Notation CLI baseline

.editorconfig

@@ -0,0 +1,22 @@
+root = true
+
+[*]
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+end_of_line = lf
+indent_style = space
+indent_size = 2
+tab_width = 2
+
+[*.go]
+indent_size = 4
+tab_width = 4
+indent_style = tab
+# required for multiline strings in test cases
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_size = 4
+tab_width = 4
+indent_style = tab

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: true
 contact_links:
   - name: Ask a question
-    url: https://github.com/notaryproject/nv2/discussions
+    url: https://github.com/notaryproject/notation/discussions
     about: Ask questions and discuss with other community members

.github/dependabot.yml

@@ -0,0 +1,18 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yml

@@ -0,0 +1,34 @@
+name: build
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  build:
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
+    name: Continuous Integration
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        go-version: [1.17]
+      fail-fast: true
+    steps:
+      - name: Set up Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        id: go-mod-cache
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Get dependencies
+        run: make download
+      - name: Build
+        run: make build

.github/workflows/release-github.yml

@@ -0,0 +1,30 @@
+name: release-github
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  build:
+    name: Release Notation Binaries
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        go-version: [1.17]
+      fail-fast: true
+    steps:
+      - name: Set up Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_USER_TOKEN }}

.gitignore

@@ -0,0 +1,6 @@
+# VS Code
+.vscode
+
+# Custom
+bin/
+vendor/

.goreleaser.yml

@@ -0,0 +1,61 @@
+builds:
+  - main: ./cmd/notation
+    id: notation
+    binary: notation
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w -X {{.ModulePath}}/internal/version.Version={{.Version}} -X {{.ModulePath}}/internal/version.BuildMetadata=
+  - main: ./cmd/docker-notation
+    id: docker-notation
+    binary: docker-notation
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w -X {{.ModulePath}}/internal/version.Version={{.Version}} -X {{.ModulePath}}/internal/version.BuildMetadata=
+  - main: ./cmd/docker-generate
+    id: docker-generate
+    binary: docker-generate
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w
+archives:
+  - format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - LICENSE
+release:
+  prerelease: auto

Makefile

@@ -0,0 +1,63 @@
+MODULE         = github.com/notaryproject/notation
+DOCKER_PLUGINS = docker-generate docker-notation
+COMMANDS       = notation $(DOCKER_PLUGINS)
+GIT_TAG        = $(shell git describe --tags --abbrev=0 --exact-match 2>/dev/null)
+BUILD_METADATA =
+ifeq ($(GIT_TAG),) # unreleased build
+    GIT_COMMIT     = $(shell git rev-parse HEAD)
+    GIT_STATUS     = $(shell test -n "`git status --porcelain`" && echo "dirty" || echo "unreleased")
+	BUILD_METADATA = $(GIT_COMMIT).$(GIT_STATUS)
+endif
+LDFLAGS        = -X $(MODULE)/internal/version.BuildMetadata=$(BUILD_METADATA)
+GO_BUILD_FLAGS = --ldflags="$(LDFLAGS)"
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-25s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: all
+all: build
+
+.PHONY: FORCE
+FORCE:
+
+bin/%: cmd/% FORCE
+	go build $(GO_BUILD_FLAGS) -o $@ ./$<
+
+.PHONY: download
+download: ## download dependencies via go mod
+	go mod download
+
+.PHONY: build
+build: $(addprefix bin/,$(COMMANDS)) ## builds binaries
+
+.PHONY: clean
+clean:
+	git status --ignored --short | grep '^!! ' | sed 's/!! //' | xargs rm -rf
+
+.PHONY: check-line-endings
+check-line-endings: ## check line endings
+	! find cmd pkg internal -name "*.go" -type f -exec file "{}" ";" | grep CRLF
+
+.PHONY: fix-line-endings
+fix-line-endings: ## fix line endings
+	find cmd pkg internal -type f -name "*.go" -exec sed -i -e "s/\r//g" {} +
+
+.PHONY: vendor
+vendor: ## vendores the go modules
+	GO111MODULE=on go mod vendor
+
+.PHONY: install
+install: install-notation install-docker-plugins ## install the notation cli and docker plugins
+
+.PHONY: install-notation
+install-notation: bin/notation ## installs the notation cli
+	cp $< ~/bin/
+
+.PHONY: install-docker-%
+install-docker-%: bin/docker-%
+	cp $< ~/.docker/cli-plugins/
+
+.PHONY: install-docker-plugins
+install-docker-plugins: $(addprefix install-,$(DOCKER_PLUGINS)) ## installs the docker plugins
+	cp $(addprefix bin/,$(DOCKER_PLUGINS)) ~/.docker/cli-plugins/

