From b910a8a1114648a207b5676aa8d3e6e0d57b261c Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 12 Oct 2022 11:02:39 +0800 Subject: [PATCH 01/15] updated dependency Signed-off-by: Patrick Zheng --- go.mod | 4 ++-- go.sum | 11 +++++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index bab4cc5c6..a55dac5f2 100644 --- a/go.mod +++ b/go.mod @@ -5,8 +5,8 @@ go 1.19 require ( github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f github.com/docker/docker-credential-helpers v0.7.0 - github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921054535-009c09a9628e - github.com/notaryproject/notation-go v0.10.0-alpha.3.0.20220927020950-2bcfd343f974 + github.com/notaryproject/notation-core-go v0.1.0-alpha.4 + github.com/notaryproject/notation-go v0.11.0-alpha.4 github.com/opencontainers/go-digest v1.0.0 github.com/spf13/cobra v1.5.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 7c8e219c0..47134c266 100644 --- a/go.sum +++ b/go.sum 
@@ -3,14 +3,15 @@ github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f h1:3N github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f/go.mod h1:28YO/VJk9/64+sTGNuYaBjWxrXTPrj0C0XmgTIOjxX4= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921054535-009c09a9628e h1:n3wJRhIVbEGg497rtKV3IMaZJv2hFKYHCOtNIOAyLYw= -github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921054535-009c09a9628e/go.mod h1:mM4M9wPdu0CGgh8f3wOcu0XMiXwEKWQurjBG4nmqQ4g= -github.com/notaryproject/notation-go v0.10.0-alpha.3.0.20220927020950-2bcfd343f974 h1:aJ5p4zydKHoyXVK62H50fmj5czcxXpSG5a24EgoZH5E= -github.com/notaryproject/notation-go v0.10.0-alpha.3.0.20220927020950-2bcfd343f974/go.mod h1:TeQIoxMetPFqJSDzcHnGZ6x9kKzglfSmgxYrWt9/viA= +github.com/notaryproject/notation-core-go v0.1.0-alpha.4 h1:0OhA2PjwT0TAouHOrU4K+8H9YM6E/e4/ocoq+JiHeOw= +github.com/notaryproject/notation-core-go v0.1.0-alpha.4/go.mod h1:s8DZptmN1rZS0tBLTPt/w+d4o6eAcGWTYYJlXaJhQ4U= +github.com/notaryproject/notation-go v0.11.0-alpha.4 h1:PNptLtrhW0jyw10hUWU+KNzvzeuBBZmg+/1IUaGYE10= +github.com/notaryproject/notation-go v0.11.0-alpha.4/go.mod h1:4xYTcW4wfsXkXw3piUA53uSW82RwdXyipSEtiiRVrCw= github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 
h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU= github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -24,6 +25,8 @@ github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83 h1:g8vDfnNOPcGzg6mnlBGc0J5t5lAJkaepXqbc9qFRnFs= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64 h1:UiNENfZ8gDvpiWw7IpOMQ27spWmThO1RwwdQVbJahJM= From 5841b856bd27e1af2feee8997877556e7428bbef Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 26 Oct 2022 12:20:24 +0800 Subject: [PATCH 02/15] updated notation sign command based on spec Signed-off-by: Patrick Zheng --- cmd/notation/main.go | 2 +- cmd/notation/manifest.go | 75 +++++++++++++++++++-------------------- cmd/notation/sign.go | 15 ++++---- cmd/notation/sign_test.go | 43 ++++++---------------- internal/cmd/flags.go | 2 +- specs/commandline/sign.md | 7 ++-- 6 files changed, 57 insertions(+), 87 deletions(-) diff --git a/cmd/notation/main.go b/cmd/notation/main.go index 2a95e25f3..ac121613c 100644 --- a/cmd/notation/main.go +++ b/cmd/notation/main.go 
@@ -23,7 +23,7 @@ func main() { pluginCommand(), loginCommand(nil), logoutCommand(nil)) - cmd.PersistentFlags().Bool(flagPlainHTTP.Name, false, flagPlainHTTP.Usage) + if err := cmd.Execute(); err != nil { log.Fatal(err) } diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index f701b2b8d..87f28acde 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
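Review bot: Dropping the persistent `--plain-http` registration in `main` leaves the flag available only on subcommands that register it themselves, presumably through `SecureFlagOpts.ApplyFlags`. Any registry-facing command that does not do so will start rejecting `--plain-http` as an unknown flag, so this is worth confirming for `login`, `logout` and the other commands whose definitions are outside this hunk. Scoping the cleartext opt-in per command is the safer shape, so the concern is only coverage. The deleted line appears to have been replaced by an empty `+` line; drop it so `if err := cmd.Execute(); err != nil {` follows the command list directly. `main` starts before the hunk.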
@@ -3,33 +3,30 @@ package main import ( "context" "errors" - "io" - "math" - "os" "github.com/notaryproject/notation-go" - "github.com/opencontainers/go-digest" "oras.land/oras-go/v2/registry" ) -func getManifestDescriptorFromContext(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { +func getManifestDescriptorFromContext(ctx context.Context, opts *SecureFlagOpts, ref string) (notation.Descriptor, error) { if ref == "" { return notation.Descriptor{}, errors.New("missing reference") } - return getManifestDescriptorFromContextWithReference(ctx, opts, ref) + // return getManifestDescriptorFromContextWithReference(ctx, opts, ref) + return getManifestDescriptorFromReference(ctx, opts, ref) } -func getManifestDescriptorFromContextWithReference(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { - if opts.Local { - mediaType := opts.MediaType - if ref == "-" { - return getManifestDescriptorFromReader(os.Stdin, mediaType) - } - return getManifestDescriptorFromFile(ref, mediaType) - } +// func getManifestDescriptorFromContextWithReference(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { +// if opts.Local { +// mediaType := opts.MediaType +// if ref == "-" { +// return getManifestDescriptorFromReader(os.Stdin, mediaType) +// } +// return getManifestDescriptorFromFile(ref, mediaType) +// } - return getManifestDescriptorFromReference(ctx, &opts.SecureFlagOpts, ref) -} +// return getManifestDescriptorFromReference(ctx, &opts.SecureFlagOpts, ref) +// } func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpts, reference string) (notation.Descriptor, error) { ref, err := registry.ParseReference(reference) 
@@ -43,27 +40,27 @@ func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpt return repo.Resolve(ctx, ref.ReferenceOrDefault()) } -func getManifestDescriptorFromFile(path, mediaType string) (notation.Descriptor, error) { - file, err := os.Open(path) - if err != nil { - return notation.Descriptor{}, err - } - defer file.Close() - return getManifestDescriptorFromReader(file, mediaType) -} +// func getManifestDescriptorFromFile(path, mediaType string) (notation.Descriptor, error) { +// file, err := os.Open(path) +// if err != nil { +// return notation.Descriptor{}, err +// } +// defer file.Close() +// return getManifestDescriptorFromReader(file, mediaType) +// } -func getManifestDescriptorFromReader(r io.Reader, mediaType string) (notation.Descriptor, error) { - lr := &io.LimitedReader{ - R: r, - N: math.MaxInt64, - } - digest, err := digest.SHA256.FromReader(lr) - if err != nil { - return notation.Descriptor{}, err - } - return notation.Descriptor{ - MediaType: mediaType, - Digest: digest, - Size: math.MaxInt64 - lr.N, - }, nil -} +// func getManifestDescriptorFromReader(r io.Reader, mediaType string) (notation.Descriptor, error) { +// lr := &io.LimitedReader{ +// R: r, +// N: math.MaxInt64, +// } +// digest, err := digest.SHA256.FromReader(lr) +// if err != nil { +// return notation.Descriptor{}, err +// } +// return notation.Descriptor{ +// MediaType: mediaType, +// Digest: digest, +// Size: math.MaxInt64 - lr.N, +// }, nil +// } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index e955d7d3f..dc3473532 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -15,7 +15,7 @@ import ( type signOpts struct { cmd.SignerFlagOpts - RemoteFlagOpts + SecureFlagOpts timestamp string expiry time.Duration originReference string 
@@ -28,9 +28,9 @@ func signCommand(opts *signOpts) *cobra.Command { opts = &signOpts{} } command := &cobra.Command{ - Use: "sign [reference]", - Short: "Sign OCI artifacts", - Long: `Sign OCI artifacts + Use: "sign [flags] ", + Short: "Sign artifacts", + Long: `Sign artifacts Prerequisite: a signing key needs to be configured using the command "notation key". @@ -61,11 +61,8 @@ Example - Sign a container image using the image digest }, } opts.SignerFlagOpts.ApplyFlags(command.Flags()) - opts.RemoteFlagOpts.ApplyFlags(command.Flags()) - - cmd.SetPflagTimestamp(command.Flags(), &opts.timestamp) + opts.SecureFlagOpts.ApplyFlags(command.Flags()) cmd.SetPflagExpiry(command.Flags(), &opts.expiry) - cmd.SetPflagReference(command.Flags(), &opts.originReference) cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig) return command @@ -103,7 +100,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.Descriptor, notation.SignOptions, error) { - manifestDesc, err := getManifestDescriptorFromContext(ctx, &opts.RemoteFlagOpts, opts.reference) + manifestDesc, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference) if err != nil { return notation.Descriptor{}, notation.SignOptions{}, err } diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index afe5ba345..bc6bef201 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -14,14 +14,9 @@ func TestSignCommand_BasicArgs(t *testing.T) { command := signCommand(opts) expected := &signOpts{ reference: "ref", - RemoteFlagOpts: RemoteFlagOpts{ - SecureFlagOpts: SecureFlagOpts{ - Username: "user", - Password: "password", - }, - CommonFlagOpts: CommonFlagOpts{ - MediaType: defaultMediaType, - }, + SecureFlagOpts: SecureFlagOpts{ + Username: "user", + Password: "password", }, SignerFlagOpts: cmd.SignerFlagOpts{ Key: "key", 
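Review bot: The hunk at `@@ -61,11 +61,8 @@` removes the `cmd.SetPflagTimestamp` and `cmd.SetPflagReference` registrations, but `signOpts` (context lines of the struct hunk in this same file) still declares `timestamp` and `originReference`. Both fields are therefore always empty, and any branch in `runSign` or `prepareSigningContent` that reads them is dead. For `timestamp` that presumably means a timestamping path can no longer be reached from the CLI, with no error or notice to the user; those function bodies are outside the hunk, so this is inferred. Remove the two fields and the code that consumes them in the same commit, or keep the flags until the replacement lands.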
@@ -52,16 +47,10 @@ func TestSignCommand_MoreArgs(t *testing.T) { command := signCommand(opts) expected := &signOpts{ reference: "ref", - RemoteFlagOpts: RemoteFlagOpts{ - SecureFlagOpts: SecureFlagOpts{ - Username: "user", - Password: "password", - PlainHTTP: true, - }, - CommonFlagOpts: CommonFlagOpts{ - MediaType: "mediaT", - Local: true, - }, + SecureFlagOpts: SecureFlagOpts{ + Username: "user", + Password: "password", + PlainHTTP: true, }, SignerFlagOpts: cmd.SignerFlagOpts{ Key: "key", @@ -79,8 +68,6 @@ func TestSignCommand_MoreArgs(t *testing.T) { "--key-file", expected.KeyFile, "--cert-file", expected.CertFile, "--plain-http", - "--media-type", expected.MediaType, - "-l", "--envelope-type", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String()}); err != nil { t.Fatalf("Parse Flag failed: %v", err) @@ -98,33 +85,23 @@ func TestSignCommand_CorrectConfig(t *testing.T) { command := signCommand(opts) expected := &signOpts{ reference: "ref", - RemoteFlagOpts: RemoteFlagOpts{ - CommonFlagOpts: CommonFlagOpts{ - MediaType: "mediaT", - Local: true, - }, - }, SignerFlagOpts: cmd.SignerFlagOpts{ Key: "key", KeyFile: "keyfile", CertFile: "certfile", EnvelopeType: envelope.JWS, }, - expiry: 365 * 24 * time.Hour, - pluginConfig: "key0=val0,key1=val1,key2=val2", - originReference: "originref", + expiry: 365 * 24 * time.Hour, + pluginConfig: "key0=val0,key1=val1,key2=val2", } if err := command.ParseFlags([]string{ expected.reference, "--key", expected.Key, "--key-file", expected.KeyFile, "--cert-file", expected.CertFile, - "--media-type", expected.MediaType, - "-r", expected.originReference, - "--local", "--envelope-type", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String(), - "--pluginConfig", expected.pluginConfig}); err != nil { + "--plugin-config", expected.pluginConfig}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { 
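Review bot: The test hunks only delete the expectations for `--media-type`, `--local`/`-l` and `-r`; nothing asserts that `sign` now rejects those flags. A short negative case would pin the narrowed surface, for example `if err := command.ParseFlags([]string{"ref", "--local"}); err == nil { t.Fatal("expected --local to be rejected") }`. In `TestSignCommand_CorrectConfig` the renamed `--plugin-config` is exercised only in its long form, so the `-c` shorthand declared in internal/cmd/flags.go stays untested.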
diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index a8f632f58..94db08571 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -73,7 +73,7 @@ var ( } PflagPluginConfig = &pflag.Flag{ - Name: "pluginConfig", + Name: "plugin-config", Shorthand: "c", Usage: "list of comma-separated {key}={value} pairs that are passed as is to the plugin, refer plugin documentation to set appropriate values", } diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 02280ad03..e45a8bbf3 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -12,20 +12,19 @@ Signs an OCI artifact that is stored in a registry. Upon successful signing, the Sign artifacts Usage: - notation sign [flags] + notation sign [flags] Flags: --cert-file string Location of file containing a complete certificate chain for the signing key. Use this flag with '--key-file'. + --envelope-type string signature envelope format, options: 'jws', 'cose' (default "jws") -e, --expiry duration Optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m -h, --help Help for sign -k, --key string Signing key name, for a key previously added to notation's key list. --key-file string Location of file containing signing key file. Use this flag with '--cert-file'. -p, --password string Password or identity token for registry operations (default to $NOTATION_PASSWORD if not specified) + --plain-http Registry access via plain HTTP --plugin-config strings List of {key}={value} pairs that are passed as is to a plugin, if the key (--key) is associated with a signing plugin, refer plugin documentation to set appropriate values -u, --username string Username for registry operations (default to $NOTATION_USERNAME if not specified) - -Global Flags: - --plain-http Registry access via plain HTTP ``` ## Usage From 5495058c5227a3f40253dfaa86e256df916bd701 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Wed, 26 Oct 2022 12:36:24 +0800 Subject: [PATCH 03/15] updated dependencies Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- go.mod | 4 ++-- go.sum | 4 ++++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index dc3473532..ebe038a53 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -6,8 +6,8 @@ import ( "fmt" "time" + "github.com/notaryproject/notation-core-go/timestamp" "github.com/notaryproject/notation-go" - "github.com/notaryproject/notation-go/crypto/timestamp" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" "github.com/spf13/cobra" diff --git a/go.mod b/go.mod index 31b9e416a..9cb9aa152 100644 --- a/go.mod +++ b/go.mod @@ -5,8 +5,8 @@ go 1.19 require ( github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f github.com/docker/docker-credential-helpers v0.7.0 - github.com/notaryproject/notation-core-go v0.1.0-alpha.4 - github.com/notaryproject/notation-go v0.11.0-alpha.4 + github.com/notaryproject/notation-core-go v0.1.0-alpha.4.0.20221017041709-56bd40a80d26 + github.com/notaryproject/notation-go v0.11.0-alpha.4.0.20221025011337-7ad4eca1a568 github.com/opencontainers/go-digest v1.0.0 github.com/spf13/cobra v1.6.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index a14fad87d..2732ca41a 100644 --- a/go.sum +++ b/go.sum 
@@ -19,8 +19,12 @@ github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7P github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v0.1.0-alpha.4 h1:0OhA2PjwT0TAouHOrU4K+8H9YM6E/e4/ocoq+JiHeOw= github.com/notaryproject/notation-core-go v0.1.0-alpha.4/go.mod h1:s8DZptmN1rZS0tBLTPt/w+d4o6eAcGWTYYJlXaJhQ4U= +github.com/notaryproject/notation-core-go v0.1.0-alpha.4.0.20221017041709-56bd40a80d26 h1:tAM+m4MocXBXdRBr8GDWABWHw3XiO3PE9+L38aEECLc= +github.com/notaryproject/notation-core-go v0.1.0-alpha.4.0.20221017041709-56bd40a80d26/go.mod h1:s8DZptmN1rZS0tBLTPt/w+d4o6eAcGWTYYJlXaJhQ4U= github.com/notaryproject/notation-go v0.11.0-alpha.4 h1:PNptLtrhW0jyw10hUWU+KNzvzeuBBZmg+/1IUaGYE10= github.com/notaryproject/notation-go v0.11.0-alpha.4/go.mod h1:4xYTcW4wfsXkXw3piUA53uSW82RwdXyipSEtiiRVrCw= +github.com/notaryproject/notation-go v0.11.0-alpha.4.0.20221025011337-7ad4eca1a568 h1:omjj1Ssrf85KFLyFP4pC50G9xqb7jUhy6RvBjJZ0tgY= +github.com/notaryproject/notation-go v0.11.0-alpha.4.0.20221025011337-7ad4eca1a568/go.mod h1:pTGrgvkitZClSoQY31P4LgBExtRRXg1AD/9tkFmxaS0= github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU= github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= From 72dfb82bafff1c86550a8ff681e1c9e840d55ad4 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 26 Oct 2022 14:13:07 +0800 Subject: [PATCH 04/15] fixed flags Signed-off-by: Patrick Zheng --- cmd/notation/common.go | 6 +++--- internal/cmd/flags.go | 2 +- specs/commandline/sign.md | 18 +++++++++--------- 3 files changed, 13 insertions(+), 13 deletions(-) 
diff --git a/cmd/notation/common.go b/cmd/notation/common.go index 92265bc92..46f0871d1 100644 --- a/cmd/notation/common.go +++ b/cmd/notation/common.go @@ -16,7 +16,7 @@ var ( flagUsername = &pflag.Flag{ Name: "username", Shorthand: "u", - Usage: "username for registry operations (if not specified, defaults to $NOTATION_USERNAME)", + Usage: "username for registry operations (default to $NOTATION_USERNAME if not specified)", } setflagUsername = func(fs *pflag.FlagSet, p *string) { fs.StringVarP(p, flagUsername.Name, flagUsername.Shorthand, "", flagUsername.Usage) @@ -25,7 +25,7 @@ var ( flagPassword = &pflag.Flag{ Name: "password", Shorthand: "p", - Usage: "password for registry operations (if not specified, defaults to $NOTATION_PASSWORD)", + Usage: "password for registry operations (default to $NOTATION_PASSWORD if not specified)", } setFlagPassword = func(fs *pflag.FlagSet, p *string) { fs.StringVarP(p, flagPassword.Name, flagPassword.Shorthand, "", flagPassword.Usage) @@ -33,7 +33,7 @@ var ( flagPlainHTTP = &pflag.Flag{ Name: "plain-http", - Usage: "Registry access via plain HTTP", + Usage: "registry access via plain HTTP", DefValue: "false", } setFlagPlainHTTP = func(fs *pflag.FlagSet, p *bool) { diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 94db08571..9d82bc9cd 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -75,7 +75,7 @@ var ( PflagPluginConfig = &pflag.Flag{ Name: "plugin-config", Shorthand: "c", - Usage: "list of comma-separated {key}={value} pairs that are passed as is to the plugin, refer plugin documentation to set appropriate values", + Usage: "{key}={value} pairs that are passed as is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values", } SetPflagPluginConfig = func(fs *pflag.FlagSet, p *string) { fs.StringVarP(p, PflagPluginConfig.Name, PflagPluginConfig.Shorthand, "", PflagPluginConfig.Usage) 
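Review bot: The `flagPassword` usage string reworded in the second hunk still presents `-p` as the normal way to supply the secret, and a password given on the command line is visible in process listings and shell history. Since the text already mentions `$NOTATION_PASSWORD`, it could say that this is the preferred route: `Usage: "password for registry operations (default to $NOTATION_PASSWORD if not specified); prefer the environment variable to keep the secret off the command line",`. In the third hunk `flagPlainHTTP` could state the consequence as well: `Usage: "registry access via plain HTTP (credentials and content are sent unencrypted)",`. The `var (` block starts and ends outside these hunks.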
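Review bot: The new `PflagPluginConfig` usage text says "if the verification is associated with a verification plugin", but this is the flag `signCommand` registers through `cmd.SetPflagPluginConfig`, so `notation sign --help` will describe verification; the same sentence is copied into specs/commandline/sign.md in this commit. It also drops "comma-separated", although the value is still a single string (`fs.StringVarP`) and the test passes `key0=val0,key1=val1,key2=val2`. Suggested text: `Usage: "comma-separated {key}={value} pairs that are passed as is to the plugin, refer plugin documentation to set appropriate values",`. The spec lists the flag as `--plugin-config strings` with no shorthand while the code registers a string flag with `-c`; one of the two should change.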
diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md
index e45a8bbf3..08bb5f323 100644
--- a/specs/commandline/sign.md
+++ b/specs/commandline/sign.md
@@ -15,16 +15,16 @@ Usage: notation sign [flags] Flags: - --cert-file string Location of file containing a complete certificate chain for the signing key. Use this flag with '--key-file'. + --cert-file string location of file containing a complete certificate chain for the signing key. Use this flag with '--key-file'. --envelope-type string signature envelope format, options: 'jws', 'cose' (default "jws") - -e, --expiry duration Optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m - -h, --help Help for sign - -k, --key string Signing key name, for a key previously added to notation's key list. - --key-file string Location of file containing signing key file. Use this flag with '--cert-file'. - -p, --password string Password or identity token for registry operations (default to $NOTATION_PASSWORD if not specified) - --plain-http Registry access via plain HTTP - --plugin-config strings List of {key}={value} pairs that are passed as is to a plugin, if the key (--key) is associated with a signing plugin, refer plugin documentation to set appropriate values - -u, --username string Username for registry operations (default to $NOTATION_USERNAME if not specified) + -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m + -h, --help help for sign + -k, --key string signing key name, for a key previously added to notation's key list. + --key-file string location of file containing signing key file. Use this flag with '--cert-file'. 
+ -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) + --plain-http registry access via plain HTTP + --plugin-config strings {key}={value} pairs that are passed as is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values + -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) ``` ## Usage From a57f51c43ff216e5cf9f3e234620e981e0037616 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 26 Oct 2022 16:07:52 +0800 Subject: [PATCH 05/15] quick update Signed-off-by: Patrick Zheng --- cmd/notation/manifest.go | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index 87f28acde..28a8b91b5 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go @@ -12,22 +12,10 @@ func getManifestDescriptorFromContext(ctx context.Context, opts *SecureFlagOpts, if ref == "" { return notation.Descriptor{}, errors.New("missing reference") } - // return getManifestDescriptorFromContextWithReference(ctx, opts, ref) + return getManifestDescriptorFromReference(ctx, opts, ref) } -// func getManifestDescriptorFromContextWithReference(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { -// if opts.Local { -// mediaType := opts.MediaType -// if ref == "-" { -// return getManifestDescriptorFromReader(os.Stdin, mediaType) -// } -// return getManifestDescriptorFromFile(ref, mediaType) -// } - -// return getManifestDescriptorFromReference(ctx, &opts.SecureFlagOpts, ref) -// } - func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpts, reference string) (notation.Descriptor, error) { ref, err := registry.ParseReference(reference) if err != nil { 
@@ -40,6 +28,26 @@ func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpt return repo.Resolve(ctx, ref.ReferenceOrDefault()) } +// func getManifestDescriptorFromContext(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { +// if ref == "" { +// return notation.Descriptor{}, errors.New("missing reference") +// } + +// return getManifestDescriptorFromContextWithReference(ctx, opts, ref) +// } + +// func getManifestDescriptorFromContextWithReference(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { +// if opts.Local { +// mediaType := opts.MediaType +// if ref == "-" { +// return getManifestDescriptorFromReader(os.Stdin, mediaType) +// } +// return getManifestDescriptorFromFile(ref, mediaType) +// } + +// return getManifestDescriptorFromReference(ctx, &opts.SecureFlagOpts, ref) +// } + // func getManifestDescriptorFromFile(path, mediaType string) (notation.Descriptor, error) { // file, err := os.Open(path) // if err != nil { From c01dbd32115a8b5553586dab452cd02a5d737526 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 27 Oct 2022 10:27:19 +0800 Subject: [PATCH 06/15] updated flag descriptions Signed-off-by: Patrick Zheng --- internal/cmd/flags.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 9d82bc9cd..715d0dbe2 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -15,7 +15,7 @@ var ( PflagKey = &pflag.Flag{ Name: "key", Shorthand: "k", - Usage: "signing key name", + Usage: "signing key name, for a key previously added to notation's key list.", } SetPflagKey = func(fs *pflag.FlagSet, p *string) { fs.StringVarP(p, PflagKey.Name, PflagKey.Shorthand, "", PflagKey.Usage) 
@@ -23,7 +23,7 @@ var ( PflagKeyFile = &pflag.Flag{ Name: "key-file", - Usage: "signing key file", + Usage: "location of file containing signing key file. Use this flag with '--cert-file'.", } SetPflagKeyFile = func(fs *pflag.FlagSet, p *string) { fs.StringVar(p, PflagKeyFile.Name, "", PflagKeyFile.Usage) @@ -31,7 +31,7 @@ var ( PflagCertFile = &pflag.Flag{ Name: "cert-file", - Usage: "signing certificate file", + Usage: "location of file containing a complete certificate chain for the signing key. Use this flag with '--key-file'.", } SetPflagCertFile = func(fs *pflag.FlagSet, p *string) { fs.StringVar(p, PflagCertFile.Name, "", PflagCertFile.Usage) @@ -57,7 +57,7 @@ var ( PflagExpiry = &pflag.Flag{ Name: "expiry", Shorthand: "e", - Usage: "expire duration", + Usage: "optional expiry that provides a \"best by use\" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m", } SetPflagExpiry = func(fs *pflag.FlagSet, p *time.Duration) { fs.DurationVarP(p, PflagExpiry.Name, PflagExpiry.Shorthand, time.Duration(0), PflagExpiry.Usage) From 4dbe1aa9dba0eaa5a52f6005c55389a6a8b2b8c7 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 27 Oct 2022 21:17:15 +0800 Subject: [PATCH 07/15] renamed envelope-type to envelope-format Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- cmd/notation/sign_test.go | 4 ++-- docs/hello-signing.md | 2 +- internal/cmd/flags.go | 2 +- specs/commandline/sign.md | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index ebe038a53..1ab0e048f 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
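Review bot: The new `PflagExpiry` usage text advertises day units (`30d`, `1d3h20m`), but the flag is registered with `fs.DurationVarP`, which parses through `time.ParseDuration` and accepts no unit larger than `h`, so `--expiry 30d` will fail with a parse error. Either back the flag with a custom `pflag.Value` that understands `d`, or keep the help honest: `Usage: "optional expiry that provides a \"best by use\" time for the artifact. The duration is specified in minutes(m) or hours(h). For example: 12h, 30m, 3h20m",`. The tests pass `expected.expiry.String()`, which renders hours, so they do not catch this. The same wording appears in specs/commandline/sign.md and needs the matching fix.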
@@ -38,7 +38,7 @@ Example - Sign a container image using the default signing key, with the default notation sign /: Example - Sign a container image using the default signing key, with the COSE envelope: - notation sign --envelope-type cose /: + notation sign --envelope-format cose /: Example - Sign a container image using the specified key name notation sign --key /: diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index bc6bef201..53f58602a 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -68,7 +68,7 @@ func TestSignCommand_MoreArgs(t *testing.T) { "--key-file", expected.KeyFile, "--cert-file", expected.CertFile, "--plain-http", - "--envelope-type", expected.SignerFlagOpts.EnvelopeType, + "--envelope-format", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String()}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } @@ -99,7 +99,7 @@ func TestSignCommand_CorrectConfig(t *testing.T) { "--key", expected.Key, "--key-file", expected.KeyFile, "--cert-file", expected.CertFile, - "--envelope-type", expected.SignerFlagOpts.EnvelopeType, + "--envelope-format", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String(), "--plugin-config", expected.pluginConfig}); err != nil { t.Fatalf("Parse Flag failed: %v", err) diff --git a/docs/hello-signing.md b/docs/hello-signing.md index a19c6d3d7..7b934f2ff 100644 --- a/docs/hello-signing.md +++ b/docs/hello-signing.md @@ -98,7 +98,7 @@ To get things started quickly, the Notation cli supports self-generated signing To sign with COSE envelope ```bash - notation sign --envelope-type cose $IMAGE + notation sign --envelope-format cose $IMAGE ``` - List the image, and any associated signatures diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 715d0dbe2..d64441fe7 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go 
@@ -38,7 +38,7 @@ var ( } PflagEnvelopeType = &pflag.Flag{ - Name: "envelope-type", + Name: "envelope-format", Usage: "signature envelope format, options: 'jws', 'cose'", } SetPflagSignatureFormat = func(fs *pflag.FlagSet, p *string) { diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 08bb5f323..9532ccc34 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -16,7 +16,7 @@ Usage: Flags: --cert-file string location of file containing a complete certificate chain for the signing key. Use this flag with '--key-file'. - --envelope-type string signature envelope format, options: 'jws', 'cose' (default "jws") + --envelope-format string signature envelope format, options: 'jws', 'cose' (default "jws") -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m -h, --help help for sign -k, --key string signing key name, for a key previously added to notation's key list. From a821e85a2b55efe100c10d77821d17239c54648a Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 28 Oct 2022 12:10:27 +0800 Subject: [PATCH 08/15] updated per code review Signed-off-by: Patrick Zheng --- cmd/notation/common.go | 41 ----------------------------------- cmd/notation/manifest.go | 45 --------------------------------------- cmd/notation/sign_test.go | 14 +----------- internal/cmd/options.go | 4 ---- internal/cmd/signer.go | 4 ---- specs/commandline/sign.md | 8 ------- 6 files changed, 1 insertion(+), 115 deletions(-) diff --git a/cmd/notation/common.go b/cmd/notation/common.go index 46f0871d1..674da7f84 100644 --- a/cmd/notation/common.go +++ b/cmd/notation/common.go 
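Review bot: After this rename the flag is `--envelope-format`, but the identifiers around it still use other names: the variable is `PflagEnvelopeType`, the setter is `SetPflagSignatureFormat`, and the tests read `SignerFlagOpts.EnvelopeType`. Three names for one option make the flag hard to grep for; renaming to `PflagEnvelopeFormat` and `SetPflagEnvelopeFormat` in the same commit would keep them aligned. Scripts that pass `--envelope-type` will now get an unknown-flag error, so if existing users matter, a hidden alias marked with `MarkDeprecated` would soften the change. The `var (` block continues outside the hunk.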
@@ -39,25 +39,6 @@ var ( setFlagPlainHTTP = func(fs *pflag.FlagSet, p *bool) { fs.BoolVar(p, flagPlainHTTP.Name, false, flagPlainHTTP.Usage) } - - flagMediaType = &pflag.Flag{ - Name: "media-type", - Usage: "specify the media type of the manifest read from file or stdin", - DefValue: defaultMediaType, - } - setFlagMediaType = func(fs *pflag.FlagSet, p *string) { - fs.StringVar(p, flagMediaType.Name, defaultMediaType, flagMediaType.Usage) - } - - flagLocal = &pflag.Flag{ - Name: "local", - Shorthand: "l", - Usage: "reference is a local file", - DefValue: "false", - } - setFlagLocal = func(fs *pflag.FlagSet, p *bool) { - fs.BoolVarP(p, flagLocal.Name, flagLocal.Shorthand, false, flagLocal.Usage) - } ) type SecureFlagOpts struct { @@ -74,25 +55,3 @@ func (opts *SecureFlagOpts) ApplyFlags(fs *pflag.FlagSet) { opts.Username = os.Getenv(defaultUsernameEnv) opts.Password = os.Getenv(defaultPasswordEnv) } - -type CommonFlagOpts struct { - Local bool - MediaType string -} - -// ApplyFlags set flags and their default values for the FlagSet -func (opts *CommonFlagOpts) ApplyFlags(fs *pflag.FlagSet) { - setFlagMediaType(fs, &opts.MediaType) - setFlagLocal(fs, &opts.Local) -} - -type RemoteFlagOpts struct { - SecureFlagOpts - CommonFlagOpts -} - -// ApplyFlags set flags and their default values for the FlagSet -func (opts *RemoteFlagOpts) ApplyFlags(fs *pflag.FlagSet) { - opts.SecureFlagOpts.ApplyFlags(fs) - opts.CommonFlagOpts.ApplyFlags(fs) -} diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index 28a8b91b5..b9d82baf2 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
@@ -27,48 +27,3 @@ func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpt } return repo.Resolve(ctx, ref.ReferenceOrDefault()) } - -// func getManifestDescriptorFromContext(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { -// if ref == "" { -// return notation.Descriptor{}, errors.New("missing reference") -// } - -// return getManifestDescriptorFromContextWithReference(ctx, opts, ref) -// } - -// func getManifestDescriptorFromContextWithReference(ctx context.Context, opts *RemoteFlagOpts, ref string) (notation.Descriptor, error) { -// if opts.Local { -// mediaType := opts.MediaType -// if ref == "-" { -// return getManifestDescriptorFromReader(os.Stdin, mediaType) -// } -// return getManifestDescriptorFromFile(ref, mediaType) -// } - -// return getManifestDescriptorFromReference(ctx, &opts.SecureFlagOpts, ref) -// } - -// func getManifestDescriptorFromFile(path, mediaType string) (notation.Descriptor, error) { -// file, err := os.Open(path) -// if err != nil { -// return notation.Descriptor{}, err -// } -// defer file.Close() -// return getManifestDescriptorFromReader(file, mediaType) -// } - -// func getManifestDescriptorFromReader(r io.Reader, mediaType string) (notation.Descriptor, error) { -// lr := &io.LimitedReader{ -// R: r, -// N: math.MaxInt64, -// } -// digest, err := digest.SHA256.FromReader(lr) -// if err != nil { -// return notation.Descriptor{}, err -// } -// return notation.Descriptor{ -// MediaType: mediaType, -// Digest: digest, -// Size: math.MaxInt64 - lr.N, -// }, nil -// } diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index 53f58602a..f9ac3f565 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -20,8 +20,6 @@ func TestSignCommand_BasicArgs(t *testing.T) { }, SignerFlagOpts: cmd.SignerFlagOpts{ Key: "key", - KeyFile: "keyfile", - CertFile: "certfile", EnvelopeType: envelope.JWS, }, } 
@@ -29,9 +27,7 @@ func TestSignCommand_BasicArgs(t *testing.T) { expected.reference, "-u", expected.Username, "--password", expected.Password, - "--key", expected.Key, - "--key-file", expected.KeyFile, - "--cert-file", expected.CertFile}); err != nil { + "--key", expected.Key}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -54,8 +50,6 @@ func TestSignCommand_MoreArgs(t *testing.T) { }, SignerFlagOpts: cmd.SignerFlagOpts{ Key: "key", - KeyFile: "keyfile", - CertFile: "certfile", EnvelopeType: envelope.COSE, }, expiry: 24 * time.Hour, @@ -65,8 +59,6 @@ func TestSignCommand_MoreArgs(t *testing.T) { "-u", expected.Username, "-p", expected.Password, "--key", expected.Key, - "--key-file", expected.KeyFile, - "--cert-file", expected.CertFile, "--plain-http", "--envelope-format", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String()}); err != nil { @@ -87,8 +79,6 @@ func TestSignCommand_CorrectConfig(t *testing.T) { reference: "ref", SignerFlagOpts: cmd.SignerFlagOpts{ Key: "key", - KeyFile: "keyfile", - CertFile: "certfile", EnvelopeType: envelope.JWS, }, expiry: 365 * 24 * time.Hour, @@ -97,8 +87,6 @@ func TestSignCommand_CorrectConfig(t *testing.T) { if err := command.ParseFlags([]string{ expected.reference, "--key", expected.Key, - "--key-file", expected.KeyFile, - "--cert-file", expected.CertFile, "--envelope-format", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String(), "--plugin-config", expected.pluginConfig}); err != nil { diff --git a/internal/cmd/options.go b/internal/cmd/options.go index 99defc1a8..3751c4d8f 100644 --- a/internal/cmd/options.go +++ b/internal/cmd/options.go 
@@ -7,15 +7,11 @@ import ( // SignerFlagOpts cmd opts for using cmd.GetSigner type SignerFlagOpts struct { Key string - KeyFile string - CertFile string EnvelopeType string } // ApplyFlags set flags and their default values for the FlagSet func (opts *SignerFlagOpts) ApplyFlags(fs *pflag.FlagSet) { SetPflagKey(fs, &opts.Key) - SetPflagKeyFile(fs, &opts.KeyFile) - SetPflagCertFile(fs, &opts.CertFile) SetPflagSignatureFormat(fs, &opts.EnvelopeType) } diff --git a/internal/cmd/signer.go b/internal/cmd/signer.go index 872f727ba..8c11cb130 100644 --- a/internal/cmd/signer.go +++ b/internal/cmd/signer.go @@ -21,10 +21,6 @@ func GetSigner(opts *SignerFlagOpts) (notation.Signer, error) { if err != nil { return nil, err } - if keyPath := opts.KeyFile; keyPath != "" { - certPath := opts.CertFile - return signature.NewSignerFromFiles(keyPath, certPath, mediaType) - } // Construct a signer from preconfigured key pair in config.json // if key name is provided as the CLI argument key, err := configutil.ResolveKey(opts.Key) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 9532ccc34..7642d9b31 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
@@ -15,12 +15,10 @@ Usage: notation sign [flags] Flags: - --cert-file string location of file containing a complete certificate chain for the signing key. Use this flag with '--key-file'. --envelope-format string signature envelope format, options: 'jws', 'cose' (default "jws") -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m -h, --help help for sign -k, --key string signing key name, for a key previously added to notation's key list. - --key-file string location of file containing signing key file. Use this flag with '--cert-file'. -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) --plain-http registry access via plain HTTP --plugin-config strings {key}={value} pairs that are passed as is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values @@ -84,9 +82,3 @@ notation key list # Sign a container image using the specified key name notation sign --key /: ``` - -### Sign a container image using a local key and certificate which are not added in the signing key list - -```shell -notation sign --key-file --cert-file /: -``` From fa050da4e9d1fed10c4fb5cb477895f0ddf8ebc3 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 28 Oct 2022 12:28:44 +0800 Subject: [PATCH 09/15] update per code review Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 3 --- internal/cmd/flags.go | 16 ---------------- 2 files changed, 19 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 1ab0e048f..8b7765ed8 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -43,9 +43,6 @@ Example - Sign a container image using the default signing key, with the COSE en Example - Sign a container image using the specified key name notation sign --key /: -Example - Sign a container image using a local testing key and certificate file directly - notation sign --key-file --cert-file /: - Example - Sign a container image using the image digest notation sign /@ `, diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index d64441fe7..416f48d30 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -21,22 +21,6 @@ var ( fs.StringVarP(p, PflagKey.Name, PflagKey.Shorthand, "", PflagKey.Usage) } - PflagKeyFile = &pflag.Flag{ - Name: "key-file", - Usage: "location of file containing signing key file. Use this flag with '--cert-file'.", - } - SetPflagKeyFile = func(fs *pflag.FlagSet, p *string) { - fs.StringVar(p, PflagKeyFile.Name, "", PflagKeyFile.Usage) - } - - PflagCertFile = &pflag.Flag{ - Name: "cert-file", - Usage: "location of file containing a complete certificate chain for the signing key. Use this flag with '--key-file'.", - } - SetPflagCertFile = func(fs *pflag.FlagSet, p *string) { - fs.StringVar(p, PflagCertFile.Name, "", PflagCertFile.Usage) - } - PflagEnvelopeType = &pflag.Flag{ Name: "envelope-format", Usage: "signature envelope format, options: 'jws', 'cose'", From 45668cfe7dc1fefee3c3595690433192f4976921 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 28 Oct 2022 12:59:01 +0800 Subject: [PATCH 10/15] renamed envelope-type to signature-format Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- cmd/notation/sign_test.go | 4 ++-- docs/hello-signing.md | 2 +- internal/cmd/flags.go | 2 +- specs/commandline/sign.md | 16 ++++++++-------- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 8b7765ed8..a1e12ae61 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -38,7 +38,7 @@ Example - Sign a container image using the default signing key, with the default notation sign /: Example - Sign a container image using the default signing key, with the COSE envelope: - notation sign --envelope-format cose /: + notation sign --signature-format cose /: Example - Sign a container image using the specified key name notation sign --key /: diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index f9ac3f565..9b307a610 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -60,7 +60,7 @@ func TestSignCommand_MoreArgs(t *testing.T) { "-p", expected.Password, "--key", expected.Key, "--plain-http", - "--envelope-format", expected.SignerFlagOpts.EnvelopeType, + "--signature-format", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String()}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } @@ -87,7 +87,7 @@ func TestSignCommand_CorrectConfig(t *testing.T) { if err := command.ParseFlags([]string{ expected.reference, "--key", expected.Key, - "--envelope-format", expected.SignerFlagOpts.EnvelopeType, + "--signature-format", expected.SignerFlagOpts.EnvelopeType, "--expiry", expected.expiry.String(), "--plugin-config", expected.pluginConfig}); err != nil { t.Fatalf("Parse Flag failed: %v", err) diff --git a/docs/hello-signing.md b/docs/hello-signing.md index 7b934f2ff..a19c6d3d7 100644 --- a/docs/hello-signing.md +++ b/docs/hello-signing.md @@ -98,7 +98,7 @@ To get things started quickly, the Notation cli supports self-generated signing To sign with COSE envelope ```bash - notation sign --envelope-format cose $IMAGE + notation sign --envelope-type cose $IMAGE ``` - List the image, and any associated signatures diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 416f48d30..cc416eb70 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go 
@@ -22,7 +22,7 @@ var ( } PflagEnvelopeType = &pflag.Flag{ - Name: "envelope-format", + Name: "signature-format", Usage: "signature envelope format, options: 'jws', 'cose'", } SetPflagSignatureFormat = func(fs *pflag.FlagSet, p *string) { diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 7642d9b31..8561c4a07 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
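Review bot: The flag defined in this hunk becomes `signature-format`, yet the docs/hello-signing.md hunk of the same commit changes its example to `notation sign --envelope-type cose $IMAGE`, a name the flag no longer has, so the documented command would presumably be rejected as an unknown flag. The example should read `notation sign --signature-format cose $IMAGE`. The Go identifier also stays `PflagEnvelopeType` while its setter is `SetPflagSignatureFormat`; renaming it to `PflagSignatureFormat`, together with its references outside this hunk, would keep the pair consistent. The `var (` block starts and ends outside the hunk.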
@@ -15,14 +15,14 @@ Usage: notation sign [flags] Flags: - --envelope-format string signature envelope format, options: 'jws', 'cose' (default "jws") - -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m - -h, --help help for sign - -k, --key string signing key name, for a key previously added to notation's key list. - -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) - --plain-http registry access via plain HTTP - --plugin-config strings {key}={value} pairs that are passed as is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values - -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) + --signature-format string signature envelope format, options: 'jws', 'cose' (default "jws") + -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m + -h, --help help for sign + -k, --key string signing key name, for a key previously added to notation's key list. + -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) + --plain-http registry access via plain HTTP + --plugin-config strings {key}={value} pairs that are passed as is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values + -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) ``` ## Usage From 2796b43e02f2dbb41fa5756a33a35edcaab8b840 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Sat, 29 Oct 2022 20:43:10 +0800 Subject: [PATCH 11/15] updated per code review 
Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 21 +++------------------ internal/cmd/flags.go | 2 +- specs/commandline/sign.md | 4 ++-- 3 files changed, 6 insertions(+), 21 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index a1e12ae61..0fb718c81 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -6,7 +6,6 @@ import ( "fmt" "time" - "github.com/notaryproject/notation-core-go/timestamp" "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" @@ -16,11 +15,9 @@ import ( type signOpts struct { cmd.SignerFlagOpts SecureFlagOpts - timestamp string - expiry time.Duration - originReference string - pluginConfig string - reference string + expiry time.Duration + pluginConfig string + reference string } func signCommand(opts *signOpts) *cobra.Command { @@ -101,24 +98,12 @@ func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.Descri if err != nil { return notation.Descriptor{}, notation.SignOptions{}, err } - if identity := opts.originReference; identity != "" { - manifestDesc.Annotations = map[string]string{ - "identity": identity, - } - } - var tsa timestamp.Timestamper - if endpoint := opts.timestamp; endpoint != "" { - if tsa, err = timestamp.NewHTTPTimestamper(nil, endpoint); err != nil { - return notation.Descriptor{}, notation.SignOptions{}, err - } - } pluginConfig, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) if err != nil { return notation.Descriptor{}, notation.SignOptions{}, err } return manifestDesc, notation.SignOptions{ Expiry: cmd.GetExpiry(opts.expiry), - TSA: tsa, PluginConfig: pluginConfig, }, nil } diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index cc416eb70..cdf9503b9 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go 
@@ -59,7 +59,7 @@ var ( PflagPluginConfig = &pflag.Flag{ Name: "plugin-config", Shorthand: "c", - Usage: "{key}={value} pairs that are passed as is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values", + Usage: "{key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values", } SetPflagPluginConfig = func(fs *pflag.FlagSet, p *string) { fs.StringVarP(p, PflagPluginConfig.Name, PflagPluginConfig.Shorthand, "", PflagPluginConfig.Usage) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 8561c4a07..8df20eed1 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -15,13 +15,13 @@ Usage: notation sign [flags] Flags: - --signature-format string signature envelope format, options: 'jws', 'cose' (default "jws") -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m -h, --help help for sign -k, --key string signing key name, for a key previously added to notation's key list. -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) --plain-http registry access via plain HTTP - --plugin-config strings {key}={value} pairs that are passed as is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values + --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values + --signature-format string signature envelope format, options: 'jws', 'cose' (default "jws") -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) ``` From eb334a46031d3d05eb28b66173eb52c736ba56e2 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Mon, 31 Oct 2022 14:19:32 +0800 Subject: [PATCH 12/15] resolved conflicts Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- cmd/notation/sign_test.go | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 0fb718c81..b1c7a83bc 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -16,7 +16,7 @@ type signOpts struct { cmd.SignerFlagOpts SecureFlagOpts expiry time.Duration - pluginConfig string + pluginConfig []string reference string } diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index 1d6b0f631..0333a2127 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -23,7 +23,6 @@ func TestSignCommand_BasicArgs(t *testing.T) { Key: "key", EnvelopeType: envelope.JWS, }, - pluginConfig: []string{"key0=val0"}, } if err := command.ParseFlags([]string{ expected.reference, @@ -54,8 +53,7 @@ func TestSignCommand_MoreArgs(t *testing.T) { Key: "key", EnvelopeType: envelope.COSE, }, - expiry: 24 * time.Hour, - pluginConfig: []string{"key0=val0"}, + expiry: 24 * time.Hour, } if err := command.ParseFlags([]string{ expected.reference, From 47f1c77f73f643f1258a302836782ada7ad48d71 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 31 Oct 2022 14:48:38 +0800 Subject: [PATCH 13/15] updated per code review Signed-off-by: Patrick Zheng --- internal/cmd/flags.go | 2 +- specs/commandline/sign.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 3698addd2..f948b06bf 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go 
@@ -40,7 +40,7 @@ var ( PflagExpiry = &pflag.Flag{ Name: "expiry", Shorthand: "e", - Usage: "optional expiry that provides a \"best by use\" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m", + Usage: "optional expiry that provides a \"best by use\" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m", } SetPflagExpiry = func(fs *pflag.FlagSet, p *time.Duration) { fs.DurationVarP(p, PflagExpiry.Name, PflagExpiry.Shorthand, time.Duration(0), PflagExpiry.Usage) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 8df20eed1..995ce60b6 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -15,7 +15,7 @@ Usage: notation sign [flags] Flags: - -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m), hours(h) or days(d). For example: 30d, 12h, 30m, 1d3h20m + -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m -h, --help help for sign -k, --key string signing key name, for a key previously added to notation's key list. -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) From 9f7ed0ae123eaa9267b9f0b2526efd250c4635e7 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 31 Oct 2022 15:24:25 +0800 Subject: [PATCH 14/15] added back version command Signed-off-by: Patrick Zheng --- cmd/notation/main.go | 4 +++- cmd/notation/verify.go | 6 +----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/cmd/notation/main.go b/cmd/notation/main.go index 53d7098dc..fd35a6250 100644 --- a/cmd/notation/main.go +++ b/cmd/notation/main.go 
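Review bot: The reworded `--expiry` usage in the flags.go hunk documents units only, and the value itself is still unbounded. The setter shown as context registers it with `DurationVarP`, which parses via `time.ParseDuration`, so a negative duration such as `-1h` is accepted at the flag layer. Whether `cmd.GetExpiry` rejects that is not visible in this patch; if it does not, a signature could be issued with an expiry already in the past. A guard in `prepareSigningContent` before `SignOptions` is built would make the contract explicit, e.g. `if opts.expiry < 0 { return notation.Descriptor{}, notation.SignOptions{}, fmt.Errorf("expiry cannot be negative: %v", opts.expiry) }`. The `var (` block continues outside the hunk.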
@@ -20,7 +20,9 @@ func main() { keyCommand(), pluginCommand(), loginCommand(nil), - logoutCommand(nil)) + logoutCommand(nil), + versionCommand()) + if err := cmd.Execute(); err != nil { log.Fatal(err) } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 4d4f66086..e5fd71a5f 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -27,11 +27,7 @@ func verifyCommand(opts *verifyOpts) *cobra.Command { command := &cobra.Command{ Use: "verify [flags] ", Short: "Verify Artifacts", - Long: `Verify signatures associated with the artifact. - -Prerequisite: a trusted certificate needs to be generated or added using the command "notation cert". - -notation verify [--plugin-config =...] [--username ] [--password ] `, + Long: "Verify signatures associated with the artifact.", Args: func(cmd *cobra.Command, args []string) error { if len(args) == 0 { return errors.New("missing reference") From 86ec32401f9ce3ef975a50aec9b5e14ef5867a10 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 31 Oct 2022 16:01:38 +0800 Subject: [PATCH 15/15] updated per code review Signed-off-by: Patrick Zheng --- cmd/notation/main.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/notation/main.go b/cmd/notation/main.go index fd35a6250..185927862 100644 --- a/cmd/notation/main.go +++ b/cmd/notation/main.go @@ -21,8 +21,8 @@ func main() { pluginCommand(), loginCommand(nil), logoutCommand(nil), - versionCommand()) - + versionCommand(), + ) if err := cmd.Execute(); err != nil { log.Fatal(err) }
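Review bot: In the verify.go hunk the `Long` help shrinks to one sentence and drops the prerequisite that a trusted certificate must be configured before verification. If `notation verify` still depends on that trust configuration (not visible here), the help should keep saying so and leave out only the stale usage line, for example `Long: "Verify signatures associated with the artifact.\n\nPrerequisite: a trusted certificate must be configured before verifying.",`. `verifyCommand` starts before and continues past the hunk.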