriteFile(sigPath, sig); err != nil { return err } From 84b88499340c812bfde5102c4f5997e756f1ac09 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 18 May 2022 10:37:55 +0200 Subject: [PATCH 12/16] simplify isDefaultKey Signed-off-by: qmuntal --- cmd/notation/cert_gen.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/cmd/notation/cert_gen.go b/cmd/notation/cert_gen.go index ed96b9843..5a44871d9 100644 --- a/cmd/notation/cert_gen.go +++ b/cmd/notation/cert_gen.go @@ -63,8 +63,14 @@ func generateTestCert(ctx *cli.Context) error { if err != nil { return err } - isDefault := ctx.Bool(keyDefaultFlag.Name) - keySuite := config.KeySuite{Name: name, X509KeyPair: &config.X509KeyPair{KeyPath: keyPath, CertificatePath: certPath}} + isDefaultKey := ctx.Bool(keyDefaultFlag.Name) + keySuite := config.KeySuite{ + Name: name, + X509KeyPair: &config.X509KeyPair{ + KeyPath: keyPath, + CertificatePath: certPath, + }, + } err = addKeyCore(cfg, keySuite, ctx.Bool(keyDefaultFlag.Name)) if err != nil { return err @@ -81,7 +87,7 @@ func generateTestCert(ctx *cli.Context) error { // write out fmt.Printf("%s: added to the key list\n", name) - if isDefault { + if isDefaultKey { fmt.Printf("%s: marked as default\n", name) } if trust { 
From 0f87cdcbd6faf5f9e0714190e3f54041ce38c076 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Wed, 18 May 2022 13:57:19 +0200 Subject: [PATCH 13/16] revert unnecessary change Signed-off-by: qmuntal --- cmd/notation/cert_gen.go | 4 ++-- cmd/notation/key.go | 8 ++++---- cmd/notation/list.go | 3 +-- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/cmd/notation/cert_gen.go b/cmd/notation/cert_gen.go index 5a44871d9..d27c434cc 100644 --- a/cmd/notation/cert_gen.go +++ b/cmd/notation/cert_gen.go @@ -63,7 +63,7 @@ func generateTestCert(ctx *cli.Context) error { if err != nil { return err } - isDefaultKey := ctx.Bool(keyDefaultFlag.Name) + isDefault := ctx.Bool(keyDefaultFlag.Name) keySuite := config.KeySuite{ Name: name, X509KeyPair: &config.X509KeyPair{ @@ -87,7 +87,7 @@ func generateTestCert(ctx *cli.Context) error { // write out fmt.Printf("%s: added to the key list\n", name) - if isDefaultKey { + if isDefault { fmt.Printf("%s: marked as default\n", name) } if trust { diff --git a/cmd/notation/key.go b/cmd/notation/key.go index 7ae7a1ee9..cdf199be4 100644 --- a/cmd/notation/key.go +++ b/cmd/notation/key.go @@ -43,15 +43,15 @@ var ( Usage: "key name", Required: true, }, - &cli.StringFlag{ - Name: "id", - Usage: "key id (required if --plugin is set)", - }, &cli.StringFlag{ Name: "plugin", Aliases: []string{"p"}, Usage: "signing plugin name", }, + &cli.StringFlag{ + Name: "id", + Usage: "key id (required if --plugin is set)", + }, keyDefaultFlag, }, Action: addKey, diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 27f478834..10c90cb8d 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -4,7 +4,6 @@ import ( "errors" "fmt" - "github.com/opencontainers/go-digest" "github.com/urfave/cli/v2" ) 
@@ -39,7 +38,7 @@ func runList(ctx *cli.Context) error {
 return err
 }
- sigDigests, err := sigRepo.Lookup(ctx.Context, digest.Digest(manifestDesc.Digest))
+ sigDigests, err := sigRepo.Lookup(ctx.Context, manifestDesc.Digest)
 if err != nil {
 return fmt.Errorf("lookup signature failure: %v", err)
 }
From 5b0a6d14056dc985382d6904f738e1f03cf18d15 Mon Sep 17 00:00:00 2001
From: qmuntal
Date: Wed, 18 May 2022 15:01:39 +0200
Subject: [PATCH 14/16] support config maps
Signed-off-by: qmuntal
---
 cmd/notation/key.go | 14 ++++++++++++--
 cmd/notation/sign.go | 10 ++++++++--
 internal/cmd/flags.go | 31 +++++++++++++++++++++++++++++-
 internal/cmd/flags_test.go | 39 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 89 insertions(+), 5 deletions(-)
 create mode 100644 internal/cmd/flags_test.go
diff --git a/cmd/notation/key.go b/cmd/notation/key.go
index cdf199be4..de2a45686 100644
--- a/cmd/notation/key.go
+++ b/cmd/notation/key.go
@@ -8,6 +8,7 @@ import (
 "path/filepath"
 "github.com/notaryproject/notation-go/plugin/manager"
+ "github.com/notaryproject/notation/internal/cmd"
 "github.com/notaryproject/notation/internal/ioutil"
 "github.com/notaryproject/notation/internal/slices"
 "github.com/notaryproject/notation/pkg/config"
@@ -52,6 +53,7 @@ var (
 Name: "id",
 Usage: "key id (required if --plugin is set)",
 },
+ cmd.FlagPluginConfig,
 keyDefaultFlag,
 },
 Action: addKey,
@@ -133,9 +135,17 @@ func addExternalKey(ctx *cli.Context, pluginName, keyName string) (config.KeySui
 if p.Err != nil {
 return config.KeySuite{}, fmt.Errorf("invalid plugin: %w", p.Err)
 }
+ pluginConfig, err := cmd.ParseFlagPluginConfig(ctx.StringSlice(cmd.FlagPluginConfig.Name))
+ if err != nil {
+ return config.KeySuite{}, err
+ }
 return config.KeySuite{
- Name: keyName,
- ExternalKey: &config.ExternalKey{ID: id, PluginName: pluginName},
+ Name: keyName,
+ ExternalKey: &config.ExternalKey{
+ ID: id,
+ PluginName: pluginName,
+ PluginConfig: pluginConfig,
+ },
 }, nil
 }
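Review bot: The plugin-config parsing added to addExternalKey, `pluginConfig, err := cmd.ParseFlagPluginConfig(ctx.StringSlice(cmd.FlagPluginConfig.Name))`, is repeated verbatim in prepareSigningContent in this commit's sign.go hunk; a `GetPluginConfig(ctx *cli.Context) (map[string]string, error)` helper in internal/cmd, next to the existing `cmd.GetExpiry(ctx)`, would keep the flag name and its parsing in one place. It also runs only after the plugin has already been resolved (`p.Err` is checked just above it), so a malformed `--pluginConfig` is reported after the plugin lookup rather than before; moving the two lines above the lookup gives the user the cheaper flag error first. The map is stored in the returned KeySuite as is, and if that suite is persisted to the key configuration — as the `addKeyCore(cfg, keySuite, …)` call in cert_gen.go suggests for the X509 case — whatever the user passes, credentials included, is written to that file in plaintext, which the flag's usage text should say. addExternalKey's opening lines are outside this hunk.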
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 155aef2e0..776ef99b1 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -38,6 +38,7 @@ var signCommand = &cli.Command{
 flagPassword,
 flagPlainHTTP,
 flagMediaType,
+ cmd.FlagPluginConfig,
 },
 Action: runSign,
 }
@@ -101,8 +102,13 @@ func prepareSigningContent(ctx *cli.Context) (notation.Descriptor, notation.Sign
 return notation.Descriptor{}, notation.SignOptions{}, err
 }
 }
+ pluginConfig, err := cmd.ParseFlagPluginConfig(ctx.StringSlice(cmd.FlagPluginConfig.Name))
+ if err != nil {
+ return notation.Descriptor{}, notation.SignOptions{}, err
+ }
 return manifestDesc, notation.SignOptions{
- Expiry: cmd.GetExpiry(ctx),
- TSA: tsa,
+ Expiry: cmd.GetExpiry(ctx),
+ TSA: tsa,
+ PluginConfig: pluginConfig,
 }, nil
 }
diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go
index 9983113a7..a2f421c16 100644
--- a/internal/cmd/flags.go
+++ b/internal/cmd/flags.go
@@ -1,7 +1,12 @@
 // Package cmd contains common flags and routines for all CLIs.
 package cmd
-import "github.com/urfave/cli/v2"
+import (
+ "fmt"
+ "strings"
+
+ "github.com/urfave/cli/v2"
+)
 var (
 FlagKey = &cli.StringFlag{
@@ -39,4 +44,28 @@ var (
 Aliases: []string{"r"},
 Usage: "original reference",
 }
+
+ FlagPluginConfig = &cli.StringSliceFlag{
+ Name: "pluginConfig",
+ Aliases: []string{"pc"},
+ Usage: "list of command-separated {key}={value} pairs",
+ }
 )
+
+func ParseFlagPluginConfig(pluginConfigSlice []string) (map[string]string, error) {
+ if len(pluginConfigSlice) == 0 {
+ return nil, nil
+ }
+ m := make(map[string]string, len(pluginConfigSlice))
+ for _, c := range pluginConfigSlice {
+ if k, v, ok := strings.Cut(c, "="); ok {
+ if _, exist := m[k]; exist {
+ return nil, fmt.Errorf("duplicated --pluginConfig entry %s", k)
+ }
+ m[k] = v
+ } else {
+ return nil, fmt.Errorf("malformed --pluginConfig entry %q", c)
+ }
+ }
+ return m, nil
+}
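Review bot: ParseFlagPluginConfig in the flags.go hunk at -39,4 accepts an empty key — `strings.Cut("=v", "=")` returns ok with k equal to "" — so `--pluginConfig =v` silently produces the entry `"": "v"` that is then handed to the plugin; a guard right after the Cut, `if k == "" { return nil, fmt.Errorf("malformed --pluginConfig entry %q", c) }`, rejects it with the same error the non-`=` case already gets. The duplicate error formats the key with `%s` while the malformed one uses `%q`; both values come straight from the command line, so `fmt.Errorf("duplicated --pluginConfig entry %q", k)` keeps the two consistent and makes whitespace-only keys visible. `FlagPluginConfig` and `ParseFlagPluginConfig` are exported without doc comments; the function could carry `// ParseFlagPluginConfig turns the --pluginConfig values into a key/value map, returning nil for no entries and an error on a duplicate key or an entry without "=".`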
diff --git a/internal/cmd/flags_test.go b/internal/cmd/flags_test.go
new file mode 100644
index 000000000..326cf54c2
--- /dev/null
+++ b/internal/cmd/flags_test.go
@@ -0,0 +1,39 @@
+// Package cmd contains common flags and routines for all CLIs.
+package cmd
+
+import (
+ "reflect"
+ "testing"
+)
+
+func TestParseFlagPluginConfig(t *testing.T) {
+ type args struct {
+ s []string
+ }
+ tests := []struct {
+ name string
+ args args
+ want map[string]string
+ wantErr bool
+ }{
+ {"nil", args{nil}, nil, false},
+ {"empty", args{[]string{}}, nil, false},
+ {"single", args{[]string{"a=b"}}, map[string]string{"a": "b"}, false},
+ {"multiple", args{[]string{"a=b", "c=d"}}, map[string]string{"a": "b", "c": "d"}, false},
+ {"quoted", args{[]string{"a=b", "\"c\"=d"}}, map[string]string{"a": "b", "\"c\"": "d"}, false},
+ {"duplicated", args{[]string{"a=b", "a=d"}}, nil, true},
+ {"malformed", args{[]string{"a=b", "c:d"}}, nil, true},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := ParseFlagPluginConfig(tt.args.s)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("ParseFlagPluginConfig() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ if !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("ParseFlagPluginConfig() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
From f6808c863f23b4fa7cd9443464ec39fc3c72f058 Mon Sep 17 00:00:00 2001
From: qmuntal
Date: Wed, 18 May 2022 22:53:57 +0200
Subject: [PATCH 15/16] switch to notaryproject/notation-go@main
Signed-off-by: qmuntal
---
 go.mod | 4 +---
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 12ce04477..0a6e9cc6c 100644
--- a/go.mod
+++ b/go.mod
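Review bot: The table in TestParseFlagPluginConfig has no row for an empty key or an empty value, which is exactly where the `strings.Cut`-based parser's behaviour is least obvious: with the implementation in this commit `[]string{"a="}` yields `map[string]string{"a": ""}` and `[]string{"=b"}` yields `map[string]string{"": "b"}`, and nothing pins whether either is intended. Adding `{"emptyvalue", args{[]string{"a="}}, map[string]string{"a": ""}, false},` plus an `emptykey` row with whichever outcome is wanted documents the contract for the plugins that receive these maps. The single-field `args` struct adds a level of nesting for no gain; a plain `s []string` column in the table row reads more simply.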
@@ -5,7 +5,7 @@ go 1.18 require ( github.com/distribution/distribution/v3 v3.0.0-20210804104954-38ab4c606ee3 github.com/docker/cli v20.10.14+incompatible - github.com/notaryproject/notation-go v0.8.0-alpha.1.0.20220504164459-182873bded16 + github.com/notaryproject/notation-go v0.8.0-alpha.1.0.20220518191708-407537596ed5 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.0.2 github.com/oras-project/artifacts-spec v1.0.0-draft.1.1 @@ -25,5 +25,3 @@ require ( golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 // indirect gotest.tools/v3 v3.0.3 // indirect ) - -replace github.com/notaryproject/notation-go => github.com/qmuntal/notation-go v0.7.0-alpha.1.0.20220518080859-07fe9b874982 diff --git a/go.sum b/go.sum index 2f7f43e31..1c3f128ec 100644 --- a/go.sum +++ b/go.sum @@ -73,6 +73,8 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= +github.com/notaryproject/notation-go v0.8.0-alpha.1.0.20220518191708-407537596ed5 h1:gOayVV8HsSFN4BYLizWAMBtjoxSn944tjIxvwDgYmAY= +github.com/notaryproject/notation-go v0.8.0-alpha.1.0.20220518191708-407537596ed5/go.mod h1:KtNtijh22iUsC3y7KTzllwPoDKV7mJANYz/RunvOhqs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= 
@@ -96,8 +98,6 @@ github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= -github.com/qmuntal/notation-go v0.7.0-alpha.1.0.20220518080859-07fe9b874982 h1:oow9r9GCNWhintF+M7UQP2x6SEsIGt2VoTEVaMnxFog= -github.com/qmuntal/notation-go v0.7.0-alpha.1.0.20220518080859-07fe9b874982/go.mod h1:KtNtijh22iUsC3y7KTzllwPoDKV7mJANYz/RunvOhqs= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= From b1ebdd03115a6559215c4a7ea8342153fa7d6b23 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Thu, 19 May 2022 14:06:30 +0200 Subject: [PATCH 16/16] Apply suggestions from code review Co-authored-by: Milind Gokarn Signed-off-by: qmuntal --- internal/cmd/flags.go | 2 +- internal/cmd/signer.go | 8 ++++++-- pkg/signature/jws.go | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index a2f421c16..78ce8506c 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -48,7 +48,7 @@ var ( FlagPluginConfig = &cli.StringSliceFlag{ Name: "pluginConfig", Aliases: []string{"pc"}, - Usage: "list of command-separated {key}={value} pairs", + Usage: "list of comma-separated {key}={value} pairs that are passed as is to the plugin, refer plugin documentation to set appropriate values", } ) diff --git a/internal/cmd/signer.go b/internal/cmd/signer.go index eedf36664..025ff542b 100644 --- a/internal/cmd/signer.go +++ b/internal/cmd/signer.go 
@@ -14,11 +14,13 @@ import (
 // GetSigner returns a signer according to the CLI context.
 func GetSigner(ctx *cli.Context) (notation.Signer, error) {
- // read paths of the signing key and its corresponding cert.
+ // Construct a signer from key and cert file if provided as CLI arguments
 if keyPath := ctx.String(FlagKeyFile.Name); keyPath != "" {
 certPath := ctx.String(FlagCertFile.Name)
 return signature.NewSignerFromFiles(keyPath, certPath)
 }
+ // Construct a signer from preconfigured key pair in config.json
+ // if key name is provided as the CLI argument
 key, err := config.ResolveKey(ctx.String(FlagKey.Name))
 if err != nil {
 return nil, err
@@ -26,6 +28,8 @@ func GetSigner(ctx *cli.Context) (notation.Signer, error) {
 if key.X509KeyPair != nil {
 return signature.NewSignerFromFiles(key.X509KeyPair.KeyPath, key.X509KeyPair.CertificatePath)
 }
+ // Construct a plugin signer if key name provided as the CLI argument
+ // corresponds to an external key
 if key.ExternalKey != nil {
 mgr := manager.New(config.PluginDirPath)
 runner, err := mgr.Runner(key.PluginName)
@@ -38,7 +42,7 @@ func GetSigner(ctx *cli.Context) (notation.Signer, error) {
 PluginConfig: key.PluginConfig,
 }, nil
 }
- return nil, errors.New("unsupported key")
+ return nil, errors.New("unsupported key, either provide a local key and certificate file paths, or a key name in config.json, check [DOC_PLACEHOLDER] for details")
 }
 // GetExpiry returns the signature expiry according to the CLI context.
diff --git a/pkg/signature/jws.go b/pkg/signature/jws.go
index f2212456b..d73e99a78 100644
--- a/pkg/signature/jws.go
+++ b/pkg/signature/jws.go
@@ -25,7 +25,7 @@ func NewSignerFromFiles(keyPath, certPath string) (*jws.Signer, error) {
 return nil, err
 }
 if len(cert.Certificate) == 0 {
- return nil, errors.New("missing signer certificate chain")
+ return nil, fmt.Errorf("%q does not contain a signer certificate chain", certPath)
 }
 // parse cert
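Review bot: The new fallback error in the signer.go hunk at -38,7 ships the literal `[DOC_PLACEHOLDER]` to the user in `errors.New("unsupported key, ... check [DOC_PLACEHOLDER] for details")`; it needs a real reference or the clause dropped before merge, e.g. `return nil, errors.New("unsupported key: provide a key and certificate file, or the name of a key configured in config.json")`. The three added comments in the earlier hunks at -14,11 and -26,6 read well as a map of the three signer sources, though the first replaces a comment that ended with a period and the new ones do not. GetSigner's signature is in the first hunk's context and its body runs across all three hunks; the jws.go hunk at the end continues past this chunk and is not reviewed here.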