spec: update cli sign spec for tag to digest translation #439
priteshbandi merged 29 commits into notaryproject:main from
Conversation
Signed-off-by: Yi Zha <zhayi@outlook.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Codecov Report
@@ Coverage Diff @@
##             main     #439      +/-   ##
==========================================
- Coverage   32.82%   32.48%   -0.35%
==========================================
  Files          25       25
  Lines        1237     1250      +13
==========================================
  Hits          406      406
- Misses        819      832      +13
  Partials       12       12
I think the verbiage should be changed to - [ Sign an OCI artifact stored in a registry and use "--expiry" (expiration) parameter to define the expiration duration for the signature in days, for example 1 day = 24 hours. ]
Signed-off-by: Yi Zha <yizha1@microsoft.com>
FeynmanZhou
left a comment
Overall looks good. Only two concerns left above
Signed-off-by: Yi Zha <yizha1@microsoft.com>
LGTM
specs/commandline/sign.md
Outdated
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. | ||
| Resolved artifact tag '<tag>' to digest '<digest>' before signing. |
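Review bot: missing from this hunk is a statement of where the warning and the "Resolved artifact tag ... to digest ..." line are emitted (stderr versus stdout, or at which log level); the thread says they will be logs, and the spec should say so explicitly, because a script that captures the success line from stdout needs to know whether these two lines land in the same stream.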
Note: These outputs will be in the form of logs.
| # Or change the default signing key to an existing signing key | ||
| notation key update --default <key_name> | ||
| # Prerequisites: | ||
| # - A signing plugin is installed. See plugin documentation (https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details. |
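Review bot: the plugin documentation link in the last line of this hunk points at the main branch of notaryproject/notaryproject, so the text it references can change after this spec is published; as raised in the thread, pin the URL to a release tag once one has been cut.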
Instead of the main branch, should we use a tag version for the URL?
Can we update it later once we have cut a version for notaryproject?
specs/commandline/sign.md
Outdated
| Upon successful signing, the generated signature is pushed to the registry and associated with the signed OCI artifact. The output message is printed out as following: | ||
| ```text | ||
| Successfully signed <registry>/<repository>@<digest>. |
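Review bot: style point on the success line `Successfully signed <registry>/<repository>@<digest>.` in this hunk: it ends with a period, so check that it matches the form of the `notation verify` success message and use one convention in both specs. Reporting the digest rather than the tag in this line is the right choice, since the digest is what was actually signed.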
It seems inconsistent with notation verify whether the sentence has a dot at the end or not.
| ```console | ||
| $ notation sign localhost:5000/net-monitor:v1 | ||
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. |
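Review bot: in this console example the `:v1` in the warning matches the tag actually passed to `notation sign`, so the concrete value reads consistently here; the generic description of the warning elsewhere in the spec should use the placeholder `:<tag>` so that readers do not take `v1` as a literal part of the message.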
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. | |
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:<tag>`) because tags are mutable and a tag reference can point to a different artifact than the one signed. |
I would keep line 115 as it is, but change the text in line 18 from :v1 to :<tag>. What do you think?
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Discussed with Toddy, and it looks good to him.
…ct#439) This PR is mainly to improve the output message of `notation sign` command for tag to digest translation. Signed-off-by: Yi Zha <zhayi@outlook.com> Signed-off-by: Yi Zha <yizha1@microsoft.com>
This PR is mainly to improve the output message of the `notation sign` command for tag to digest translation.