doc: creating the spec for inspect command #490
vaninrao10 wants to merge 0 commits into notaryproject:main from
9b49985 to 629a9fe
yizha1 left a comment
Thanks @vaninrao10. My main concern is the human readable form of attributes; the current proposal doesn't seem to fit into the tree view.
specs/commandline/inspect.md
Outdated
| ## Outline | ||
|
|
||
| ```text | ||
| Inspect artifacts and display the details of the signatures for all the listed signatures and its associated certificate properties. |
Inspect all the signatures associated with the signed artifact.
specs/commandline/inspect.md
Outdated
| -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) | ||
| --plain-http registry access via plain HTTP | ||
| -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) | ||
| -o, --output on command line sets the output to json |
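Review bot: The `--plain-http` line in this hunk does not say that the `-u`/`-p` credentials listed next to it would then be sent to the registry without TLS. Suggest help text along the lines of "registry access via plain HTTP (credentials are sent unencrypted)", and keeping the `$NOTATION_PASSWORD` default visible so the password does not have to be typed as a flag value.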
-o flag should be placed before -p flag.
-o, --output string output format, options: "json"
Do we need the -o flag with the inspect command? Are we expecting the inspect command to be invoked programmatically? If so, we will also need to define the output format for json output.
specs/commandline/inspect.md
Outdated
| Flags: | ||
| -h, --help for describing the signature | ||
| -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) | ||
| --plain-http registry access via plain HTTP |
The indentation is not correct. Should be aligned with --password.
specs/commandline/inspect.md
Outdated
| Usage: | ||
| notation inspect [flags] <reference> | ||
|
|
||
| Aliases: |
we can remove Aliases if no alias is available.
specs/commandline/inspect.md
Outdated
| └── application/vnd.cncf.notary.signature | ||
| ├── sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | ||
| ├──"Protected Attributes": | ||
| { |
The indentation doesn't look right. The attributes were displayed in json format, however the whole tree view is in human readable form. It's a mix of two types of formats. We may need a new human readable form for attributes.
I would say instead of json use the indentation/format we are using for other commands
Besides, it is used to compare the signed payload against the descriptor of the remote artifact for troubleshooting purposes.
specs/commandline/inspect.md
Outdated
| ├──<digest_of_signature_manifest> | ||
| ├──<Protected Attributes...> | ||
| ├──<UnProtected Attributes...> | ||
| ├──<Cert Properties...> |
I would just call it certificates
| ├──<Cert Properties...> | |
| ├──<certificates> |
Codecov Report
@@ Coverage Diff @@
## main #490 +/- ##
=======================================
Coverage 29.57% 29.57%
=======================================
Files 26 26
Lines 1515 1515
=======================================
Hits 448 448
Misses 1050 1050
Partials 17 17
specs/commandline/inspect.md
Outdated
| ├──<signed attributes> | ||
| ├──<unsigned attributes> | ||
| ├──<certificates> | ||
| ├──<payload> |
specs/commandline/inspect.md
Outdated
| ├──<user-defined attributes> | ||
| ├──<unsigned Attributes> | ||
| ├──<certificates> | ||
| ├──<payload> |
| ├──<payload> | |
| └──<payload> |
Similar changes for other outputs
DCO check is failing
3e9fa2d to 59aa23d
Took care of it.
This has been taken care of in the inspect spec for the human readable format in the output examples.
LGTM
f5165b9 to b283e24
LGTM
specs/commandline/inspect.md
Outdated
|
|
||
| Use `notation inspect` command to inspect or describe all the signatures associated to a signed artifact (image) in a human readable format. | ||
|
|
||
| Upon successful execution,the digest of the signed artifact and details of all the signatures associated with artifact and its respective certificate properties are displayed as following: |
and its respective to "their respective certificate"
specs/commandline/inspect.md
Outdated
| localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 | ||
| └── application/vnd.cncf.notary.signature | ||
| ├── sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | ||
| ├──"Protected Attributes": |
As I recollect, the idea was to include even the image digest, signature artifact type, digest of signature and protected attribute inside the JSON formatting.
specs/commandline/inspect.md
Outdated
| { | ||
| "SHA1 Thumbprint":"2f1cc5b8455381cdefac83b4bd305b789cc9c16e" | ||
| } | ||
| └── sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb |
Same comment as above. As I recollect, one of the feedback items was to enclose everything inside JSON formatting.
specs/commandline/inspect.md
Outdated
| } | ||
| "Certificate Properties": | ||
| { | ||
| "SHA1 Thumbprint":"2f1rr5b8455381frdajc83b4bd305b743cc9513u" |
Suggest using a different name like "Certificate Thumbprint 1", "Certificate Thumbprint 2".
specs/commandline/inspect.md
Outdated
| ├──expiry: 2022-10-06T07:01:20Z | ||
| ├──verification plugin: com.example.nv2plugin //extended attributes used by Notary v2 to support plugins | ||
| ├──user-defined attributes: | ||
| ├──io.wabbit-networks.buildId: 123 //Notary v2 payload annotations is shown here has user defined metadata. |
| ├──io.wabbit-networks.buildId: 123 //Notary v2 payload annotations is shown here has user defined metadata. | |
| ├──io.wabbit-networks.buildId: 123 //user-defined payload annotations |
specs/commandline/inspect.md
Outdated
| ├──<digest_of_signature_manifest> | ||
| ├──<signed attributes> | ||
| ├──<user-defined attributes> | ||
| ├──<unsigned Attributes> |
| ├──<unsigned Attributes> | |
| ├──<unsigned attributes> |
FeynmanZhou left a comment
@vaninrao10 Please see my comments above. Thanks!
yizha1 left a comment
Thanks @vaninrao10, the latest version looks much better. Exciting. New comments were provided.
2e3c130 to 469ea15
2aeb76f to ae544e4
specs/commandline/inspect.md
Outdated
| <registry>/<repository>@<digest> | ||
| └──application/vnd.cncf.notary.signature | ||
| ├──<digest_of_signature_manifest> | ||
| ├──<signing algorithm> | ||
| ├──<signed attributes> | ||
| ├──<user-defined attributes> | ||
| ├──<unsigned attributes> | ||
| ├──<certificates> | ||
| └──<payload> | ||
| ├──<digest_of_signature_manifest> | ||
| ├──<signing algorithm> | ||
| ├──<signed attributes> | ||
| ├──<unsigned attributes> | ||
| ├──<certificates> | ||
| └──<payload> |
| <registry>/<repository>@<digest> | |
| └──application/vnd.cncf.notary.signature | |
| ├──<digest_of_signature_manifest> | |
| ├──<signing algorithm> | |
| ├──<signed attributes> | |
| ├──<user-defined attributes> | |
| ├──<unsigned attributes> | |
| ├──<certificates> | |
| └──<payload> | |
| ├──<digest_of_signature_manifest> | |
| ├──<signing algorithm> | |
| ├──<signed attributes> | |
| ├──<unsigned attributes> | |
| ├──<certificates> | |
| └──<payload> | |
| <registry>/<repository>@<digest> | |
| └── application/vnd.cncf.notary.signature | |
| ├── <digest_of_signature_manifest> | |
| │ ├── <signing algorithm> | |
| │ ├── <signed attributes> | |
| │ ├── <user-defined attributes> | |
| │ ├── <unsigned attributes> | |
| │ ├── <certificates> | |
| │ └── <payload> | |
| └── <digest_of_signature_manifest> | |
| ├── <signing algorithm> | |
| ├── <signed attributes> | |
| ├── <unsigned attributes> | |
| ├── <certificates> | |
| └── <payload> |
Similar format should be applied to the examples.
specs/commandline/inspect.md
Outdated
| ├──certificates: | ||
| ├──SHA1 fingerprint: 2f1cc5b8455381cdefac83b4bd305b789cc9c16e | ||
| ├──Issued to: Microsoft Root Certificate Authority 2010 | ||
| ├──Issued by: Microsoft Root Certificate Authority 2010 |
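Review bot: The `SHA1 fingerprint` line identifies the certificate by a SHA-1 digest, which is a weak basis for matching a certificate against a trust store; suggest printing a SHA-256 fingerprint instead of, or alongside, it. The sample also has identical `Issued to` and `Issued by` values, so it depicts a self-signed root rather than a signing certificate; an example built around a leaf certificate would be clearer.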
Should this sub tree print a cert chain instead of a single cert?
specs/commandline/inspect.md
Outdated
| ├──SHA1 fingerprint: 2f1cc5b8455381cdefac83b4bd305b789cc9c16e | ||
| ├──Issued to: Microsoft Root Certificate Authority 2010 | ||
| ├──Issued by: Microsoft Root Certificate Authority 2010 |
Valid time range is also an important field.
specs/commandline/inspect.md
Outdated
| ├──SHA1 fingerprint: 2f1cc5b8455381cdefac83b4bd305b789cc9c16e | ||
| ├──Issued to: Microsoft Root Certificate Authority 2010 | ||
| ├──Issued by: Microsoft Root Certificate Authority 2010 | ||
| ├──payload: //descriptor of the target artifact manifest that is signed. |
Instead of payload, should it be called subject or target artifact?
specs/commandline/inspect.md
Outdated
| "signingScheme": "notary.default.x509", | ||
| "signingTime": "2022-04-06T07:01:20Z", | ||
| "expiry": "2022-10-06T07:01:20Z", | ||
| "verification plugin": "com.example.nv2plugin" |
Should it be verificationPlugin?
field names should be consistent across the json view.
@priteshbandi @vaninrao10 @FeynmanZhou @shizhMSFT I don't see any big issues for this PR, just the flag name whether it is called -o, --output, since we also plan to introduce this kind of flag to other CLI commands, it's better we can decide now. See comments #490 (comment)
specs/commandline/inspect.md
Outdated
|
|
||
| Flags: | ||
| -h, --help for describing the signature | ||
| -o, --output on command line sets the output to json |
Since we need to add this kind of output flag for other notation cli commands, and it is on the user interface, it's better we can align what is the best solution for our users. Here are 3 options so far:
- `-o, --output json`
- `--display {tree, json}` by default tree
- `--json` (an example in https://clig.dev/#output)
Any other options? Let's vote.
@vaninrao10 please fix the DCO issues.
shizhMSFT left a comment
The DCO check is failing. Could you sign off all the commits?
81f0578 to ebf16d6
ebf16d6 to c736231
Signed-off-by: vaninrao10 <vaninrao@amazon.com>
Use Case / Scenarios: