From 9eebe9116bb17d91d6e68e0aeab6e53af5fd5111 Mon Sep 17 00:00:00 2001 From: Byron Chien Date: Tue, 3 Jan 2023 12:27:38 -0800 Subject: [PATCH 1/5] Update notation sign and verify spec for metadata Signed-off-by: Byron Chien --- specs/commandline/sign.md | 32 +++++++++++++++----- specs/commandline/verify.md | 60 +++++++++++++++++++++++++++++++++---- 2 files changed, 79 insertions(+), 13 deletions(-) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index a40bb8825..7cc5c0a45 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
@@ -29,16 +29,22 @@ Usage: notation sign [flags] Flags: - -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m - -h, --help help for sign - -k, --key string signing key name, for a key previously added to notation's key list. - -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) - --plain-http registry access via plain HTTP - --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values - --signature-format string signature envelope format, options: 'jws', 'cose' (default "jws") - -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) + -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m + -h, --help help for sign + -k, --key string signing key name, for a key previously added to notation's key list. 
+ -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) + --plain-http registry access via plain HTTP + --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values + --signature-format string signature envelope format, options: 'jws', 'cose' (default "jws") + -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) + -um, --user-metadata strings {key}={value} pairs that are added to the signature ``` +### User Metadata Restrictions +- `notation sign` must fail if metadata keys or values are not strings +- `notation sign` must fail if duplicate metadata keys are provided +- `notation sign` must fail if metadata keys conflict with reserved Notary or OCI keys + ## Usage ### Sign an OCI artifact @@ -82,6 +88,16 @@ notation sign --signature-format cose /@ notation sign /@ ``` +### Sign an OCI Artifact with user metadata + +```shell +# Prerequisites: +# A default signing key is configured using CLI "notation key" + +# sign an artifact stored in a registry and add user-metadata io.wabbit-networks.buildId=123 to the payload +notation sign /@ --user-metadata io.wabbit-networks.buildId=123 +``` + ### Sign an OCI artifact stored in a registry and specify the signature expiry duration, for example 24 hours ```shell diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index b154caac9..a3d1fa5dd 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -16,6 +16,15 @@ Warning: The resolved digest may not point to the same signed artifact, since ta Successfully verified signature for /@ ``` +The signed descriptor may have user defined metadata attached. If the signature for the OCI artifact contains any metadata, the output message is as follows: + +```text +Successfully verified signature for /@ + +User Metadata: +- : +``` + ## Outline ```text 
@@ -25,11 +34,13 @@ Usage: notation verify [flags] Flags: - -h, --help help for verify - -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) - --plain-http registry access via plain HTTP - --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values - -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) + -h, --help help for verify + -o, --output string output format, options: 'plaintext', 'json' (default: 'plaintext') + -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) + --plain-http registry access via plain HTTP + --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values + -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) + -um, --user-metadata strings {key}={value} pairs that must be present in the signature for successful verification if provided ``` ## Usage 
@@ -131,3 +142,42 @@ Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac48 Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` + +### Verify signatures on an OCI artifact with user metadata + +Use the `--user-metadata` flag to verify that provided key-value pairs are present in the payload of the valid signature. + +```shell +# Prerequisites: Signatures are stored in a registry referencing the signed OCI artifact +# Verify signatures on an OCI artifact identified by the tag and verify that io.wabbit-networks.data=foo is present in the signed payload +notation verify localhost:5000/net-monitor:v1 --user-metadata io.wabbit-networks.data=foo +``` + +An example of output messages for a successful verification: + +```text +Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification. +Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. +Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 + +User Metadata: +- io.wabbit-networks.data : foo +``` + +### Verify signatures on an OCI artifact and format output as json + +Use the `--output` flag to configure the format of signature information returned on successful verification. + +```shell +# Prerequisites: Signatures are stored in a registry referencing the signed OCI artifact +# Verify signatures on an OCI artifact identified by the tag +notation verify localhost:5000/net-monitor:v1 --output json +``` + +An example of output messages for a successful verification: + +```text +Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification. 
+Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. +{"reference":"localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9","outcome":"Success","signatures":[{"digest":"sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333","userMetadata":{"io.wabbit-networks.data":"foo"}}]} +``` \ No newline at end of file From c7c512811e57a741b9eeb312f03fa7644a7d5048 Mon Sep 17 00:00:00 2001 From: byronchien Date: Tue, 3 Jan 2023 16:15:21 -0800 Subject: [PATCH 2/5] Removes restrictions, clarifies flag description, reorders examples Signed-off-by: Byron Chien --- specs/commandline/sign.md | 5 ----- specs/commandline/verify.md | 42 ++++++++++++++++--------------------- 2 files changed, 18 insertions(+), 29 deletions(-) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 7cc5c0a45..8a0da7718 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -40,11 +40,6 @@ Flags: -um, --user-metadata strings {key}={value} pairs that are added to the signature ``` -### User Metadata Restrictions -- `notation sign` must fail if metadata keys or values are not strings -- `notation sign` must fail if duplicate metadata keys are provided -- `notation sign` must fail if metadata keys conflict with reserved Notary or OCI keys - ## Usage ### Sign an OCI artifact diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index a3d1fa5dd..b069066d3 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md 
@@ -40,7 +40,7 @@ Flags: --plain-http registry access via plain HTTP --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) - -um, --user-metadata strings {key}={value} pairs that must be present in the signature for successful verification if provided + -um, --user-metadata strings user defined {key}={value} pairs that must be present in the signature for successful verification if provided ``` ## Usage 
@@ -124,54 +124,48 @@ An example of output messages for a successful verification: Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` -### Verify signatures on an OCI artifact identified by a tag +### Verify signatures on an OCI artifact with user metadata -A tag is resolved to a digest first before verification. +Use the `--user-metadata` flag to verify that provided key-value pairs are present in the payload of the valid signature. ```shell -# Prerequisites: Signatures are stored in a registry referencing the signed OCI artifact - -# Verify signatures on an OCI artifact identified by the tag -notation verify localhost:5000/net-monitor:v1 +# Verify signatures on the supplied OCI artifact identified by the digest and verify that io.wabbit-networks.data=foo is present in the signed payload +notation verify localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 --user-metadata io.wabbit-networks.data=foo ``` An example of output messages for a successful verification: ```text -Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification. -Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 + +User Metadata: +- io.wabbit-networks.data : foo ``` -### Verify signatures on an OCI artifact with user metadata +### Verify signatures on an OCI artifact and format output as json -Use the `--user-metadata` flag to verify that provided key-value pairs are present in the payload of the valid signature. +Use the `--output` flag to configure the format of signature information returned on successful verification. 
```shell -# Prerequisites: Signatures are stored in a registry referencing the signed OCI artifact -# Verify signatures on an OCI artifact identified by the tag and verify that io.wabbit-networks.data=foo is present in the signed payload -notation verify localhost:5000/net-monitor:v1 --user-metadata io.wabbit-networks.data=foo + +# Verify signatures on the supplied OCI artifact identified by the digest and output result as json +notation verify localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 --output json ``` An example of output messages for a successful verification: ```text -Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification. -Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. -Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 - -User Metadata: -- io.wabbit-networks.data : foo +{"reference":"localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9","outcome":"Success","signatures":[{"digest":"sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333","userMetadata":{"io.wabbit-networks.data":"foo"}}]} ``` -### Verify signatures on an OCI artifact and format output as json +### Verify signatures on an OCI artifact identified by a tag -Use the `--output` flag to configure the format of signature information returned on successful verification. +A tag is resolved to a digest first before verification. ```shell # Prerequisites: Signatures are stored in a registry referencing the signed OCI artifact # Verify signatures on an OCI artifact identified by the tag -notation verify localhost:5000/net-monitor:v1 --output json +notation verify localhost:5000/net-monitor:v1 ``` An example of output messages for a successful verification: 
@@ -179,5 +173,5 @@ An example of output messages for a successful verification: ```text Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification. Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. -{"reference":"localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9","outcome":"Success","signatures":[{"digest":"sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333","userMetadata":{"io.wabbit-networks.data":"foo"}}]} +Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` \ No newline at end of file From e205408aad4d22c4d1bf73fd85d250a6ca8a1e26 Mon Sep 17 00:00:00 2001 From: Byron Chien Date: Thu, 5 Jan 2023 09:58:16 -0800 Subject: [PATCH 3/5] Adds additional output examples and updates short flag Signed-off-by: Byron Chien --- specs/commandline/sign.md | 7 ++++-- specs/commandline/verify.md | 44 ++++++++++++++++++++++++------------- 2 files changed, 34 insertions(+), 17 deletions(-) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 8a0da7718..33c19d9ec 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -37,7 +37,7 @@ Flags: --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values --signature-format string signature envelope format, options: 'jws', 'cose' (default "jws") -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) - -um, --user-metadata strings {key}={value} pairs that are added to the signature + -m, --user-metadata strings {key}={value} pairs that are added to the signature payload ``` ## Usage 
@@ -90,7 +90,10 @@ notation sign /@ # A default signing key is configured using CLI "notation key" # sign an artifact stored in a registry and add user-metadata io.wabbit-networks.buildId=123 to the payload -notation sign /@ --user-metadata io.wabbit-networks.buildId=123 +notation sign --user-metadata io.wabbit-networks.buildId=123 /@ + +# sign an artifact stored in a registry and add user-metadata io.wabbit-networks.buildId=123 and io.wabbit-networks.buildTime=1672944615 to the payload +notation sign --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=1672944615 /@ ``` ### Sign an OCI artifact stored in a registry and specify the signature expiry duration, for example 24 hours diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index b069066d3..5a1db380d 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -21,8 +21,10 @@ The signed descriptor may have user defined metadata attached. If the signature ```text Successfully verified signature for /@ -User Metadata: -- : +The artifact is signed with the following user metadata. + +KEY VALUE + ``` ## Outline 
@@ -35,12 +37,11 @@ Usage: Flags: -h, --help help for verify - -o, --output string output format, options: 'plaintext', 'json' (default: 'plaintext') -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) --plain-http registry access via plain HTTP --plugin-config strings {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) - -um, --user-metadata strings user defined {key}={value} pairs that must be present in the signature for successful verification if provided + -m, --user-metadata strings user defined {key}={value} pairs that must be present in the signature for successful verification if provided ``` ## Usage @@ -129,8 +130,8 @@ Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b993 Use the `--user-metadata` flag to verify that provided key-value pairs are present in the payload of the valid signature. ```shell -# Verify signatures on the supplied OCI artifact identified by the digest and verify that io.wabbit-networks.data=foo is present in the signed payload -notation verify localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 --user-metadata io.wabbit-networks.data=foo +# Verify signatures on the supplied OCI artifact identified by the digest and verify that io.wabbit-networks.buildId=123 is present in the signed payload +notation verify --user-metadata io.wabbit-networks.buildId=123 localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` An example of output messages for a successful verification: 
@@ -138,24 +139,37 @@ An example of output messages for a successful verification: ```text Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 -User Metadata: -- io.wabbit-networks.data : foo +The artifact is signed with the following user metadata. + +KEY VALUE +io.wabbit-networks.buildId 123 ``` -### Verify signatures on an OCI artifact and format output as json +An example of output messages for an unsuccessful verification: -Use the `--output` flag to configure the format of signature information returned on successful verification. +```text +Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 +``` -```shell +An example of output messages for an unsuccessful verification with verbose logging enabled: -# Verify signatures on the supplied OCI artifact identified by the digest and output result as json -notation verify localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 --output json +```text +INFO Checking whether signature verification should be skipped or not +INFO Check over. Trust policy is not configured to skip signature verification +INFO Processing signature with digest: sha256:dbb22c0686b714ccbb53e4579771ee0f9ab9d37cd77cadb767549322742979f3 +INFO User Metadata flag is present. Checking signature metadata for specified values. 
+Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` -An example of output messages for a successful verification: +An example of output messages for an unsuccessful verification with debug logging enabled: ```text -{"reference":"localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9","outcome":"Success","signatures":[{"digest":"sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333","userMetadata":{"io.wabbit-networks.data":"foo"}}]} +... +INFO User Metadata flag is present. Checking signature metadata for specified values. +DEBU[2023-01-05T11:35:07-08:00] Verifying that metadata { "io.wabbit-networks.buildId":"123" } is present in signature metadata. +DEBU[2023-01-05T11:35:07-08:00] Signature metadata: { "io.wabbit-networks.buildId":"321" } +DEBU[2023-01-05T11:35:07-08:00] Error: specified metadata is not present in the signature. +Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` ### Verify signatures on an OCI artifact identified by a tag From 765ca1d5ad30d90779ebaa2275f63ac3abe2b7b8 Mon Sep 17 00:00:00 2001 From: Byron Chien Date: Fri, 6 Jan 2023 14:47:41 -0800 Subject: [PATCH 4/5] Adds an error message for metadata failure Signed-off-by: Byron Chien --- specs/commandline/verify.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 5a1db380d..d930ea85c 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md 
@@ -148,6 +148,7 @@ io.wabbit-networks.buildId 123 An example of output messages for an unsuccessful verification: ```text +Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` @@ -158,6 +159,7 @@ INFO Checking whether signature verification should be skipped or not INFO Check over. Trust policy is not configured to skip signature verification INFO Processing signature with digest: sha256:dbb22c0686b714ccbb53e4579771ee0f9ab9d37cd77cadb767549322742979f3 INFO User Metadata flag is present. Checking signature metadata for specified values. +Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` @@ -169,6 +171,7 @@ INFO User Metadata flag is present. Checking signature metadata for specified va DEBU[2023-01-05T11:35:07-08:00] Verifying that metadata { "io.wabbit-networks.buildId":"123" } is present in signature metadata. DEBU[2023-01-05T11:35:07-08:00] Signature metadata: { "io.wabbit-networks.buildId":"321" } DEBU[2023-01-05T11:35:07-08:00] Error: specified metadata is not present in the signature. +Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` 
From 38d99174f13755b4b416f84d23bd2150f1c09f2d Mon Sep 17 00:00:00 2001 From: Byron Chien Date: Thu, 12 Jan 2023 11:35:12 -0800 Subject: [PATCH 5/5] Update for PR suggestions Signed-off-by: Byron Chien --- specs/commandline/verify.md | 30 +++--------------------------- 1 file changed, 3 insertions(+), 27 deletions(-) diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index d930ea85c..e0d8b930d 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -16,12 +16,12 @@ Warning: The resolved digest may not point to the same signed artifact, since ta Successfully verified signature for /@ ``` -The signed descriptor may have user defined metadata attached. If the signature for the OCI artifact contains any metadata, the output message is as follows: +A signature can have user defined metadata. If the signature for the OCI artifact contains any metadata, the output message is as follows: ```text Successfully verified signature for /@ -The artifact is signed with the following user metadata. +The artifact was signed with the following user metadata. KEY VALUE 
@@ -148,31 +148,7 @@ io.wabbit-networks.buildId 123 An example of output messages for an unsuccessful verification: ```text -Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 -Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 -``` - -An example of output messages for an unsuccessful verification with verbose logging enabled: - -```text -INFO Checking whether signature verification should be skipped or not -INFO Check over. Trust policy is not configured to skip signature verification -INFO Processing signature with digest: sha256:dbb22c0686b714ccbb53e4579771ee0f9ab9d37cd77cadb767549322742979f3 -INFO User Metadata flag is present. Checking signature metadata for specified values. -Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 -Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 -``` - -An example of output messages for an unsuccessful verification with debug logging enabled: - -```text -... -INFO User Metadata flag is present. Checking signature metadata for specified values. -DEBU[2023-01-05T11:35:07-08:00] Verifying that metadata { "io.wabbit-networks.buildId":"123" } is present in signature metadata. -DEBU[2023-01-05T11:35:07-08:00] Signature metadata: { "io.wabbit-networks.buildId":"321" } -DEBU[2023-01-05T11:35:07-08:00] Error: specified metadata is not present in the signature. 
-Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 -Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 +Error: signature verification failed: unable to find specified metadata in any signatures ``` ### Verify signatures on an OCI artifact identified by a tag
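Review bot: in PATCH 2/5, the sign.md hunk `@@ -40,11 +40,6 @@` deletes the "User Metadata Restrictions" list, and nothing later in the series says what `notation sign` does when the same key is passed twice or when a key conflicts with a reserved Notary or OCI key. Because `notation verify --user-metadata` turns these pairs into a pass/fail condition, the signing side needs a defined outcome for both cases: either keep the two "must fail" bullets or link from the flag description to wherever the rule is now specified. The `{key}={value}` syntax should also state how an argument containing more than one `=` is split.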
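Review bot: in PATCH 3/5, the verify.md flags hunk `@@ -35,12 +37,11 @@` describes `-m, --user-metadata` as pairs that "must be present in the signature" without saying how matching works when the flag is repeated or when the artifact carries several signatures. Suggest stating that every supplied pair must match, key and value exactly, within a single signature that also passes verification, so that pairs spread across different signatures cannot jointly satisfy the check. The same hunk removes `-o, --output`, which the commit subject does not mention.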
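Review bot: the success output in the verify.md hunk `@@ -138,24 +139,37 @@` of PATCH 3/5 becomes a whitespace-aligned `KEY VALUE` table at the same time as the JSON example is removed, so there is no longer an unambiguous rendering for a key or value that contains spaces or line breaks. These strings come from the signature payload and are printed directly under the "Successfully verified signature for" line, so the spec should say how they are quoted or escaped, or keep a machine-readable output for scripts to consume.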
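Review bot: the replacement error line in the verify.md hunk `@@ -148,31 +148,7 @@` of PATCH 5/5 no longer names the artifact, which every message it replaces did (each ended with "associated with" followed by the full digest reference). In a job that verifies several artifacts, `Error: signature verification failed: unable to find specified metadata in any signatures` cannot be tied to one of them from the log alone; suggest keeping the reference in the message. The hunk also drops the verbose and debug examples, which were the only place showing the requested pair next to the value found in the signature, so consider retaining the debug one.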
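Review bot: verify.md still ends with `\ No newline at end of file` after the last hunk of both PATCH 1/5 and PATCH 2/5. Add the trailing newline so that later edits appended to the file do not show the final fence line as changed.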