feat: use new verify workflow#373
Conversation
cmd/notation/verify.go
Outdated
| reference string | ||
| SecureFlagOpts | ||
| reference string | ||
| config string |
There was a problem hiding this comment.
| config string | |
| pluginConfig []string |
There was a problem hiding this comment.
The reason for using string instead of slice is to be consistent with sign and key commands, https://github.com/notaryproject/notation/blob/main/cmd/notation/sign.go#L27 so that I can utilize https://github.com/notaryproject/notation/blob/main/internal/cmd/flags.go#L91 to parse the configs.
cmd/notation/verify.go
Outdated
| command.Flags().StringSliceVar(&opts.certFiles, cmd.PflagCertFile.Name, []string{}, "certificate files for verification") | ||
| command.Flags().BoolVar(&opts.pull, "pull", true, "pull remote signatures before verification") | ||
| opts.ApplyFlags(command.Flags()) | ||
| command.Flags().StringVarP(&opts.config, "config", "c", "", "list of comma-separated {key}={value} pairs that are passed as is to the plugin") |
internal/ioutil/print.go
Outdated
| tw := newTabWriter(w) | ||
|
|
||
| if resultErr == nil { | ||
| fmt.Fprintf(tw, "%s\n", digest) |
There was a problem hiding this comment.
| fmt.Fprintf(tw, "%s\n", digest) | |
| fmt.Fprintf(tw, "Signature verification succeeded for %s\n", digest) |
There was a problem hiding this comment.
Depending upon the enforcement level in the trust policy configuration, the signature verification might succeed but some validations might have failed(where the enforcement level is logged). In such cases, we want to display the failed validations as warnings.
The signature that passed signature verification would be last signature in SignatureVerificationOutcome array.
There was a problem hiding this comment.
right, I was thinking to print out the digest for failed signatures with the error for user experience. But seems the returned outcome doesn't contain it. Please correct me if I miss something.
internal/ioutil/print.go
Outdated
| func printOutcomes(tw *tabwriter.Writer, outcomes []*verification.SignatureVerificationOutcome) { | ||
| if len(outcomes) == 1 { | ||
| fmt.Println("1 signature failed verification, error is listed as below:") | ||
| } else { | ||
| fmt.Printf("%d signatures failed verification, errors are listed as below:\n", len(outcomes)) | ||
| } | ||
|
|
||
| for _, outcome := range outcomes { | ||
| // TODO: print out the signature digest once the outcome contains it. | ||
| fmt.Printf("%s\n\n", outcome.Error.Error()) | ||
| } |
There was a problem hiding this comment.
IMO this error message is not really helpful and should only be printed in debug level.
In non-debug mode, we should display some generic message like:
Signature verification failed for all the xx signatures associated with ${reference}.
In debug mode
Signature verification failed for all the xx signatures associated with ${reference}. ` The failure reasons for each signature are as follows:
1. ${signature-reference}: ${error message}
2. ${signature-reference}: ${error message}
There was a problem hiding this comment.
@yizha1 Could you help check if you need to update the spec?
There was a problem hiding this comment.
I can update verify CLI spec for this accordingly
Signed-off-by: Binbin Li <libinbin@microsoft.com>
Signed-off-by: Binbin Li <libinbin@microsoft.com>
Codecov Report
@@ Coverage Diff @@
## main #373 +/- ##
==========================================
+ Coverage 32.03% 32.28% +0.24%
==========================================
Files 26 26
Lines 1670 1623 -47
==========================================
- Hits 535 524 -11
+ Misses 1122 1086 -36
Partials 13 13
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Signed-off-by: Binbin Li <libinbin@microsoft.com>
internal/ioutil/print.go
Outdated
| func printOutcomes(tw *tabwriter.Writer, outcomes []*verification.SignatureVerificationOutcome) { | ||
| if len(outcomes) == 1 { | ||
| fmt.Println("1 signature failed verification, error is listed as below:") | ||
| } else { | ||
| fmt.Printf("%d signatures failed verification, errors are listed as below:\n", len(outcomes)) | ||
| } | ||
|
|
||
| for _, outcome := range outcomes { | ||
| // TODO: print out the signature digest once the outcome contains it. | ||
| fmt.Printf("%s\n\n", outcome.Error.Error()) | ||
| } |
Signed-off-by: Binbin Li <libinbin@microsoft.com>
| Short: "Verify OCI artifacts", | ||
| Long: `Verify OCI artifacts | ||
|
|
||
| Prerequisite: a trusted certificate needs to be generated or added using the command "notation cert". |
There was a problem hiding this comment.