building.md

@@ -0,0 +1,33 @@
+# Building Notation
+
+The notation repo contains the following:
+
+- `notation` - A CLI for signing and verifying artifacts with Notation
+- `docker-generate` - Extends docker with `docker generate` to create locally persisted manifest for signing, without having to push to a registry.
+- `docker-notation` - Extends docker with `docker notation` to enable, sign and verify Notation signatures.
+
+Building above binaries require [golang](https://golang.org/dl/) with version `>= 1.17`.
+
+## Windows with WSL
+
+- Build the binaries, installing them to:
+  - `~/bin/notation`
+  - `~/.docker/cli-plugins/docker-generate`
+  - `~/.docker/cli-plugins/docker-notation`
+  ```sh
+  git clone https://github.com/notaryproject/notation.git
+  cd notation
+  make install
+  ```
+- Verify binaries are installed
+  ```sh
+  docker --help
+  # look for 
+  Management Commands:
+    generate*   Generate artifacts (CNCF Notary Project, 0.1.0)
+    notation*   Manage signatures on Docker images (CNCF Notary Project, 0.5.3-alpha)
+
+  which notation
+  # output
+  /home/<user>/bin/notation
+  ```

cmd/docker-generate/generate.go

@@ -0,0 +1,12 @@
+package main
+
+import (
+	"github.com/urfave/cli/v2"
+)
+
+var generateCommand = &cli.Command{
+	Name: "generate",
+	Subcommands: []*cli.Command{
+		manifestCommand,
+	},
+}

cmd/docker-generate/main.go

@@ -0,0 +1,21 @@
+package main
+
+import (
+	"log"
+	"os"
+
+	"github.com/urfave/cli/v2"
+)
+
+func main() {
+	app := &cli.App{
+		Name: "docker",
+		Commands: []*cli.Command{
+			generateCommand,
+			metadataCommand,
+		},
+	}
+	if err := app.Run(os.Args); err != nil {
+		log.Fatal(err)
+	}
+}

cmd/docker-generate/manifest.go

@@ -0,0 +1,66 @@
+package main
+
+import (
+	"io"
+	"os"
+	"os/exec"
+
+	"github.com/notaryproject/notation/pkg/docker"
+	"github.com/urfave/cli/v2"
+)
+
+var manifestCommand = &cli.Command{
+	Name:      "manifest",
+	Usage:     "generates the manifest of a docker image",
+	ArgsUsage: "[<reference>]",
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:    "output",
+			Aliases: []string{"o"},
+			Usage:   "write to a file instead of stdout",
+		},
+	},
+	Action: generateManifest,
+}
+
+func generateManifest(ctx *cli.Context) error {
+	var reader io.Reader
+	if reference := ctx.Args().First(); reference != "" {
+		cmd := exec.Command("docker", "save", reference)
+		cmd.Stderr = os.Stderr
+		stdout, err := cmd.StdoutPipe()
+		if err != nil {
+			return err
+		}
+		reader = stdout
+		if err := cmd.Start(); err != nil {
+			return err
+		}
+	} else {
+		reader = os.Stdin
+	}
+
+	var writer io.Writer
+	if output := ctx.String("output"); output != "" {
+		file, err := os.Create(output)
+		if err != nil {
+			return err
+		}
+		defer file.Close()
+		writer = file
+	} else {
+		writer = os.Stdout
+	}
+
+	manifest, err := docker.GenerateSchema2FromDockerSave(reader)
+	if err != nil {
+		return err
+	}
+	_, payload, err := manifest.Payload()
+	if err != nil {
+		return err
+	}
+
+	_, err = writer.Write(payload)
+	return err
+}