From b910a8a1114648a207b5676aa8d3e6e0d57b261c Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 12 Oct 2022 11:02:39 +0800 Subject: [PATCH 01/19] updated dependency Signed-off-by: Patrick Zheng --- go.mod | 4 ++-- go.sum | 11 +++++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index bab4cc5c6..a55dac5f2 100644 --- a/go.mod +++ b/go.mod @@ -5,8 +5,8 @@ go 1.19 require ( github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f github.com/docker/docker-credential-helpers v0.7.0 - github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921054535-009c09a9628e - github.com/notaryproject/notation-go v0.10.0-alpha.3.0.20220927020950-2bcfd343f974 + github.com/notaryproject/notation-core-go v0.1.0-alpha.4 + github.com/notaryproject/notation-go v0.11.0-alpha.4 github.com/opencontainers/go-digest v1.0.0 github.com/spf13/cobra v1.5.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 7c8e219c0..47134c266 100644 --- a/go.sum +++ b/go.sum 
@@ -3,14 +3,15 @@ github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f h1:3N github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f/go.mod h1:28YO/VJk9/64+sTGNuYaBjWxrXTPrj0C0XmgTIOjxX4= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921054535-009c09a9628e h1:n3wJRhIVbEGg497rtKV3IMaZJv2hFKYHCOtNIOAyLYw= -github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921054535-009c09a9628e/go.mod h1:mM4M9wPdu0CGgh8f3wOcu0XMiXwEKWQurjBG4nmqQ4g= -github.com/notaryproject/notation-go v0.10.0-alpha.3.0.20220927020950-2bcfd343f974 h1:aJ5p4zydKHoyXVK62H50fmj5czcxXpSG5a24EgoZH5E= -github.com/notaryproject/notation-go v0.10.0-alpha.3.0.20220927020950-2bcfd343f974/go.mod h1:TeQIoxMetPFqJSDzcHnGZ6x9kKzglfSmgxYrWt9/viA= +github.com/notaryproject/notation-core-go v0.1.0-alpha.4 h1:0OhA2PjwT0TAouHOrU4K+8H9YM6E/e4/ocoq+JiHeOw= +github.com/notaryproject/notation-core-go v0.1.0-alpha.4/go.mod h1:s8DZptmN1rZS0tBLTPt/w+d4o6eAcGWTYYJlXaJhQ4U= +github.com/notaryproject/notation-go v0.11.0-alpha.4 h1:PNptLtrhW0jyw10hUWU+KNzvzeuBBZmg+/1IUaGYE10= +github.com/notaryproject/notation-go v0.11.0-alpha.4/go.mod h1:4xYTcW4wfsXkXw3piUA53uSW82RwdXyipSEtiiRVrCw= github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 
h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU= github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -24,6 +25,8 @@ github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83 h1:g8vDfnNOPcGzg6mnlBGc0J5t5lAJkaepXqbc9qFRnFs= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64 h1:UiNENfZ8gDvpiWw7IpOMQ27spWmThO1RwwdQVbJahJM= From 60e9fdf534df19781c2cf2cefa57550fe9dd0997 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 22 Nov 2022 14:05:08 +0800 Subject: [PATCH 02/19] updated CLI outputs for sign/verification with tag reference Signed-off-by: Patrick Zheng --- cmd/notation/list.go | 5 ++--- cmd/notation/manifest.go | 13 +++++++------ cmd/notation/sign.go | 33 +++++++++++++++++++++++++-------- cmd/notation/verify.go | 19 +++++++++++-------- internal/ioutil/print.go | 7 ++++++- 5 files changed, 51 insertions(+), 26 deletions(-) diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 027c4c663..2f8b6008d 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go 
@@ -6,7 +6,6 @@ import ( "fmt" notationRegistry "github.com/notaryproject/notation-go/registry" - notationregistry "github.com/notaryproject/notation-go/registry" "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1" @@ -52,7 +51,7 @@ func runList(command *cobra.Command, opts *listOpts) error { } // core process - manifestDesc, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, reference) + manifestDesc, _, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, reference) if err != nil { return err } @@ -66,7 +65,7 @@ func runList(command *cobra.Command, opts *listOpts) error { // // TODO: this is a temporary function and will be replaced after // notation-go refactor. -func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Digest, sigRepo *notationregistry.RepositoryClient, reference string) error { +func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Digest, sigRepo *notationRegistry.RepositoryClient, reference string) error { // prepare title ref, err := registry.ParseReference(reference) if err != nil { diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index b9d82baf2..e6e68aabb 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
@@ -8,22 +8,23 @@ import ( "oras.land/oras-go/v2/registry" ) -func getManifestDescriptorFromContext(ctx context.Context, opts *SecureFlagOpts, ref string) (notation.Descriptor, error) { +func getManifestDescriptorFromContext(ctx context.Context, opts *SecureFlagOpts, ref string) (notation.Descriptor, registry.Reference, error) { if ref == "" { - return notation.Descriptor{}, errors.New("missing reference") + return notation.Descriptor{}, registry.Reference{}, errors.New("missing reference") } return getManifestDescriptorFromReference(ctx, opts, ref) } -func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpts, reference string) (notation.Descriptor, error) { +func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpts, reference string) (notation.Descriptor, registry.Reference, error) { ref, err := registry.ParseReference(reference) if err != nil { - return notation.Descriptor{}, err + return notation.Descriptor{}, registry.Reference{}, err } repo, err := getRepositoryClient(opts, ref) if err != nil { - return notation.Descriptor{}, err + return notation.Descriptor{}, registry.Reference{}, err } - return repo.Resolve(ctx, ref.ReferenceOrDefault()) + manifestDesc, err := repo.Resolve(ctx, ref.ReferenceOrDefault()) + return manifestDesc, ref, err } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index b1c7a83bc..9005a5dc7 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -12,6 +12,11 @@ import ( "github.com/spf13/cobra" ) +type tagReference struct { + isTag bool + tag string +} + type signOpts struct { cmd.SignerFlagOpts SecureFlagOpts @@ -70,7 +75,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // core process - desc, opts, err := prepareSigningContent(command.Context(), cmdOpts) + desc, opts, tagReference, err := prepareSigningContent(command.Context(), cmdOpts) if err != nil { return err } 
@@ -89,23 +94,35 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { ) } - fmt.Println(desc.Digest) + if tagReference.isTag { + fmt.Println("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:latest`) because tags are mutable and a tag reference can point to a different artifact than the one signed.") + fmt.Printf("Resolving artifact tag %q to digest %q before signing.\n", tagReference.tag, desc.Digest) + } + fmt.Println("Successfully signed", desc.Digest) return nil } -func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.Descriptor, notation.SignOptions, error) { - manifestDesc, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference) +func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.Descriptor, notation.SignOptions, tagReference, error) { + var tagRef tagReference + isTag := !isDigestReference(opts.reference) + manifestDesc, ref, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference) if err != nil { - return notation.Descriptor{}, notation.SignOptions{}, err + return notation.Descriptor{}, notation.SignOptions{}, tagReference{}, err } pluginConfig, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) if err != nil { - return notation.Descriptor{}, notation.SignOptions{}, err + return notation.Descriptor{}, notation.SignOptions{}, tagReference{}, err + } + if isTag { + tagRef = tagReference{ + isTag: isTag, + tag: ref.Reference, // ref.Reference is a tag reference + } } return manifestDesc, notation.SignOptions{ Expiry: cmd.GetExpiry(opts.expiry), PluginConfig: pluginConfig, - }, nil + }, tagRef, nil } func pushSignature(ctx context.Context, opts *SecureFlagOpts, ref string, sig []byte) (notation.Descriptor, error) { 
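Review bot: The tag warning and the "Resolving artifact tag" line in runSign are written with `fmt.Println`/`fmt.Printf`, so they land on stdout together with the result line, where this command previously printed only the digest. Anything that captures stdout to obtain the signed digest now receives the warning text as well; writing diagnostics to stderr keeps them visible without changing the result stream, e.g. `fmt.Fprintln(os.Stderr, "Warning: ...")` (this needs `os` in the file's imports, which are outside the hunk). The message is also printed at the end of the function, after the signing step that appears to sit above this hunk, so "Resolving ... before signing" reports the tag-to-digest resolution only once the signature already exists. The `warning:` line added to runVerify later in this series has the same stdout issue.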
@@ -114,7 +131,7 @@ func pushSignature(ctx context.Context, opts *SecureFlagOpts, ref string, sig [] if err != nil { return notation.Descriptor{}, err } - manifestDesc, err := getManifestDescriptorFromReference(ctx, opts, ref) + manifestDesc, _, err := getManifestDescriptorFromReference(ctx, opts, ref) if err != nil { return notation.Descriptor{}, err } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index e5fd71a5f..c20fae8b3 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -46,7 +46,7 @@ func verifyCommand(opts *verifyOpts) *cobra.Command { func runVerify(command *cobra.Command, opts *verifyOpts) error { // resolve the given reference and set the digest. - ref, err := resolveReference(command, opts) + ref, tagRef, err := resolveReference(command, opts) if err != nil { return err } @@ -68,7 +68,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { outcomes, err := verifier.Verify(ctx, ref.String()) // write out. - return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref.Reference) + return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref.Reference, tagRef.isTag, tagRef.tag) } func getVerifier(opts *verifyOpts, ref registry.Reference) (*verification.Verifier, error) { 
@@ -82,24 +82,27 @@ func getVerifier(opts *verifyOpts, ref registry.Reference) (*verification.Verifi return verification.NewVerifier(repo) } -func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) { +func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, tagReference, error) { ref, err := registry.ParseReference(opts.reference) if err != nil { - return registry.Reference{}, err + return registry.Reference{}, tagReference{}, err } if isDigestReference(opts.reference) { - return ref, nil + return ref, tagReference{}, nil } // Resolve tag reference to digest reference. - manifestDesc, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) + manifestDesc, tagRef, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) if err != nil { - return registry.Reference{}, err + return registry.Reference{}, tagReference{}, err } ref.Reference = manifestDesc.Digest.String() - return ref, nil + return ref, tagReference{ + isTag: true, + tag: tagRef.Reference, + }, nil } func isDigestReference(reference string) bool { diff --git a/internal/ioutil/print.go b/internal/ioutil/print.go index 9f7eca634..ebfef28d3 100644 --- a/internal/ioutil/print.go +++ b/internal/ioutil/print.go 
@@ -54,7 +54,12 @@ func PrintCertificateMap(w io.Writer, v []config.CertificateReference) error { return tw.Flush() } -func PrintVerificationResults(w io.Writer, v []*verification.SignatureVerificationOutcome, resultErr error, digest string) error { +func PrintVerificationResults(w io.Writer, v []*verification.SignatureVerificationOutcome, resultErr error, digest string, isTag bool, tag string) error { + if isTag { + fmt.Println("Warning: Always verify artifact using digest(`@sha256:...`) rather than a tag(`:latest`) because tags are mutable and a tag reference can point to a different artifact than the one verified.") + fmt.Printf("Resolved artifact tag %q to digest %q before verification.\n", tag, digest) + } + tw := newTabWriter(w) if resultErr == nil { From 99d98de1798aa0ca43e91a9ceda7e301202387dd Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 22 Nov 2022 15:52:59 +0800 Subject: [PATCH 03/19] update Signed-off-by: Patrick Zheng --- internal/ioutil/print.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/ioutil/print.go b/internal/ioutil/print.go index ebfef28d3..6fe2d25f2 100644 --- a/internal/ioutil/print.go +++ b/internal/ioutil/print.go @@ -63,7 +63,7 @@ func PrintVerificationResults(w io.Writer, v []*verification.SignatureVerificati tw := newTabWriter(w) if resultErr == nil { - fmt.Fprintf(tw, "Signature verification succeeded for %s\n", digest) + fmt.Fprintf(tw, "Successfully verified for %s\n", digest) // TODO[https://github.com/notaryproject/notation/issues/304]: print out failed validations as warnings. return nil } From 9b8bf6c9d6fa72e78455a33c3b25ffb602409192 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 30 Nov 2022 11:37:28 +0800 Subject: [PATCH 04/19] update based on spec Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 27 ++++++++++++--------------- cmd/notation/verify.go | 27 +++++++++++++++++---------- internal/ioutil/print.go | 8 +++++--- 3 files changed, 34 insertions(+), 28 deletions(-) 
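Review bot: The new tag warning in PrintVerificationResults is written with `fmt.Println` and `fmt.Printf`, which go to the process stdout and ignore the `w io.Writer` the function was given. A caller that passes a different writer gets the result on `w` but loses the warning from that stream; use `fmt.Fprintln(w, ...)` and `fmt.Fprintf(w, "Resolved artifact tag %q to digest %q before verification.\n", tag, digest)` so that all output follows the parameter. The later print.go hunks in this series keep the same pattern for the warning and for the failure message. The function body continues outside the hunk.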
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 41907de33..b3598d1fa 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -11,13 +11,9 @@ import ( "github.com/notaryproject/notation/internal/envelope" ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" + "oras.land/oras-go/v2/registry" ) -type tagReference struct { - isTag bool - tag string -} - type signOpts struct { cmd.SignerFlagOpts SecureFlagOpts @@ -76,7 +72,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // core process - desc, opts, tagReference, err := prepareSigningContent(command.Context(), cmdOpts) + desc, opts, tagReference, ref, err := prepareSigningContent(command.Context(), cmdOpts) if err != nil { return err } 
@@ -91,32 +87,33 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { // write out if tagReference.isTag { - fmt.Println("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:latest`) because tags are mutable and a tag reference can point to a different artifact than the one signed.") - fmt.Printf("Resolving artifact tag %q to digest %q before signing.\n", tagReference.tag, desc.Digest) + fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", tagReference.tag) + fmt.Printf("Resolved artifact tag %q to digest %q before signing.\n", tagReference.tag, desc.Digest) } - fmt.Println("Successfully signed", desc.Digest) + + fmt.Printf("Successfully signed %s/%s@%s", ref.Registry, ref.Repository, desc.Digest) return nil } -func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descriptor, notation.SignOptions, tagReference, error) { +func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descriptor, notation.SignOptions, tagReference, registry.Reference, error) { var tagRef tagReference isTag := !isDigestReference(opts.reference) manifestDesc, ref, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, err + return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, registry.Reference{}, err } mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, err + return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, registry.Reference{}, err } pluginConfig, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, err + return 
ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, registry.Reference{}, err } if isTag { tagRef = tagReference{ isTag: isTag, - tag: ref.Reference, // ref.Reference is a tag reference + tag: ref.ReferenceOrDefault(), } } return manifestDesc, notation.SignOptions{ @@ -124,5 +121,5 @@ func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descrip SignatureMediaType: mediaType, Expiry: cmd.GetExpiry(opts.expiry), PluginConfig: pluginConfig, - }, tagRef, nil + }, tagRef, ref, nil } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 79e47e070..b30bc4a90 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -17,6 +17,11 @@ import ( "oras.land/oras-go/v2/registry/remote" ) +type tagReference struct { + isTag bool + tag string +} + type verifyOpts struct { SecureFlagOpts reference string @@ -48,13 +53,13 @@ func verifyCommand(opts *verifyOpts) *cobra.Command { } func runVerify(command *cobra.Command, opts *verifyOpts) error { - // resolve the given reference and set the digest. + // resolve the given reference and set the digest ref, tagRef, err := resolveReference(command, opts) if err != nil { return err } - // initialize verifier. + // initialize verifier verifier, err := verifier.NewFromConfig() if err != nil { return err @@ -67,7 +72,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { } repo := notationRegistry.NewRepository(&remote_repo) - // set up verification plugin config. + // set up verification plugin config configs, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) if err != nil { return err 
@@ -81,11 +86,11 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { MaxSignatureAttempts: math.MaxInt64, } - // core verify process. + // core verify process _, outcomes, err := notation.Verify(command.Context(), verifier, repo, verifyOpts) - // write out. - return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref.Reference, tagRef.isTag, tagRef.tag) + // write out + return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref, tagRef.isTag, tagRef.tag) } func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, tagReference, error) { @@ -103,11 +108,13 @@ func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Refere if err != nil { return registry.Reference{}, tagReference{}, err } - ref.Reference = manifestDesc.Digest.String() + + // At this point, ref.Reference holds the resolved digest, while + // tagReference holds the original tag. return ref, tagReference{ isTag: true, - tag: tagRef.Reference, + tag: tagRef.ReferenceOrDefault(), }, nil } @@ -117,6 +124,6 @@ func isDigestReference(reference string) bool { return false } - index := strings.Index(parts[1], "@") - return index != -1 + _, _, found := strings.Cut(parts[1], "@") + return found } diff --git a/internal/ioutil/print.go b/internal/ioutil/print.go index a9c158858..6fdf86ac8 100644 --- a/internal/ioutil/print.go +++ b/internal/ioutil/print.go @@ -10,6 +10,7 @@ import ( "github.com/notaryproject/notation-go/config" "github.com/notaryproject/notation-go/plugin" "github.com/notaryproject/notation-go/plugin/proto" + "oras.land/oras-go/v2/registry" ) func newTabWriter(w io.Writer) *tabwriter.Writer { 
@@ -56,16 +57,17 @@ func PrintKeyMap(w io.Writer, target string, v []config.KeySuite) error { return tw.Flush() } -func PrintVerificationResults(w io.Writer, v []*notation.VerificationOutcome, resultErr error, digest string, isTag bool, tag string) error { +func PrintVerificationResults(w io.Writer, v []*notation.VerificationOutcome, resultErr error, ref registry.Reference, isTag bool, tag string) error { + digest := ref.Reference if isTag { - fmt.Println("Warning: Always verify artifact using digest(`@sha256:...`) rather than a tag(`:latest`) because tags are mutable and a tag reference can point to a different artifact than the one verified.") fmt.Printf("Resolved artifact tag %q to digest %q before verification.\n", tag, digest) + fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.") } tw := newTabWriter(w) if resultErr == nil { - fmt.Fprintf(tw, "Successfully verified for %s\n", digest) + fmt.Fprintf(tw, "Successfully verified signature for %s/%s@%s\n", ref.Registry, ref.Repository, digest) // TODO[https://github.com/notaryproject/notation/issues/304]: print out failed validations as warnings. return nil } From e2f3d97031d43513649143fd4afa19abcc062b44 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 30 Nov 2022 11:53:24 +0800 Subject: [PATCH 05/19] update Signed-off-by: Patrick Zheng --- cmd/notation/verify.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index b30bc4a90..b410dadbe 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go 
@@ -65,12 +65,12 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { return err } authClient, plainHTTP, _ := getAuthClient(&opts.SecureFlagOpts, ref) - remote_repo := remote.Repository{ + remoteRepo := remote.Repository{ Client: authClient, Reference: ref, PlainHTTP: plainHTTP, } - repo := notationRegistry.NewRepository(&remote_repo) + repo := notationRegistry.NewRepository(&remoteRepo) // set up verification plugin config configs, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) From 92a6b0d569effbac8f0361a8b39864eaf8d43676 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 1 Dec 2022 21:51:05 +0800 Subject: [PATCH 06/19] update Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 26 +++++++------------------- cmd/notation/verify.go | 26 ++++++++------------------ internal/ioutil/print.go | 13 +++---------- 3 files changed, 18 insertions(+), 47 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index b3598d1fa..9b0147501 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -72,7 +72,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // core process - desc, opts, tagReference, ref, err := prepareSigningContent(command.Context(), cmdOpts) + desc, opts, ref, err := prepareSigningContent(command.Context(), cmdOpts) if err != nil { return err } 
@@ -86,40 +86,28 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // write out - if tagReference.isTag { - fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", tagReference.tag) - fmt.Printf("Resolved artifact tag %q to digest %q before signing.\n", tagReference.tag, desc.Digest) - } - fmt.Printf("Successfully signed %s/%s@%s", ref.Registry, ref.Repository, desc.Digest) + return nil } -func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descriptor, notation.SignOptions, tagReference, registry.Reference, error) { - var tagRef tagReference - isTag := !isDigestReference(opts.reference) +func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descriptor, notation.SignOptions, registry.Reference, error) { manifestDesc, ref, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, registry.Reference{}, err + return ocispec.Descriptor{}, notation.SignOptions{}, registry.Reference{}, err } mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, registry.Reference{}, err + return ocispec.Descriptor{}, notation.SignOptions{}, registry.Reference{}, err } pluginConfig, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, tagReference{}, registry.Reference{}, err - } - if isTag { - tagRef = tagReference{ - isTag: isTag, - tag: ref.ReferenceOrDefault(), - } + return ocispec.Descriptor{}, notation.SignOptions{}, registry.Reference{}, err } return manifestDesc, notation.SignOptions{ ArtifactReference: opts.reference, SignatureMediaType: mediaType, Expiry: cmd.GetExpiry(opts.expiry), 
PluginConfig: pluginConfig, - }, tagRef, ref, nil + }, ref, nil } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index b410dadbe..d34a6e37c 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -17,11 +17,6 @@ import ( "oras.land/oras-go/v2/registry/remote" ) -type tagReference struct { - isTag bool - tag string -} - type verifyOpts struct { SecureFlagOpts reference string @@ -54,7 +49,7 @@ func verifyCommand(opts *verifyOpts) *cobra.Command { func runVerify(command *cobra.Command, opts *verifyOpts) error { // resolve the given reference and set the digest - ref, tagRef, err := resolveReference(command, opts) + ref, err := resolveReference(command, opts) if err != nil { return err } 
@@ -90,32 +85,27 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { _, outcomes, err := notation.Verify(command.Context(), verifier, repo, verifyOpts) // write out - return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref, tagRef.isTag, tagRef.tag) + return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref) } -func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, tagReference, error) { +func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) { ref, err := registry.ParseReference(opts.reference) if err != nil { - return registry.Reference{}, tagReference{}, err + return registry.Reference{}, err } if isDigestReference(opts.reference) { - return ref, tagReference{}, nil + return ref, nil } // Resolve tag reference to digest reference. - manifestDesc, tagRef, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) + manifestDesc, _, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) if err != nil { - return registry.Reference{}, tagReference{}, err + return registry.Reference{}, err } ref.Reference = manifestDesc.Digest.String() - // At this point, ref.Reference holds the resolved digest, while - // tagReference holds the original tag. - return ref, tagReference{ - isTag: true, - tag: tagRef.ReferenceOrDefault(), - }, nil + return ref, nil } func isDigestReference(reference string) bool { diff --git a/internal/ioutil/print.go b/internal/ioutil/print.go index 6fdf86ac8..cae75f0ca 100644 --- a/internal/ioutil/print.go +++ b/internal/ioutil/print.go 
@@ -57,21 +57,14 @@ func PrintKeyMap(w io.Writer, target string, v []config.KeySuite) error { return tw.Flush() } -func PrintVerificationResults(w io.Writer, v []*notation.VerificationOutcome, resultErr error, ref registry.Reference, isTag bool, tag string) error { - digest := ref.Reference - if isTag { - fmt.Printf("Resolved artifact tag %q to digest %q before verification.\n", tag, digest) - fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.") - } - +func PrintVerificationResults(w io.Writer, v []*notation.VerificationOutcome, resultErr error, ref registry.Reference) error { tw := newTabWriter(w) - if resultErr == nil { - fmt.Fprintf(tw, "Successfully verified signature for %s/%s@%s\n", ref.Registry, ref.Repository, digest) + fmt.Fprintf(tw, "Successfully verified signature for %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) // TODO[https://github.com/notaryproject/notation/issues/304]: print out failed validations as warnings. return nil } - fmt.Printf("Signature verification failed for all the signatures associated with digest: %s\n", digest) + fmt.Printf("Signature verification failed for all the signatures associated with %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) tw.Flush() return resultErr From 7c71f4f5683783df1871ea26670a880dcf8672eb Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 1 Dec 2022 21:55:36 +0800 Subject: [PATCH 07/19] update Signed-off-by: Patrick Zheng --- cmd/notation/manifest.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index 9b52def0d..ddc55b838 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
@@ -26,5 +26,8 @@ func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpt return ocispec.Descriptor{}, registry.Reference{}, err } manifestDesc, err := repo.Resolve(ctx, ref.ReferenceOrDefault()) + if err != nil { + return ocispec.Descriptor{}, registry.Reference{}, err + } return manifestDesc, ref, err } From fbdfe5290f9522e8669d5aec0071c84613731fbc Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 1 Dec 2022 22:06:31 +0800 Subject: [PATCH 08/19] update Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 9b0147501..fa05f2300 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -86,7 +86,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // write out - fmt.Printf("Successfully signed %s/%s@%s", ref.Registry, ref.Repository, desc.Digest) + fmt.Printf("Successfully signed %s/%s@%s\n", ref.Registry, ref.Repository, desc.Digest) return nil } From d4a00ef60612ddd35ad0871a11273c7f1903d759 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 2 Dec 2022 11:03:18 +0800 Subject: [PATCH 09/19] updated output for verify Signed-off-by: Patrick Zheng --- cmd/notation/verify.go | 25 ++++++++++++++++++++++--- internal/ioutil/print.go | 15 --------------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index d34a6e37c..e51836252 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -2,15 +2,14 @@ package main import ( "errors" + "fmt" "math" - "os" "strings" "github.com/notaryproject/notation-go" notationRegistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/verifier" "github.com/notaryproject/notation/internal/cmd" - "github.com/notaryproject/notation/internal/ioutil" "github.com/spf13/cobra" "oras.land/oras-go/v2/registry" 
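Review bot: After the added `if err != nil` return in getManifestDescriptorFromReference, the closing `return manifestDesc, ref, err` can only ever carry a nil error. Writing `return manifestDesc, ref, nil` makes the success path explicit and spares a reader from checking whether a non-nil error can still escape together with a populated descriptor. The start of the function is outside the hunk.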
@@ -85,7 +84,27 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { _, outcomes, err := notation.Verify(command.Context(), verifier, repo, verifyOpts) // write out - return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref) + // on failure + if err != nil || len(outcomes) == 0 { + if err == nil { + err = errors.New("verification outcomes is empty") + } + fmt.Printf("Signature verification failed for all the signatures associated with %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) + return err + } + + // on success + outcome := outcomes[0] + // print out warning for any failed result with logged verification action + for _, result := range outcome.VerificationResults { + if result.Error != nil { + // at this point, the verification action has to be logged and + // it's failed + fmt.Printf("warning: %v was set to \"logged\" and failed with error: %v\n", result.Type, result.Error) + } + } + fmt.Printf("Successfully verified signature for %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) + return nil } func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) { diff --git a/internal/ioutil/print.go b/internal/ioutil/print.go index cae75f0ca..2f9273117 100644 --- a/internal/ioutil/print.go +++ b/internal/ioutil/print.go @@ -6,11 +6,9 @@ import ( "io" "text/tabwriter" - "github.com/notaryproject/notation-go" "github.com/notaryproject/notation-go/config" "github.com/notaryproject/notation-go/plugin" "github.com/notaryproject/notation-go/plugin/proto" - "oras.land/oras-go/v2/registry" ) func newTabWriter(w io.Writer) *tabwriter.Writer { 
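Review bot: The warning printed on the success path of runVerify hard-codes the word "logged" and rests on the code comment's assumption that any `result.Error` inside a successful outcome comes from a check whose action was set to logged. Nothing in the hunk verifies that, and only `outcomes[0]` is inspected. If the result type exposes the configured action, print that value instead of the literal; otherwise extend the comment to state the contract with the verifier (which outcome comes first, and why a non-nil error here cannot belong to an enforced check). The function starts outside the hunk.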
@@ -56,16 +54,3 @@ func PrintKeyMap(w io.Writer, target string, v []config.KeySuite) error { } return tw.Flush() } - -func PrintVerificationResults(w io.Writer, v []*notation.VerificationOutcome, resultErr error, ref registry.Reference) error { - tw := newTabWriter(w) - if resultErr == nil { - fmt.Fprintf(tw, "Successfully verified signature for %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) - // TODO[https://github.com/notaryproject/notation/issues/304]: print out failed validations as warnings. - return nil - } - fmt.Printf("Signature verification failed for all the signatures associated with %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) - tw.Flush() - - return resultErr -} From 8ec720a7de9cc87808cdeee55eddbb869bf05af8 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 2 Dec 2022 13:04:21 +0800 Subject: [PATCH 10/19] update Signed-off-by: Patrick Zheng --- cmd/notation/verify.go | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 48b3c2551..df10b8d31 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -4,7 +4,6 @@ import ( "errors" "fmt" "math" - "strings" "github.com/notaryproject/notation-go" notationRegistry "github.com/notaryproject/notation-go/registry" @@ -122,7 +121,8 @@ func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Refere return registry.Reference{}, err } - if isDigestReference(opts.reference) { + // reference is a digest reference + if ref.ValidateReferenceAsDigest() == nil { return ref, nil } @@ -135,13 +135,3 @@ func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Refere return ref, nil } - -func isDigestReference(reference string) bool { - parts := strings.SplitN(reference, "/", 2) - if len(parts) == 1 { - return false - } - - _, _, found := strings.Cut(parts[1], "@") - return found -} From 92b82c3dfe8d7509abea11c8cc2317dd836f9b79 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Fri, 2 Dec 2022 17:16:01 +0800 Subject: [PATCH 11/19] update Signed-off-by: Patrick Zheng --- cmd/notation/verify.go | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index df10b8d31..a4fe19e0a 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -94,11 +94,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { // write out // on failure if err != nil || len(outcomes) == 0 { - if err == nil { - err = errors.New("verification outcomes is empty") - } - fmt.Printf("Signature verification failed for all the signatures associated with %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) - return err + return fmt.Errorf("signature verification failed for all the signatures associated with %s/%s@%s", ref.Registry, ref.Repository, ref.Reference) } // on success From c74fdc81bacdcac973571dcf2188c0e2fd7abd0d Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 2 Dec 2022 23:07:59 +0800 Subject: [PATCH 12/19] added back tag to digest warnings print out Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 12 ++++++++++-- cmd/notation/verify.go | 35 +++++++++++++++++++++++------------ 2 files changed, 33 insertions(+), 14 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 9c436cbd8..ad03848e9 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
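Review bot: The new `return fmt.Errorf(...)` in the failure branch discards `err` from `notation.Verify`, so a registry or authentication failure and a rejected signature would presumably all surface as the same message, and callers can no longer inspect the cause. Keep the removed `if err == nil { err = errors.New("verification outcomes is empty") }` guard and wrap the cause: `return fmt.Errorf("signature verification failed for all the signatures associated with %s/%s@%s: %w", ref.Registry, ref.Repository, ref.Reference, err)`. The later `@@ -94,7 +94,7 @@` hunk of PATCH 13/19 only switches the message to `ref.String()` and has the same gap. runVerify begins and ends outside the hunk.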
@@ -89,7 +89,12 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // write out - fmt.Printf("Successfully signed %s/%s@%s\n", ref.Registry, ref.Repository, desc.Digest) + if ref.ValidateReferenceAsDigest() != nil { + // reference is not a digest reference + fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference) + fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, desc.Digest.String()) + } + fmt.Println("Successfully signed", ref.String()) return nil } @@ -107,9 +112,12 @@ func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descrip if err != nil { return ocispec.Descriptor{}, notation.SignOptions{}, registry.Reference{}, err } + digestRef := ref + // always pass digest reference to SignOptions + digestRef.Reference = manifestDesc.Digest.String() signOpts := notation.SignOptions{ - ArtifactReference: opts.reference, + ArtifactReference: digestRef.String(), SignatureMediaType: mediaType, ExpiryDuration: opts.expiry, PluginConfig: pluginConfig, diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index a4fe19e0a..c22a45a2c 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -9,6 +9,7 @@ import ( notationRegistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/verifier" "github.com/notaryproject/notation/internal/cmd" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" "oras.land/oras-go/v2/registry" 
@@ -56,20 +57,26 @@ Example - Verify a signature on an OCI artifact identified by a tag (Notation w func runVerify(command *cobra.Command, opts *verifyOpts) error { // resolve the given reference and set the digest - ref, err := resolveReference(command, opts) + desc, ref, isTag, err := resolveReference(command, opts) if err != nil { return err } + digestRef := ref + if isTag { + // Resolve tag to digest reference + digestRef.Reference = desc.Digest.String() + } + // initialize verifier verifier, err := verifier.NewFromConfig() if err != nil { return err } - authClient, plainHTTP, _ := getAuthClient(&opts.SecureFlagOpts, ref) + authClient, plainHTTP, _ := getAuthClient(&opts.SecureFlagOpts, digestRef) remoteRepo := remote.Repository{ Client: authClient, - Reference: ref, + Reference: digestRef, PlainHTTP: plainHTTP, } repo := notationRegistry.NewRepository(&remoteRepo) @@ -80,8 +87,9 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { return err } + // always pass digest reference to RemoteVerifyOptions verifyOpts := notation.RemoteVerifyOptions{ - ArtifactReference: ref.String(), + ArtifactReference: digestRef.String(), PluginConfig: configs, // TODO: need to change MaxSignatureAttempts as a user input flag or // a field in config.json 
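Review bot: `authClient, plainHTTP, _ := getAuthClient(&opts.SecureFlagOpts, digestRef)` still throws away the error on a line this hunk rewrites, so verification goes on with whatever client and `plainHTTP` value came back from a failed call. `getRepositoryClient` in cmd/notation/registry.go checks the same return value; do the same here with `authClient, plainHTTP, err := getAuthClient(&opts.SecureFlagOpts, digestRef)` followed by `if err != nil { return err }`. The same line, with `ref` as the argument, appears again in the `@@ -57,26 +56,20 @@` hunk of PATCH 13/19. runVerify continues outside the hunk.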
@@ -107,27 +115,30 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { fmt.Printf("warning: %v was set to \"logged\" and failed with error: %v\n", result.Type, result.Error) } } - fmt.Printf("Successfully verified signature for %s/%s@%s\n", ref.Registry, ref.Repository, ref.Reference) + if isTag { + fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, desc.Digest.String()) + fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable") + } + fmt.Println("Successfully verified signature for", ref.String()) return nil } -func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) { +func resolveReference(command *cobra.Command, opts *verifyOpts) (ocispec.Descriptor, registry.Reference, bool, error) { ref, err := registry.ParseReference(opts.reference) if err != nil { - return registry.Reference{}, err + return ocispec.Descriptor{}, registry.Reference{}, false, err } // reference is a digest reference if ref.ValidateReferenceAsDigest() == nil { - return ref, nil + return ocispec.Descriptor{}, ref, false, nil } - // Resolve tag reference to digest reference. + // get manifest descriptor manifestDesc, _, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) if err != nil { - return registry.Reference{}, err + return ocispec.Descriptor{}, registry.Reference{}, true, err } - ref.Reference = manifestDesc.Digest.String() - return ref, nil + return manifestDesc, ref, true, nil } From 0a4a3792e04a5cdf1fe5717657b15b8f2fdd6577 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Sat, 3 Dec 2022 00:03:38 +0800 Subject: [PATCH 13/19] update Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 31 +++++++++++++++---------------- cmd/notation/verify.go | 37 ++++++++++++++----------------------- 2 files changed, 29 insertions(+), 39 deletions(-) 
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index ad03848e9..00b7e34a4 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -9,7 +9,6 @@ import ( "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" - ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" "oras.land/oras-go/v2/registry" ) @@ -75,7 +74,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // core process - desc, opts, ref, err := prepareSigningContent(command.Context(), cmdOpts) + opts, ref, err := prepareSigningContent(command.Context(), cmdOpts) if err != nil { return err } 
@@ -89,39 +88,39 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // write out - if ref.ValidateReferenceAsDigest() != nil { - // reference is not a digest reference - fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference) - fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, desc.Digest.String()) - } fmt.Println("Successfully signed", ref.String()) return nil } -func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descriptor, notation.SignOptions, registry.Reference, error) { +func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.SignOptions, registry.Reference, error) { manifestDesc, ref, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, registry.Reference{}, err + return notation.SignOptions{}, registry.Reference{}, err } mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, registry.Reference{}, err + return notation.SignOptions{}, registry.Reference{}, err } pluginConfig, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) if err != nil { - return ocispec.Descriptor{}, notation.SignOptions{}, registry.Reference{}, err + return notation.SignOptions{}, registry.Reference{}, err + } + if ref.ValidateReferenceAsDigest() != nil { + // reference is not a digest reference + fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference) + fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, manifestDesc.Digest.String()) + + 
// resolve tag to digest reference + ref.Reference = manifestDesc.Digest.String() } - digestRef := ref - // always pass digest reference to SignOptions - digestRef.Reference = manifestDesc.Digest.String() signOpts := notation.SignOptions{ - ArtifactReference: digestRef.String(), + ArtifactReference: ref.String(), SignatureMediaType: mediaType, ExpiryDuration: opts.expiry, PluginConfig: pluginConfig, } - return manifestDesc, signOpts, ref, nil + return signOpts, ref, nil } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index c22a45a2c..6bb91eea7 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -9,7 +9,6 @@ import ( notationRegistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/verifier" "github.com/notaryproject/notation/internal/cmd" - ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" "oras.land/oras-go/v2/registry" @@ -57,26 +56,20 @@ Example - Verify a signature on an OCI artifact identified by a tag (Notation w func runVerify(command *cobra.Command, opts *verifyOpts) error { // resolve the given reference and set the digest - desc, ref, isTag, err := resolveReference(command, opts) + ref, err := resolveReference(command, opts) if err != nil { return err } - digestRef := ref - if isTag { - // Resolve tag to digest reference - digestRef.Reference = desc.Digest.String() - } - // initialize verifier verifier, err := verifier.NewFromConfig() if err != nil { return err } - authClient, plainHTTP, _ := getAuthClient(&opts.SecureFlagOpts, digestRef) + authClient, plainHTTP, _ := getAuthClient(&opts.SecureFlagOpts, ref) remoteRepo := remote.Repository{ Client: authClient, - Reference: digestRef, + Reference: ref, PlainHTTP: plainHTTP, } repo := notationRegistry.NewRepository(&remoteRepo) 
@@ -87,9 +80,8 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { return err } - // always pass digest reference to RemoteVerifyOptions verifyOpts := notation.RemoteVerifyOptions{ - ArtifactReference: digestRef.String(), + ArtifactReference: ref.String(), PluginConfig: configs, // TODO: need to change MaxSignatureAttempts as a user input flag or // a field in config.json @@ -102,7 +94,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { // write out // on failure if err != nil || len(outcomes) == 0 { - return fmt.Errorf("signature verification failed for all the signatures associated with %s/%s@%s", ref.Registry, ref.Repository, ref.Reference) + return fmt.Errorf("signature verification failed for all the signatures associated with %s", ref.String()) } // on success 
@@ -115,30 +107,29 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { fmt.Printf("warning: %v was set to \"logged\" and failed with error: %v\n", result.Type, result.Error) } } - if isTag { - fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, desc.Digest.String()) - fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable") - } fmt.Println("Successfully verified signature for", ref.String()) return nil } -func resolveReference(command *cobra.Command, opts *verifyOpts) (ocispec.Descriptor, registry.Reference, bool, error) { +func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) { ref, err := registry.ParseReference(opts.reference) if err != nil { - return ocispec.Descriptor{}, registry.Reference{}, false, err + return registry.Reference{}, err } // reference is a digest reference if ref.ValidateReferenceAsDigest() == nil { - return ocispec.Descriptor{}, ref, false, nil + return ref, nil } - // get manifest descriptor + // resolve tag to digest reference manifestDesc, _, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) if err != nil { - return ocispec.Descriptor{}, registry.Reference{}, true, err + return registry.Reference{}, err } + fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String()) + fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.") + ref.Reference = manifestDesc.Digest.String() - return manifestDesc, ref, true, nil + return ref, nil } From 89d544c5f3bf78d5f584df299c971b59983a358d Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Sat, 3 Dec 2022 09:20:27 +0800 Subject: [PATCH 14/19] updated per code review 
Signed-off-by: Patrick Zheng --- cmd/notation/list.go | 6 +++--- cmd/notation/manifest.go | 3 ++- cmd/notation/registry.go | 8 ++++---- cmd/notation/sign.go | 2 +- cmd/notation/verify.go | 8 ++++---- 5 files changed, 14 insertions(+), 13 deletions(-) diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 8ebc514a1..45085817e 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -5,7 +5,7 @@ import ( "errors" "fmt" - notationRegistry "github.com/notaryproject/notation-go/registry" + notationregistry "github.com/notaryproject/notation-go/registry" "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" @@ -61,7 +61,7 @@ func runList(command *cobra.Command, opts *listOpts) error { // printSignatureManifestDigests returns the signature manifest digests of // the subject manifest. -func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Digest, sigRepo notationRegistry.Repository, reference string) error { +func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Digest, sigRepo notationregistry.Repository, reference string) error { // prepare title ref, err := registry.ParseReference(reference) if err != nil { @@ -72,7 +72,7 @@ func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Di printTitle := func() { if !titlePrinted { fmt.Println(ref) - fmt.Printf("└── %s\n", notationRegistry.ArtifactTypeNotation) + fmt.Printf("└── %s\n", notationregistry.ArtifactTypeNotation) titlePrinted = true } } diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index ddc55b838..90aeab420 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go 
@@ -25,7 +25,8 @@ func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpt if err != nil { return ocispec.Descriptor{}, registry.Reference{}, err } - manifestDesc, err := repo.Resolve(ctx, ref.ReferenceOrDefault()) + ref.Reference = ref.ReferenceOrDefault() + manifestDesc, err := repo.Resolve(ctx, ref.Reference) if err != nil { return ocispec.Descriptor{}, registry.Reference{}, err } diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index 884627e1c..da37e2288 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go @@ -5,7 +5,7 @@ import ( "errors" "net" - notationRegistry "github.com/notaryproject/notation-go/registry" + notationregistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation/internal/version" loginauth "github.com/notaryproject/notation/pkg/auth" "github.com/notaryproject/notation/pkg/configutil" @@ -14,7 +14,7 @@ import ( "oras.land/oras-go/v2/registry/remote/auth" ) -func getSignatureRepository(opts *SecureFlagOpts, reference string) (notationRegistry.Repository, error) { +func getSignatureRepository(opts *SecureFlagOpts, reference string) (notationregistry.Repository, error) { ref, err := registry.ParseReference(reference) if err != nil { return nil, err @@ -35,7 +35,7 @@ func getRegistryClient(opts *SecureFlagOpts, serverAddress string) (*remote.Regi return reg, nil } -func getRepositoryClient(opts *SecureFlagOpts, ref registry.Reference) (notationRegistry.Repository, error) { +func getRepositoryClient(opts *SecureFlagOpts, ref registry.Reference) (notationregistry.Repository, error) { authClient, plainHTTP, err := getAuthClient(opts, ref) if err != nil { return nil, err 
@@ -46,7 +46,7 @@ func getRepositoryClient(opts *SecureFlagOpts, ref registry.Reference) (notation PlainHTTP: plainHTTP, } - return notationRegistry.NewRepository(repo), nil + return notationregistry.NewRepository(repo), nil } func getAuthClient(opts *SecureFlagOpts, ref registry.Reference) (*auth.Client, bool, error) { diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 00b7e34a4..e58340d54 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -88,7 +88,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } // write out - fmt.Println("Successfully signed", ref.String()) + fmt.Println("Successfully signed", ref) return nil } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 6bb91eea7..2a6c455ca 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -6,7 +6,7 @@ import ( "math" "github.com/notaryproject/notation-go" - notationRegistry "github.com/notaryproject/notation-go/registry" + notationregistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/verifier" "github.com/notaryproject/notation/internal/cmd" @@ -72,7 +72,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { Reference: ref, PlainHTTP: plainHTTP, } - repo := notationRegistry.NewRepository(&remoteRepo) + repo := notationregistry.NewRepository(&remoteRepo) // set up verification plugin config configs, err := cmd.ParseFlagPluginConfig(opts.pluginConfig) @@ -104,7 +104,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { if result.Error != nil { // at this point, the verification action has to be logged and // it's failed - fmt.Printf("warning: %v was set to \"logged\" and failed with error: %v\n", result.Type, result.Error) + fmt.Printf("Warning: %v was set to \"logged\" and failed with error: %v\n", result.Type, result.Error) } } fmt.Println("Successfully verified signature for", ref.String()) 
@@ -123,7 +123,7 @@ func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Refere } // resolve tag to digest reference - manifestDesc, _, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) + manifestDesc, ref, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) if err != nil { return registry.Reference{}, err } From 77a9187215885a79114d8077f07a847f097a2b4f Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 5 Dec 2022 10:41:32 +0800 Subject: [PATCH 15/19] return err if reference is missing digest or tag Signed-off-by: Patrick Zheng --- cmd/notation/manifest.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index 90aeab420..5e79eaec2 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go @@ -21,11 +21,14 @@ func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpt if err != nil { return ocispec.Descriptor{}, registry.Reference{}, err } + if ref.Reference == "" { + return ocispec.Descriptor{}, registry.Reference{}, errors.New("reference is missing digest or tag") + } repo, err := getRepositoryClient(opts, ref) if err != nil { return ocispec.Descriptor{}, registry.Reference{}, err } - ref.Reference = ref.ReferenceOrDefault() + manifestDesc, err := repo.Resolve(ctx, ref.Reference) if err != nil { return ocispec.Descriptor{}, registry.Reference{}, err From 17c27517fa0e7a96ce7c7cd884e5774087eb7a1b Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 5 Dec 2022 11:44:07 +0800 Subject: [PATCH 16/19] updated per code review Signed-off-by: Patrick Zheng --- cmd/notation/list.go | 2 +- cmd/notation/manifest.go | 13 +++++-------- cmd/notation/sign.go | 4 ++-- cmd/notation/verify.go | 11 ++++------- 4 files changed, 12 insertions(+), 18 deletions(-) diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 45085817e..001994c2f 100644 
--- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -50,7 +50,7 @@ func runList(command *cobra.Command, opts *listOpts) error { } // core process - manifestDesc, _, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, reference) + manifestDesc, _, err := getManifestDescriptor(command.Context(), &opts.SecureFlagOpts, reference) if err != nil { return err } diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go index 5e79eaec2..d9fe26f68 100644 --- a/cmd/notation/manifest.go +++ b/cmd/notation/manifest.go @@ -8,15 +8,12 @@ import ( "oras.land/oras-go/v2/registry" ) -func getManifestDescriptorFromContext(ctx context.Context, opts *SecureFlagOpts, ref string) (ocispec.Descriptor, registry.Reference, error) { - if ref == "" { +// getManifestDescriptor returns target artifact manifest descriptor and +// registry.Reference given user input reference. +func getManifestDescriptor(ctx context.Context, opts *SecureFlagOpts, reference string) (ocispec.Descriptor, registry.Reference, error) { + if reference == "" { return ocispec.Descriptor{}, registry.Reference{}, errors.New("missing reference") } - - return getManifestDescriptorFromReference(ctx, opts, ref) -} - -func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpts, reference string) (ocispec.Descriptor, registry.Reference, error) { ref, err := registry.ParseReference(reference) if err != nil { return ocispec.Descriptor{}, registry.Reference{}, err @@ -33,5 +30,5 @@ func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpt if err != nil { return ocispec.Descriptor{}, registry.Reference{}, err } - return manifestDesc, ref, err + return manifestDesc, ref, nil } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index e58340d54..04465fa23 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -94,7 +94,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.SignOptions, registry.Reference, error) { - manifestDesc, ref, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference) + manifestDesc, ref, err := getManifestDescriptor(ctx, &opts.SecureFlagOpts, opts.reference) if err != nil { return notation.SignOptions{}, registry.Reference{}, err } @@ -106,7 +106,7 @@ func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.SignOp if err != nil { return notation.SignOptions{}, registry.Reference{}, err } - if ref.ValidateReferenceAsDigest() != nil { + if err := ref.ValidateReferenceAsDigest(); err != nil { // reference is not a digest reference fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference) fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, manifestDesc.Digest.String()) diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 2a6c455ca..9852fb627 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go 
@@ -112,23 +112,20 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { } func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) { - ref, err := registry.ParseReference(opts.reference) + manifestDesc, ref, err := getManifestDescriptor(command.Context(), &opts.SecureFlagOpts, opts.reference) if err != nil { return registry.Reference{}, err } // reference is a digest reference - if ref.ValidateReferenceAsDigest() == nil { + if err := ref.ValidateReferenceAsDigest(); err == nil { return ref, nil } - // resolve tag to digest reference - manifestDesc, ref, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference) - if err != nil { - return registry.Reference{}, err - } + // reference is a tag reference fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String()) fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.") + // resolve tag to digest reference ref.Reference = manifestDesc.Digest.String() return ref, nil From a2b946750cdf87e1a16559ffdc0dd093e045485c Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 5 Dec 2022 13:19:05 +0800 Subject: [PATCH 17/19] updated per code review Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 15 ++++++--------- cmd/notation/verify.go | 14 +++++++++----- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 04465fa23..5336c6333 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -9,6 +9,7 @@ import ( "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" "oras.land/oras-go/v2/registry" ) 
@@ -94,10 +95,14 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { } func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.SignOptions, registry.Reference, error) { - manifestDesc, ref, err := getManifestDescriptor(ctx, &opts.SecureFlagOpts, opts.reference) + ref, err := resolveReference(ctx, &opts.SecureFlagOpts, opts.reference, func(ref registry.Reference, manifestDesc ocispec.Descriptor) { + fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference) + fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, manifestDesc.Digest.String()) + }) if err != nil { return notation.SignOptions{}, registry.Reference{}, err } + mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat) if err != nil { return notation.SignOptions{}, registry.Reference{}, err @@ -106,14 +111,6 @@ func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.SignOp if err != nil { return notation.SignOptions{}, registry.Reference{}, err } - if err := ref.ValidateReferenceAsDigest(); err != nil { - // reference is not a digest reference - fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference) - fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, manifestDesc.Digest.String()) - - // resolve tag to digest reference - ref.Reference = manifestDesc.Digest.String() - } signOpts := notation.SignOptions{ ArtifactReference: ref.String(), diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 9852fb627..f8cbc2a4a 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go 
@@ -1,6 +1,7 @@ package main import ( + "context" "errors" "fmt" "math" @@ -9,6 +10,7 @@ import ( notationregistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/verifier" "github.com/notaryproject/notation/internal/cmd" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" "oras.land/oras-go/v2/registry" @@ -56,7 +58,10 @@ Example - Verify a signature on an OCI artifact identified by a tag (Notation w func runVerify(command *cobra.Command, opts *verifyOpts) error { // resolve the given reference and set the digest - ref, err := resolveReference(command, opts) + ref, err := resolveReference(command.Context(), &opts.SecureFlagOpts, opts.reference, func(ref registry.Reference, manifestDesc ocispec.Descriptor) { + fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String()) + fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.") + }) if err != nil { return err } @@ -111,8 +116,8 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { return nil } -func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) { - manifestDesc, ref, err := getManifestDescriptor(command.Context(), &opts.SecureFlagOpts, opts.reference) +func resolveReference(ctx context.Context, opts *SecureFlagOpts, reference string, fn func(registry.Reference, ocispec.Descriptor)) (registry.Reference, error) { + manifestDesc, ref, err := getManifestDescriptor(ctx, opts, reference) if err != nil { return registry.Reference{}, err } 
@@ -123,8 +128,7 @@ func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Refere } // reference is a tag reference - fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String()) - fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.") + fn(ref, manifestDesc) // resolve tag to digest reference ref.Reference = manifestDesc.Digest.String() From c28e2abb5592ef72023589a65c982f6d4b6400cc Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 5 Dec 2022 13:26:24 +0800 Subject: [PATCH 18/19] updated dependencies Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9517dc154..2f7a21808 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f github.com/docker/docker-credential-helpers v0.7.0 github.com/notaryproject/notation-core-go v0.2.0-beta.1.0.20221123104522-9b5de089a023 - github.com/notaryproject/notation-go v0.12.0-beta.1.0.20221202040523-bc022cc61d50 + github.com/notaryproject/notation-go v0.12.0-beta.1.0.20221205052202-e9545a718368 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc2 github.com/spf13/cobra v1.6.1 diff --git a/go.sum b/go.sum index 80bc38f57..f736ce582 100644 --- a/go.sum +++ b/go.sum 
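Review bot: `resolveReference` now calls `fn(ref, manifestDesc)` unconditionally on the tag path, so a caller that passes nil panics, and the function has no doc comment saying when the callback runs. Both callers in this commit pass a closure, but the helper is now shared by sign and verify; guard the call with `if fn != nil { fn(ref, manifestDesc) }`. Add a comment above the signature such as `// resolveReference resolves reference to a digest reference; for a tag reference fn is called with the tag reference and the resolved descriptor before the rewrite.` The function starts in the previous hunk and its body is only partly shown.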
@@ -21,8 +21,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/notaryproject/notation-core-go v0.2.0-beta.1.0.20221123104522-9b5de089a023 h1:Z/2hxPJOjWfmgOPTNkGBDp/LVIEtizd9uJNQvjFE0Dc= github.com/notaryproject/notation-core-go v0.2.0-beta.1.0.20221123104522-9b5de089a023/go.mod h1:n8Gbvl9sKa00KptkKEL5XKUyMTIALe74QipKauE2rj4= -github.com/notaryproject/notation-go v0.12.0-beta.1.0.20221202040523-bc022cc61d50 h1:1i9PCRE6fLzYDxAE2HjDvXD1+U+5z25bWWwJOV2mk78= -github.com/notaryproject/notation-go v0.12.0-beta.1.0.20221202040523-bc022cc61d50/go.mod h1:2Xy40C9rJip3h9XPC6ei2HEEdUoZJ5KDC6mlX/FD0oQ= +github.com/notaryproject/notation-go v0.12.0-beta.1.0.20221205052202-e9545a718368 h1:OIrolpRY9PpFeWPtMPEOKNdYf+2TI13XY6gmmkJc+JY= +github.com/notaryproject/notation-go v0.12.0-beta.1.0.20221205052202-e9545a718368/go.mod h1:2Xy40C9rJip3h9XPC6ei2HEEdUoZJ5KDC6mlX/FD0oQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034= From e21c8ee880ce66cf8fbd5d2154278ec082688b16 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 5 Dec 2022 13:31:50 +0800 Subject: [PATCH 19/19] update Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 1 - 1 file changed, 1 deletion(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 5336c6333..9331ab395 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -90,7 +90,6 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { // write out fmt.Println("Successfully signed", ref) - return nil }