Do we need to delete it?
There was a problem hiding this comment.
I'll keep the Prerequisite comment.
cmd/notation/verify.go
Outdated
| Use: "verify [flags] <reference>", | ||
| Short: "Verifies OCI Artifacts", | ||
| Long: `Verifies OCI Artifacts: | ||
| notation verify [--config <key>=<value>,...] [--username <username>] [--password <password>] <reference>`, |
There was a problem hiding this comment.
| notation verify [--config <key>=<value>,...] [--username <username>] [--password <password>] <reference>`, | |
| notation verify [--pluginConfig <key>=<value>,...] [--username <username>] [--password <password>] <reference>`, |
cmd/notation/verify.go
Outdated
| command.Flags().StringSliceVar(&opts.certFiles, cmd.PflagCertFile.Name, []string{}, "certificate files for verification") | ||
| command.Flags().BoolVar(&opts.pull, "pull", true, "pull remote signatures before verification") | ||
| opts.ApplyFlags(command.Flags()) | ||
| command.Flags().StringVarP(&opts.pluginConfig, "config", "c", "", "list of comma-separated {key}={value} pairs that are passed as is to the plugin") |
There was a problem hiding this comment.
| command.Flags().StringVarP(&opts.pluginConfig, "config", "c", "", "list of comma-separated {key}={value} pairs that are passed as is to the plugin") | |
| command.Flags().StringVarP(&opts.pluginConfig, "pluginConfig", "pc", "", "list of comma-separated {key}={value} pairs that are passed as is to the plugin") |
There was a problem hiding this comment.
Actually Cobra doesn't support shorthand with more than one character.
|
|
||
| func printOutcomes(tw *tabwriter.Writer, outcomes []*verification.SignatureVerificationOutcome, digest string) { | ||
| fmt.Printf("Signature verification failed for all the %d signatures associated with digest: %s\n", len(outcomes), digest) | ||
|
|
There was a problem hiding this comment.
I understand that we are working on a spec to describe the CLI inputs and outputs, but we should print the error messages associated with the individual outcomes in the short-term to make this command more useful. Can you print the outcomes like below in the interim?
Signature verification failed for all the 3 signatures associated with digest: asdf....asdfasdf
Signature #1 : <Error>
Signature #2 : <Error>
Signature #3 : <Error>
There was a problem hiding this comment.
Good call, I'll add error messages.
| outcomes, err := verifier.Verify(ctx, ref.String()) | ||
|
|
||
| // write out. | ||
| return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref.Reference) |
There was a problem hiding this comment.
We should return the error from verifier.Verify() here so that CLI can throw a non-zero error code when signature verification fails.
Signed-off-by: Binbin Li <libinbin@microsoft.com>
cmd/notation/verify_test.go
Outdated
| "--plain-http", | ||
| "--pull=false", | ||
| "--media-type=mediaT"}); err != nil { | ||
| "--pluginConfig", expected.pluginConfig}); err != nil { |
There was a problem hiding this comment.
| "--pluginConfig", expected.pluginConfig}); err != nil { | |
| "--plugin-config", expected.pluginConfig}); err != nil { |
Can we use kebab-case everywhere for command input?
internal/ioutil/print.go
Outdated
|
|
||
| if resultErr == nil { | ||
| fmt.Fprintf(tw, "Signature verification succeeded for %s\n", digest) | ||
| // TODO: print out failed validations as warnings. |
There was a problem hiding this comment.
Can you please also add issue with TODO: #304
Would allow easier tracking.
Signed-off-by: Binbin Li <libinbin@microsoft.com>
Signed-off-by: Binbin Li <libinbin@microsoft.com>
Signed-off-by: Binbin Li <libinbin@microsoft.com>
8 participants
What?
Use the new verification workflow for the
verifycommand. Therefore, we have to make some updates to support it.signatures,certs,certFiles,pull,localandmediaType.configflag so that users can set up verification plugin configs.Signed-off-by: Binbin Li libinbin@microsoft.com