spec: add spec for notation verify command #371
shizhMSFT merged 13 commits into notaryproject:main from
Signed-off-by: Yi Zha <zhayi@outlook.com>
Codecov Report
Coverage Diff

| | main | #371 | +/- |
|---|---|---|---|
| Coverage | 30.54% | 30.70% | +0.16% |
| Files | 25 | 26 | +1 |
| Lines | 1614 | 1638 | +24 |
| Hits | 493 | 503 | +10 |
| Misses | 1108 | 1122 | +14 |
| Partials | 13 | 13 | |
priteshbandi
left a comment
LGTM with the suggestions below.
dtzar
left a comment
Open to addressing these before or after merge, so marking as approve.
> ```
> notation verify registry.wabbit-networks.io/software/net-monitor:v1
> ```
>
> ### Verify signatures on an OCI artifact stored in a registry (Trust store and trust policy are configured properly)
This is confusing as to OCI artifact versus trust * configured versus not.
I'd consider removing the distinction of OCI artifact per section. Place the tag AND digest verification options for image & OCI artifact in the same properly configured section.
I'd then have a section on what the experience is like when trust store and policy is not configured. I'd imagine you wouldn't get a verification, but show some error message(s).
I will create a new PR to address this comment and the error handling parts.
> ```
> # Configure trust policy by creating a JSON document named "trustpolicy.json" under directory "{NOTATION_CONFIG}"
> # Example on Linux
> cat <<EOF > $HOME/.config/notation/trustpolicy.json
> ```
This is going to vary based on the user's operating system. IMO we should consider if we can get a "bare bones" CLI implementation which simply writes a template similar to what's there to the user's proper directory (i.e. `notation policy create -n default`) and possibly opens it up or lists where it is at (i.e. `notation policy list` or `notation policy open` (optional `--name default`)).
I will create a new issue for a discussion regarding this request.
> Verify signatures associated with the artifact.
>
> Usage:
> ```
> notation verify [flags] <reference>
> ```
We should explain here and in the sign command that `<reference>` can be a tag or a digest. When given a tag, we do a default tag-to-digest translation and we only sign/verify the digest, not the tag itself.
I will create a new PR to address this
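The tag-versus-digest behaviour discussed in this thread, as an added illustration that is not notation's own code: `ParseReference` and `Resolve` are hypothetical helpers, the digest pattern is limited to `sha256`, and the tag-to-digest map stands in for a registry lookup with constructed values. The point for a verifier is that a tag is mutable, so the digest it resolves to is what actually gets verified and what the tool should report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// digestRe is the OCI digest form (algorithm:hex) that verification runs against.
var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
// Reference is a parsed <reference>: repository plus a mutable tag or an immutable digest.
type Reference struct {
	Repository string
	Tag        string // set for repo:tag
	Digest     string // set for repo@sha256:...
}

// ParseReference splits "repo:tag" or "repo@digest"; a registry port (host:5000/repo) is not a tag.
func ParseReference(ref string) (Reference, error) {
	if at := strings.Index(ref, "@"); at >= 0 {
		if !digestRe.MatchString(ref[at+1:]) {
			return Reference{}, fmt.Errorf("malformed digest in %q", ref)
		}
		return Reference{Repository: ref[:at], Digest: ref[at+1:]}, nil
	}
	colon := strings.LastIndex(ref, ":")
	if colon <= strings.LastIndex(ref, "/") {
		return Reference{}, fmt.Errorf("%q carries neither tag nor digest", ref)
	}
	return Reference{Repository: ref[:colon], Tag: ref[colon+1:]}, nil
}
// Resolve returns the digest that gets signed or verified: a tag is translated through the
// registry's current tag->digest mapping (a constructed stand-in here); a digest is used as-is.
func Resolve(ref Reference, tags map[string]string) (string, error) {
	if ref.Digest != "" {
		return ref.Digest, nil
	}
	if d, ok := tags[ref.Repository+":"+ref.Tag]; ok {
		return d, nil
	}
	return "", fmt.Errorf("tag %q not found for %s", ref.Tag, ref.Repository)
}
func main() {
	// Constructed registry state; tags are mutable, so the digest is what the tool should report.
	tags := map[string]string{"registry.wabbit-networks.io/software/net-monitor:v1": "sha256:" + strings.Repeat("ab", 32)}
	ref, _ := ParseReference("registry.wabbit-networks.io/software/net-monitor:v1")
	d, _ := Resolve(ref, tags)
	fmt.Println("verifying digest", d)
}
```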