From e04d7cd94cd249b0ffbe4fd216ee2a7affec41e9 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 6 Dec 2023 11:06:36 +0800
Subject: [PATCH 01/80] tsa
Signed-off-by: Patrick Zheng
---
 cmd/notation/sign.go | 3 +++
 go.mod | 12 ++++++++----
 go.sum | 24 ++++++++++++------------
 3 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 5a1c5c8f7..b15a4cd14 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -43,6 +43,7 @@ type signOpts struct {
 allowReferrersAPI bool
 ociLayout bool
 inputType inputType
+ tsaServerURL string
 }

 func signCommand(opts *signOpts) *cobra.Command {
@@ -112,6 +113,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig)
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage)
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign"))
+ command.Flags().StringVar(&opts.tsaServerURL, "tsa", "", "TSA server URL")
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout")
 command.MarkFlagsMutuallyExclusive("oci-layout", "allow-referrers-api")
 experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"})
@@ -180,6 +182,7 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts, sigRepo notationreg
 SignatureMediaType: mediaType,
 ExpiryDuration: opts.expiry,
 PluginConfig: pluginConfig,
+ TSAServerURL: opts.tsaServerURL,
 },
 UserMetadata: userMetadata,
 }
diff --git a/go.mod b/go.mod
index 5bbb4c412..c38f93506 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
 github.com/spf13/pflag v1.0.5
- golang.org/x/term v0.13.0
+ golang.org/x/term v0.14.0
 oras.land/oras-go/v2 v2.3.1
 )
 
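Review bot: The `--tsa` value registered in the second hunk is copied unchecked from `StringVar` into `TSAServerURL` in the third hunk, so a malformed or scheme-less string is only rejected (if at all) deep inside the signer with whatever error the timestamp client produces, rather than at the command line. Validate it where the signing options are assembled, e.g. `if u, err := url.Parse(opts.tsaServerURL); opts.tsaServerURL != "" && (err != nil || u.Host == "") { return ..., fmt.Errorf("invalid TSA server URL %q", opts.tsaServerURL) }` (the function's return type is outside the hunk, so the first return value is left unnamed here). The new flag is also missing from the `experimental.HideFlags` list two lines below it even though the feature is backed by the replace'd fork modules introduced in this same patch; either add `"tsa"` next to `"oci-layout"` there or prefix its usage string with `[Experimental]` like the neighbouring flag. The usage text `"TSA server URL"` should say what the URL is for and that it is contacted during signing, e.g. `"[Experimental] URL of the time stamping authority (TSA) to request a timestamp from while signing"`. `signCommand` and `prepareSigningOpts` both start and end outside these hunks.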
@@ -25,8 +25,12 @@ require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- golang.org/x/crypto v0.14.0 // indirect
- golang.org/x/mod v0.13.0 // indirect
+ golang.org/x/crypto v0.15.0 // indirect
+ golang.org/x/mod v0.14.0 // indirect
 golang.org/x/sync v0.4.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
+ golang.org/x/sys v0.14.0 // indirect
 )
+
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20231204081632-05b04634606c
+
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20231204082611-ca5bba24b098
diff --git a/go.sum b/go.sum
index d30a5638e..64e9b07ed 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Two-Hearts/notation-core-go v0.0.0-20231204081632-05b04634606c h1:+T5N99gr+CIWQW7z8a0CNQWNmW0HS2rm2AbLRV8BNdo=
+github.com/Two-Hearts/notation-core-go v0.0.0-20231204081632-05b04634606c/go.mod h1:lqk34iYxJ1OpFP3r2gbBKzYIj/1pJ9p7mNULf1KjErY=
+github.com/Two-Hearts/notation-go v0.0.0-20231204082611-ca5bba24b098 h1:xRzeAZZgp9HD0aBeQVsJFvzp8FIJDobU+DkjDqGozTw=
+github.com/Two-Hearts/notation-go v0.0.0-20231204082611-ca5bba24b098/go.mod h1:siS4mkTptkL15tmRm0hPmAHXYCdefOP93mztgVmmEgM=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
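Review bot: The two `replace` directives added at the end of the go.mod hunk redirect `notation-core-go` and `notation-go` to pseudo-versions of a personal fork (`github.com/Two-Hearts/...`), so every binary built from this branch ships code that has not been through the upstream `notaryproject` review and release process, and nothing in the file marks the redirection as temporary. Add a comment on each directive stating its purpose and exit condition, e.g. `// TODO: temporary fork carrying the TSA signing changes; remove once released upstream`, so the `replace` lines cannot silently survive into a tagged release. The go.sum entries in the same patch pin the fork commits by hash, so the build is reproducible, but reviewers should confirm those commits correspond to the pending upstream changes rather than trust the pseudo-version string alone. The same point applies to the later go.mod hunks that only move the fork pseudo-versions forward (patches 02 through 09, including the `tspclient-go` replace that first appears in patch 04) and to patch 09's bump of the `notation-core-go` `require` to an upstream pseudo-version that the unversioned `replace` still overrides, so that required version does not describe the code that actually builds.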
@@ -18,10 +22,6 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/notaryproject/notation-core-go v1.0.1 h1:01doxjDERbd0vocLQrlJdusKrRLNNn50OJzp0c5I4Cw=
-github.com/notaryproject/notation-core-go v1.0.1/go.mod h1:rayl8WlKgS4YxOZgDO0iGGB4Ef515ZFZUFaZDmsPXgE=
-github.com/notaryproject/notation-go v1.0.1 h1:D3fqG3eaBKVESRySV/Tg//MyTg2Q1nTKPh/t2q9LpSw=
-github.com/notaryproject/notation-go v1.0.1/go.mod h1:VonyZsbocRQQNIDq/VPV5jKJOQwDH3gvfK4cXNpUA0U=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
@@ -51,12 +51,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
+golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
-golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -76,15 +76,15 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8=
+golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
From f249e7ab7e67e74319b01dd024861c7325699a9a Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 4 Jan 2024 15:50:57 +0800
Subject: [PATCH 02/80] update
Signed-off-by: Patrick Zheng
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 05dddcb58..0ebe1caee 100644
--- a/go.mod
+++ b/go.mod
@@ -31,6 +31,6 @@ require (
 golang.org/x/sys v0.15.0 // indirect
 )

-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20231204081632-05b04634606c
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20231228095230-f39811ad62fd

-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20231204082611-ca5bba24b098
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20231228030203-2937f6838f20
diff --git a/go.sum b/go.sum
index b7a605bc2..b3103dd11 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20231204081632-05b04634606c h1:+T5N99gr+CIWQW7z8a0CNQWNmW0HS2rm2AbLRV8BNdo=
-github.com/Two-Hearts/notation-core-go v0.0.0-20231204081632-05b04634606c/go.mod h1:lqk34iYxJ1OpFP3r2gbBKzYIj/1pJ9p7mNULf1KjErY=
-github.com/Two-Hearts/notation-go v0.0.0-20231204082611-ca5bba24b098 h1:xRzeAZZgp9HD0aBeQVsJFvzp8FIJDobU+DkjDqGozTw=
-github.com/Two-Hearts/notation-go v0.0.0-20231204082611-ca5bba24b098/go.mod h1:siS4mkTptkL15tmRm0hPmAHXYCdefOP93mztgVmmEgM=
+github.com/Two-Hearts/notation-core-go v0.0.0-20231228095230-f39811ad62fd h1:euw4ObwxBCwt9iCbzOhKRpe8RMpYL5LMMOFcSCXzwGA=
+github.com/Two-Hearts/notation-core-go v0.0.0-20231228095230-f39811ad62fd/go.mod h1:UODkkz67jE/0osUGm8vqDFvdzy10wkXj0qVCfskMoks=
+github.com/Two-Hearts/notation-go v0.0.0-20231228030203-2937f6838f20 h1:jDtFpp1CLVMXqFskurWIa0E9FE1JuCN03y1T4ygF15o=
+github.com/Two-Hearts/notation-go v0.0.0-20231228030203-2937f6838f20/go.mod h1:nG77ends1yzxQsnXmB+goZEqc5zf6gUjrUz0V8NiRRg=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
From 3cbd3e53feb32e1501e8bf321be2420b7c8027c5 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 16 Jan 2024 16:51:16 +0800
Subject: [PATCH 03/80] update
Signed-off-by: Patrick Zheng
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 0ebe1caee..260ce8971 100644
--- a/go.mod
+++ b/go.mod
@@ -31,6 +31,6 @@ require (
 golang.org/x/sys v0.15.0 // indirect
 )

-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20231228095230-f39811ad62fd
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240115065858-01e426868efb

-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20231228030203-2937f6838f20
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240115070140-b454646ffe90
diff --git a/go.sum b/go.sum
index b3103dd11..4a4d5bfbc 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20231228095230-f39811ad62fd h1:euw4ObwxBCwt9iCbzOhKRpe8RMpYL5LMMOFcSCXzwGA=
-github.com/Two-Hearts/notation-core-go v0.0.0-20231228095230-f39811ad62fd/go.mod h1:UODkkz67jE/0osUGm8vqDFvdzy10wkXj0qVCfskMoks=
-github.com/Two-Hearts/notation-go v0.0.0-20231228030203-2937f6838f20 h1:jDtFpp1CLVMXqFskurWIa0E9FE1JuCN03y1T4ygF15o=
-github.com/Two-Hearts/notation-go v0.0.0-20231228030203-2937f6838f20/go.mod h1:nG77ends1yzxQsnXmB+goZEqc5zf6gUjrUz0V8NiRRg=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240115065858-01e426868efb h1:ZMzek1iFSk+A02pgcovmWPv+sMVl4pMGg1Gi3/jhlJY=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240115065858-01e426868efb/go.mod h1:UODkkz67jE/0osUGm8vqDFvdzy10wkXj0qVCfskMoks=
+github.com/Two-Hearts/notation-go v0.0.0-20240115070140-b454646ffe90 h1:YhFwaXnYZWYkrP/FKA20nr0tCWEzQjfez2LGHFoe9bg=
+github.com/Two-Hearts/notation-go v0.0.0-20240115070140-b454646ffe90/go.mod h1:YNuljD7oFyVA8k/yAh2FmEPvGEpxSoc5LzdV316bi1c=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
From e84f407fcd48129a94c61c16b492893aec34effc Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 1 Feb 2024 12:24:29 +0800
Subject: [PATCH 04/80] update tspclient-go
Signed-off-by: Patrick Zheng
---
 go.mod | 6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index b4eb00af7..5f7c5f343 100644
--- a/go.mod
+++ b/go.mod
@@ -32,8 +32,8 @@ require (
 golang.org/x/sys v0.16.0 // indirect
 )

-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240123043947-8ad3eab6de2e
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240131082739-3e76750e7e47

-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240123044605-9cd5aafaea0c
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240131083630-ea97a99e7c3c

-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240122092120-2bc44d93e3de
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d
diff --git a/go.sum b/go.sum
index fed41e97a..9ae039579 100644
--- a/go.sum
+++ b/go.sum
@@ -1,11 +1,11 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240123043947-8ad3eab6de2e h1:Y8tQ++n4f1F7jRwIFNcbIEMkqHASU2oSRAQToJEEgWw=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240123043947-8ad3eab6de2e/go.mod h1:k7FA8ztvUYy8Cj8tkwYsYhtNentRXsA0RdZaj9cyies=
-github.com/Two-Hearts/notation-go v0.0.0-20240123044605-9cd5aafaea0c h1:VqarUMs6S40XgfvYKvKkc8n4+kgdLU7IzxP1sFtM9R8=
-github.com/Two-Hearts/notation-go v0.0.0-20240123044605-9cd5aafaea0c/go.mod h1:7slwAIiPjxPmqzOagmIG1sw1nFGWnC4+LV6X6Ksj6UQ=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240122092120-2bc44d93e3de h1:hVtfF/PdWNEO6lGPE2ljr7zgAehX6At0oao1abpvo9Q=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240122092120-2bc44d93e3de/go.mod h1:Pgt9nPf69t08eVXdxjcfxZalElbQocRuP1DGSKZDpMs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240131082739-3e76750e7e47 h1:W1nlb5g6XVdyJ46WcUnY91Ja+BCfvvgUeuZYOF1Q5VA=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240131082739-3e76750e7e47/go.mod h1:FaerqzzTnQn/bqZhph5WGhrGhFOFRDeghTvXAUG1SZA=
+github.com/Two-Hearts/notation-go v0.0.0-20240131083630-ea97a99e7c3c h1:JA6dfdys6bpapWTTv3RY7OCepd1GBtZk/QSIaKv2to8=
+github.com/Two-Hearts/notation-go v0.0.0-20240131083630-ea97a99e7c3c/go.mod h1:AUMMI4P0O95PLZdpO/alcY2en0Vzsg+zOH4OtjIOLQU=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d h1:RaFc+6Xkky04Y9DHb4BVhq9M1u3yhdoyccgDzcXwSgw=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d/go.mod h1:Pgt9nPf69t08eVXdxjcfxZalElbQocRuP1DGSKZDpMs=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
From 0e83d2f62709cbbb4e433f19c3753e2c5b9acfe0 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 1 Feb 2024 13:00:26 +0800
Subject: [PATCH 05/80] tsa
Signed-off-by: Patrick Zheng
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 5f7c5f343..48d060064 100644
--- a/go.mod
+++ b/go.mod
@@ -32,8 +32,8 @@ require (
 golang.org/x/sys v0.16.0 // indirect
 )

-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240131082739-3e76750e7e47
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240201045651-5fc45dcf1f9e

-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240131083630-ea97a99e7c3c
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240201045827-fa4eaafc7f2e

 replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d
diff --git a/go.sum b/go.sum
index 9ae039579..b02508c89 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240131082739-3e76750e7e47 h1:W1nlb5g6XVdyJ46WcUnY91Ja+BCfvvgUeuZYOF1Q5VA=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240131082739-3e76750e7e47/go.mod h1:FaerqzzTnQn/bqZhph5WGhrGhFOFRDeghTvXAUG1SZA=
-github.com/Two-Hearts/notation-go v0.0.0-20240131083630-ea97a99e7c3c h1:JA6dfdys6bpapWTTv3RY7OCepd1GBtZk/QSIaKv2to8=
-github.com/Two-Hearts/notation-go v0.0.0-20240131083630-ea97a99e7c3c/go.mod h1:AUMMI4P0O95PLZdpO/alcY2en0Vzsg+zOH4OtjIOLQU=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240201045651-5fc45dcf1f9e h1:IysWIIIVRtsKXps0UfoiPpcOoWeRVR2eau71WUmihMU=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240201045651-5fc45dcf1f9e/go.mod h1:FaerqzzTnQn/bqZhph5WGhrGhFOFRDeghTvXAUG1SZA=
+github.com/Two-Hearts/notation-go v0.0.0-20240201045827-fa4eaafc7f2e h1:JFhuM45jguL53hvIr+RhV4G23p8P7DZ6KQGJErv19ZY=
+github.com/Two-Hearts/notation-go v0.0.0-20240201045827-fa4eaafc7f2e/go.mod h1://jxcI9A3w7pdKJI5QGAdjAH3YBMhivEMktj0N/fDv8=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d h1:RaFc+6Xkky04Y9DHb4BVhq9M1u3yhdoyccgDzcXwSgw=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d/go.mod h1:Pgt9nPf69t08eVXdxjcfxZalElbQocRuP1DGSKZDpMs=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
From a45c5dc8ac83fcdeb4efc46144e01db4744c48bd Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 1 Feb 2024 13:12:58 +0800
Subject: [PATCH 06/80] update
Signed-off-by: Patrick Zheng
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 48d060064..be4428509 100644
--- a/go.mod
+++ b/go.mod
@@ -32,8 +32,8 @@ require (
 golang.org/x/sys v0.16.0 // indirect
 )

-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240201045651-5fc45dcf1f9e
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240201050938-182af1affc30

-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240201045827-fa4eaafc7f2e
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240201051118-dc9c5fe78190

 replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d
diff --git a/go.sum b/go.sum
index b02508c89..d24e39a2a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240201045651-5fc45dcf1f9e h1:IysWIIIVRtsKXps0UfoiPpcOoWeRVR2eau71WUmihMU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240201045651-5fc45dcf1f9e/go.mod h1:FaerqzzTnQn/bqZhph5WGhrGhFOFRDeghTvXAUG1SZA=
-github.com/Two-Hearts/notation-go v0.0.0-20240201045827-fa4eaafc7f2e h1:JFhuM45jguL53hvIr+RhV4G23p8P7DZ6KQGJErv19ZY=
-github.com/Two-Hearts/notation-go v0.0.0-20240201045827-fa4eaafc7f2e/go.mod h1://jxcI9A3w7pdKJI5QGAdjAH3YBMhivEMktj0N/fDv8=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240201050938-182af1affc30 h1:0EE/GVxacnp/KykreEfdzqc1HZcESd6w2Q0Q6IzUneo=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240201050938-182af1affc30/go.mod h1:FaerqzzTnQn/bqZhph5WGhrGhFOFRDeghTvXAUG1SZA=
+github.com/Two-Hearts/notation-go v0.0.0-20240201051118-dc9c5fe78190 h1:fpYg02wM3Q4j5NccY+i3Y/iQzJvcrq1Vt/YVor5lFoM=
+github.com/Two-Hearts/notation-go v0.0.0-20240201051118-dc9c5fe78190/go.mod h1:1oFNm+y0tL06T5ul3R0Q9/cIrjr4qPwdr8f8qi59490=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d h1:RaFc+6Xkky04Y9DHb4BVhq9M1u3yhdoyccgDzcXwSgw=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d/go.mod h1:Pgt9nPf69t08eVXdxjcfxZalElbQocRuP1DGSKZDpMs=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
From a851775aa4f5296f086ab6a7fc1fe206d8041cac Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 22 Mar 2024 16:45:48 +0800
Subject: [PATCH 07/80] update
Signed-off-by: Patrick Zheng
---
 go.mod | 13 +++++++------
 go.sum | 26 ++++++++++++++------------
 2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/go.mod b/go.mod
index 0485f9904..784a9b52c 100644
--- a/go.mod
+++ b/go.mod
@@ -16,23 +16,24 @@ require (

 require (
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
- github.com/fxamacker/cbor/v2 v2.5.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.6.0 // indirect
 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 github.com/go-ldap/ldap/v3 v3.4.6 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 github.com/google/uuid v1.3.1 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
 github.com/notaryproject/tspclient-go v0.0.0-20240122083733-a373599795a2 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- golang.org/x/crypto v0.18.0 // indirect
- golang.org/x/mod v0.14.0 // indirect
+ golang.org/x/crypto v0.21.0 // indirect
+ golang.org/x/mod v0.16.0 // indirect
 golang.org/x/sync v0.6.0 // indirect
 golang.org/x/sys v0.18.0 // indirect
 )

-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240201050938-182af1affc30
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240322074029-e6537801a769

-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240201051118-dc9c5fe78190
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240322082508-e5984163c386

-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240322031047-c33159600668
diff --git a/go.sum b/go.sum
index 42b11b193..7a6d9b22a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,19 +1,19 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240201050938-182af1affc30 h1:0EE/GVxacnp/KykreEfdzqc1HZcESd6w2Q0Q6IzUneo=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240201050938-182af1affc30/go.mod h1:FaerqzzTnQn/bqZhph5WGhrGhFOFRDeghTvXAUG1SZA=
-github.com/Two-Hearts/notation-go v0.0.0-20240201051118-dc9c5fe78190 h1:fpYg02wM3Q4j5NccY+i3Y/iQzJvcrq1Vt/YVor5lFoM=
-github.com/Two-Hearts/notation-go v0.0.0-20240201051118-dc9c5fe78190/go.mod h1:1oFNm+y0tL06T5ul3R0Q9/cIrjr4qPwdr8f8qi59490=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d h1:RaFc+6Xkky04Y9DHb4BVhq9M1u3yhdoyccgDzcXwSgw=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240131082004-ba595813cc9d/go.mod h1:Pgt9nPf69t08eVXdxjcfxZalElbQocRuP1DGSKZDpMs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240322074029-e6537801a769 h1:IjW5HyuNFL1rW29o/dCFoO4J5kXGCrEMOwNTwPyd6fs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240322074029-e6537801a769/go.mod h1:cYwg3vrJsiuSC3ID7bG4/q6spGYbBTIr2mqG3ePwrqQ=
+github.com/Two-Hearts/notation-go v0.0.0-20240322082508-e5984163c386 h1:XL4Wl+LexfczAkbgNcviZbzPEB/bEOlnEbJ0oA6L55c=
+github.com/Two-Hearts/notation-go v0.0.0-20240322082508-e5984163c386/go.mod h1:mtlmnCSIYKEfXnMAupJiiNJsH7oy0gn5gs+crSxT25g=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240322031047-c33159600668 h1:DwEjNM07LP9yYT17LMWEgv4g0UnjmORuyX2aqUgnURE=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240322031047-c33159600668/go.mod h1:Pgt9nPf69t08eVXdxjcfxZalElbQocRuP1DGSKZDpMs=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE=
-github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
+github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
@@ -24,6 +24,8 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
+github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -51,12 +53,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
+golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
From eb0fcc9c9e61f084ef96c4d17bb455fa580ad3df Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 27 Mar 2024 16:50:52 +0800
Subject: [PATCH 08/80] updated timestamp
Signed-off-by: Patrick Zheng
---
 go.mod | 6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 delet
ions(-)
diff --git a/go.mod b/go.mod
index 784a9b52c..a7eb5cff1 100644
--- a/go.mod
+++ b/go.mod
@@ -32,8 +32,8 @@ require (
 golang.org/x/sys v0.18.0 // indirect
 )

-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240322074029-e6537801a769
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240327080830-9d2a35b7f3f0

-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240322082508-e5984163c386
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240327082239-e085696162b1

-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240322031047-c33159600668
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240327084647-c8f8e4ead7c7
diff --git a/go.sum b/go.sum
index 7a6d9b22a..feea14340 100644
--- a/go.sum
+++ b/go.sum
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240322074029-e6537801a769 h1:IjW5HyuNFL1rW29o/dCFoO4J5kXGCrEMOwNTwPyd6fs= -github.com/Two-Hearts/notation-core-go v0.0.0-20240322074029-e6537801a769/go.mod h1:cYwg3vrJsiuSC3ID7bG4/q6spGYbBTIr2mqG3ePwrqQ= -github.com/Two-Hearts/notation-go v0.0.0-20240322082508-e5984163c386 h1:XL4Wl+LexfczAkbgNcviZbzPEB/bEOlnEbJ0oA6L55c= -github.com/Two-Hearts/notation-go v0.0.0-20240322082508-e5984163c386/go.mod h1:mtlmnCSIYKEfXnMAupJiiNJsH7oy0gn5gs+crSxT25g= -github.com/Two-Hearts/tspclient-go v0.0.0-20240322031047-c33159600668 h1:DwEjNM07LP9yYT17LMWEgv4g0UnjmORuyX2aqUgnURE= -github.com/Two-Hearts/tspclient-go v0.0.0-20240322031047-c33159600668/go.mod h1:Pgt9nPf69t08eVXdxjcfxZalElbQocRuP1DGSKZDpMs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240327082239-e085696162b1 h1:VFaRt48d2PQ97WY3u4sWWgWpIBHSzid6UjiJG+0Ydcw= +github.com/Two-Hearts/notation-core-go v0.0.0-20240327082239-e085696162b1/go.mod h1:GsHR/83xmdubOk+77PlzIilthZNt+qCY4I9BxMKXbxg= +github.com/Two-Hearts/notation-go v0.0.0-20240327084647-c8f8e4ead7c7 h1:t4CGA1e6ay4ccjbuZRlxeahmIaGYsHuUWu7fJ5JZtbo= +github.com/Two-Hearts/notation-go v0.0.0-20240327084647-c8f8e4ead7c7/go.mod h1:qKbxXxW6/oQwGbJWtYwa73jE/czJZyElj7QotGr8ldg= +github.com/Two-Hearts/tspclient-go v0.0.0-20240327080830-9d2a35b7f3f0 h1:EbUo6vzeco2sq3ipHCL7JtsgAwOXNiM7BRRRLVp2o3U= +github.com/Two-Hearts/tspclient-go v0.0.0-20240327080830-9d2a35b7f3f0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= From be15eb2c76bd1ce5f730229427ef7e8a3124505d Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 8 Apr 2024 16:08:51 +0800 Subject: [PATCH 09/80] test Signed-off-by: Patrick Zheng --- go.mod | 10 +++++----- go.sum | 16 ++++++++-------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index a7eb5cff1..dc3b63fb8 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/notaryproject/notation go 1.21 require ( - github.com/notaryproject/notation-core-go v1.0.2 + github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 @@ -11,7 +11,7 @@ require ( github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 golang.org/x/term v0.18.0 - oras.land/oras-go/v2 v2.4.0 + oras.land/oras-go/v2 v2.5.0 ) require ( @@ -32,8 +32,8 @@ require ( golang.org/x/sys v0.18.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240327080830-9d2a35b7f3f0 +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240408072521-32657eeb0822 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240327082239-e085696162b1 +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240408072948-cbde6f956cbe -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240327084647-c8f8e4ead7c7 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240408073941-2e674e4cb276 diff --git a/go.sum b/go.sum index feea14340..383deacef 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240327082239-e085696162b1 h1:VFaRt48d2PQ97WY3u4sWWgWpIBHSzid6UjiJG+0Ydcw= -github.com/Two-Hearts/notation-core-go v0.0.0-20240327082239-e085696162b1/go.mod h1:GsHR/83xmdubOk+77PlzIilthZNt+qCY4I9BxMKXbxg= -github.com/Two-Hearts/notation-go v0.0.0-20240327084647-c8f8e4ead7c7 h1:t4CGA1e6ay4ccjbuZRlxeahmIaGYsHuUWu7fJ5JZtbo= -github.com/Two-Hearts/notation-go v0.0.0-20240327084647-c8f8e4ead7c7/go.mod h1:qKbxXxW6/oQwGbJWtYwa73jE/czJZyElj7QotGr8ldg= -github.com/Two-Hearts/tspclient-go v0.0.0-20240327080830-9d2a35b7f3f0 h1:EbUo6vzeco2sq3ipHCL7JtsgAwOXNiM7BRRRLVp2o3U= -github.com/Two-Hearts/tspclient-go v0.0.0-20240327080830-9d2a35b7f3f0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240408072948-cbde6f956cbe h1:BaNFMCJckSyFinHzrDw8K5hADfEp1dmdFHiDg5jb2K0= +github.com/Two-Hearts/notation-core-go v0.0.0-20240408072948-cbde6f956cbe/go.mod h1:etS+BOHG3eXU6yMSxMOjeZjrEQojZMb57/5uALoL6gY= +github.com/Two-Hearts/notation-go v0.0.0-20240408073941-2e674e4cb276 h1:nt5L1DtVp56eQ3UE7370X6IuWTxISAx5jnT73qmSVro= +github.com/Two-Hearts/notation-go v0.0.0-20240408073941-2e674e4cb276/go.mod h1:P5scq28MKlr6megmigWwkhEix1MyzD6HYBSRMPeEaWc= +github.com/Two-Hearts/tspclient-go v0.0.0-20240408072521-32657eeb0822 h1:Fri3XvjQNGCHw7uZINZhk/p6qP9eYdjgyPltUQdB1f4= +github.com/Two-Hearts/tspclient-go v0.0.0-20240408072521-32657eeb0822/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= @@ -102,5 +102,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= -oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= +oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c= +oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg= From 177be5bc336a075e8fc5ec0b559d736a62150dc1 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 10 Apr 2024 11:59:29 +0800 Subject: [PATCH 10/80] update Signed-off-by: Patrick Zheng --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index dc3b63fb8..25a1e3c16 100644 --- a/go.mod +++ b/go.mod @@ -32,8 +32,8 @@ require ( golang.org/x/sys v0.18.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240408072521-32657eeb0822 +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240408072948-cbde6f956cbe +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240410034234-29bc7737eb3c -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240408073941-2e674e4cb276 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240410035320-31de40f4956a diff --git a/go.sum b/go.sum index 383deacef..d78792ab9 100644 --- a/go.sum 
+++ b/go.sum 
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240408072948-cbde6f956cbe h1:BaNFMCJckSyFinHzrDw8K5hADfEp1dmdFHiDg5jb2K0= -github.com/Two-Hearts/notation-core-go v0.0.0-20240408072948-cbde6f956cbe/go.mod h1:etS+BOHG3eXU6yMSxMOjeZjrEQojZMb57/5uALoL6gY= -github.com/Two-Hearts/notation-go v0.0.0-20240408073941-2e674e4cb276 h1:nt5L1DtVp56eQ3UE7370X6IuWTxISAx5jnT73qmSVro= -github.com/Two-Hearts/notation-go v0.0.0-20240408073941-2e674e4cb276/go.mod h1:P5scq28MKlr6megmigWwkhEix1MyzD6HYBSRMPeEaWc= -github.com/Two-Hearts/tspclient-go v0.0.0-20240408072521-32657eeb0822 h1:Fri3XvjQNGCHw7uZINZhk/p6qP9eYdjgyPltUQdB1f4= -github.com/Two-Hearts/tspclient-go v0.0.0-20240408072521-32657eeb0822/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240410034234-29bc7737eb3c h1:hr6zVMTS6oEjGuNt7HSAG/41Ck7KQVG+UJxeiF6LHgI= +github.com/Two-Hearts/notation-core-go v0.0.0-20240410034234-29bc7737eb3c/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4= +github.com/Two-Hearts/notation-go v0.0.0-20240410035320-31de40f4956a h1:IRMw8JKpEOsqbyl2w9l94OB8YEcPUegMvqQvtf/4PiQ= +github.com/Two-Hearts/notation-go v0.0.0-20240410035320-31de40f4956a/go.mod h1:gQJ98AE4ItBTHw5TSBzl86pzwy1s2YcZrTNpGO2uKr4= +github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 h1:7SJ4FlWTmpXssu5J+XI7Fzn50tPsagFMEJSWmqv8nLU= +github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= From 64ffee524af3613b522449daf5623295e977015e Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 11 Apr 2024 16:57:57 +0800 Subject: [PATCH 11/80] added at-timestamped-time in verification Signed-off-by: Patrick Zheng --- cmd/notation/verify.go | 27 +++++++++++++++------------ go.mod | 4 ++-- go.sum | 8 ++++---- 3 files changed, 21 insertions(+), 18 deletions(-) diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 2ac0b9f48..41d7f37a4 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -33,14 +33,15 @@ import ( type verifyOpts struct { cmd.LoggingFlagOpts SecureFlagOpts - reference string - pluginConfig []string - userMetadata []string - allowReferrersAPI bool - ociLayout bool - trustPolicyScope string - inputType inputType - maxSignatureAttempts int + reference string + pluginConfig []string + userMetadata []string + allowReferrersAPI bool + ociLayout bool + trustPolicyScope string + inputType inputType + maxSignatureAttempts int + verifyAtTimestampedTime bool } func verifyCommand(opts *verifyOpts) *cobra.Command { 
@@ -99,6 +100,7 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataVerifyUsage)
 command.Flags().IntVar(&opts.maxSignatureAttempts, "max-signatures", 100, "maximum number of signatures to evaluate or examine")
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "verify"))
+ command.Flags().BoolVar(&opts.verifyAtTimestampedTime, "at-timestamped-time", false, "verify timestamp countersignature at the time point been stamped")
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] verify the artifact stored as OCI image layout")
 command.Flags().StringVar(&opts.trustPolicyScope, "scope", "", "[Experimental] set trust policy scope for artifact verification, required and can only be used when flag \"--oci-layout\" is set")
 command.MarkFlagsRequiredTogether("oci-layout", "scope")
@@ -141,10 +143,11 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 }
 intendedRef := resolveArtifactDigestReference(resolvedRef, opts.trustPolicyScope)
 verifyOpts := notation.VerifyOptions{
- ArtifactReference: intendedRef,
- PluginConfig: configs,
- MaxSignatureAttempts: opts.maxSignatureAttempts,
- UserMetadata: userMetadata,
+ ArtifactReference: intendedRef,
+ PluginConfig: configs,
+ MaxSignatureAttempts: opts.maxSignatureAttempts,
+ UserMetadata: userMetadata,
+ VerifyAtTimestampedTime: opts.verifyAtTimestampedTime,
 }
 _, outcomes, err := notation.Verify(ctx, sigVerifier, sigRepo, verifyOpts)
 err = checkVerificationFailure(outcomes, resolvedRef, err)
diff --git a/go.mod b/go.mod
index 25a1e3c16..fb1a7a871 100644
--- a/go.mod
+++ b/go.mod
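Review bot: The help text on the new `--at-timestamped-time` flag (`"verify timestamp countersignature at the time point been stamped"`) is ungrammatical and omits the two things an operator must know before flipping a switch that moves the point in time at which the signing certificate's validity is judged: which time is used when the flag is off, and what happens to a signature that carries no timestamp token when it is on. Suggest `"evaluate the signing certificate's validity at the time asserted by the signature's timestamp countersignature instead of the current time"`, plus a clause for the no-token case once its behaviour is confirmed in notation-go. Because this changes the trust decision rather than the transport, it is also worth asking whether it should be driven by the `authenticTimestamp` trust-policy setting rather than by a per-invocation flag that a CI job can silently drop. verifyCommand's body starts and ends outside the hunk, as does runVerify's in the following hunk, which only forwards the value into `notation.VerifyOptions`.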
@@ -34,6 +34,6 @@ require ( replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240410034234-29bc7737eb3c +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240411021119-44995cc7a08f -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240410035320-31de40f4956a +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240411065042-545e1e76454e diff --git a/go.sum b/go.sum index d78792ab9..64eca591f 100644 --- a/go.sum +++ b/go.sum 
@@ -1,9 +1,9 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240410034234-29bc7737eb3c h1:hr6zVMTS6oEjGuNt7HSAG/41Ck7KQVG+UJxeiF6LHgI= -github.com/Two-Hearts/notation-core-go v0.0.0-20240410034234-29bc7737eb3c/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4= -github.com/Two-Hearts/notation-go v0.0.0-20240410035320-31de40f4956a h1:IRMw8JKpEOsqbyl2w9l94OB8YEcPUegMvqQvtf/4PiQ= -github.com/Two-Hearts/notation-go v0.0.0-20240410035320-31de40f4956a/go.mod h1:gQJ98AE4ItBTHw5TSBzl86pzwy1s2YcZrTNpGO2uKr4= +github.com/Two-Hearts/notation-core-go v0.0.0-20240411021119-44995cc7a08f h1:OUQLq7PVUmvVMSuI7RV9IQwcLkqP2fr+DwCo7lMirM0= +github.com/Two-Hearts/notation-core-go v0.0.0-20240411021119-44995cc7a08f/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4= +github.com/Two-Hearts/notation-go v0.0.0-20240411065042-545e1e76454e h1:zVqFLHBKMZhetLSvT/DCl+I47ErHWbmzuY5ewrbKMeg= +github.com/Two-Hearts/notation-go v0.0.0-20240411065042-545e1e76454e/go.mod h1:VTU1+JpJJJDAqHvuJu3y79BIWZA71KL2dlmFjwJhcsI= github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 h1:7SJ4FlWTmpXssu5J+XI7Fzn50tPsagFMEJSWmqv8nLU= github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= From b0c8b4599d8449d3e76385355810494285d137a9 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 12 Apr 2024 09:51:43 +0800 Subject: [PATCH 12/80] added cli spec Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- specs/commandline/sign.md | 11 +++++++++++ specs/commandline/verify.md | 14 ++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) 
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index b15a4cd14..7ecbeeb67 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -113,7 +113,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig)
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage)
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign"))
- command.Flags().StringVar(&opts.tsaServerURL, "tsa", "", "TSA server URL")
+ command.Flags().StringVar(&opts.tsaServerURL, "tsa-url", "", "timestamp authority server URL")
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout")
 command.MarkFlagsMutuallyExclusive("oci-layout", "allow-referrers-api")
 experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"})
diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md
index 1bb445797..baca5df65 100644
--- a/specs/commandline/sign.md
+++ b/specs/commandline/sign.md
@@ -42,6 +42,7 @@ Flags:
 --plugin string signing plugin name. This is mutually exclusive with the --key flag
 --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values.
 --signature-format string signature envelope format, options: "jws", "cose" (default "jws")
+ --tsa-url string timestamp authority server URL
 -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified)
 -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload
 -v, --verbose verbose mode
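Review bot: `--tsa-url` is accepted as an arbitrary string — nothing in the hunk validates that `opts.tsaServerURL` is an absolute `http`/`https` URL, so a bare host or a typo surfaces only as a failure from the timestamping client after the signing key has already been used, and a plaintext `http://` endpoint is accepted without any note in the help text (tolerable for a timestamp protocol whose token is itself signed, which I assume is what tspclient-go implements, but the user should be told). A check before the value is forwarded, e.g. `if u, err := url.ParseRequestURI(opts.tsaServerURL); err != nil || (u.Scheme != "http" && u.Scheme != "https") { return fmt.Errorf("--tsa-url %q must be an absolute http(s) URL", opts.tsaServerURL) }` guarded by `opts.tsaServerURL != ""`, turns that into an immediate usage error. Note also that the `experimental.HideFlags` call two lines below still lists only `allow-referrers-api` and `oci-layout`, so `--tsa-url` is advertised as a stable flag while, going by the go.mod hunks elsewhere in this series, its implementation is still pulled from fork pseudo-versions; hiding it behind the experimental gate until the libraries are tagged seems safer. signCommand's body starts and ends outside the hunk.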
@@ -155,6 +156,16 @@ Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag( Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` +### Sign an OCI artifact and timestamp the signature with user specified timestamp authority + +```shell +# Prerequisites: +# A default signing key is configured using CLI "notation key" + +# Use option "--tsa-url" to specify the timestamp authority URL. +notation sign --tsa-url /@ +``` + ### [Experimental] Sign container images stored in OCI layout directory Container images can be stored in OCI image Layout defined in spec [OCI image layout][oci-image-layout]. It is a directory structure that contains files and folders. The OCI image layout could be a tarball or a directory in the filesystem. For example, a file named `hello-world.tar` or a directory named `hello-world`. Notation only supports signing images stored in OCI layout directory for now. Users can reference an image in the layout using either tags, or the exact digest. For example, use `hello-world:v1` or `hello-world@sha256xxx` to reference the image in OCI layout directory named `hello-world`. diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 943e7bcd3..b4ebf55cf 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -38,6 +38,7 @@ Usage: notation verify [flags] Flags: + --at-timestamped-time verify timestamp countersignature at the time point been stamped --allow-referrers-api [Experimental] use the Referrers API to verify signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for verify 
@@ -176,6 +177,19 @@ Warning: Always verify the artifact using digest(@sha256:...) rather than a tag Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` +### Verify timestamp countersignature at the time point been stamped + +```shell +# Verify timestamp countersignature at the time point been stamped +notation verify --at-timestamped-time localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 +``` + +An example of output messages for a successful verification: + +```text +Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 +``` + ### [Experimental] Verify container images in OCI layout directory Users should configure trust policy properly before verifying artifacts in OCI layout directory. According to trust policy specification, `registryScopes` property of trust policy configuration determines which trust policy is applicable for the given artifact. For example, an image stored in a remote registry is referenced by "localhost:5000/net-monitor:v1". In order to verify the image, the value of `registryScopes` should contain "localhost:5000/net-monitor", which is the repository URL of the image. However, the reference to the image stored in OCI layout directory doesn't contain repository URL information. Users can set `registryScopes` to the URL that the image is supposed to be stored in the registry, and then use flag `--scope` for `notation verify` command to determine which trust policy is used for verification. Here is an example of trust policy configured for image `hello-world:v1`: From 47872ad239409d0d2752e7601293fd4a092b2121 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 18 Apr 2024 13:08:41 +0800 Subject: [PATCH 13/80] update 
Signed-off-by: Patrick Zheng --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 955f5c31e..4c4297ab4 100644 --- a/go.mod +++ b/go.mod @@ -34,6 +34,6 @@ require ( replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240411021119-44995cc7a08f +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240411065042-545e1e76454e +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240418050603-6e3630339661 diff --git a/go.sum b/go.sum index 64eca591f..90ea0780d 100644 --- a/go.sum +++ b/go.sum 
@@ -1,9 +1,9 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240411021119-44995cc7a08f h1:OUQLq7PVUmvVMSuI7RV9IQwcLkqP2fr+DwCo7lMirM0= -github.com/Two-Hearts/notation-core-go v0.0.0-20240411021119-44995cc7a08f/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4= -github.com/Two-Hearts/notation-go v0.0.0-20240411065042-545e1e76454e h1:zVqFLHBKMZhetLSvT/DCl+I47ErHWbmzuY5ewrbKMeg= -github.com/Two-Hearts/notation-go v0.0.0-20240411065042-545e1e76454e/go.mod h1:VTU1+JpJJJDAqHvuJu3y79BIWZA71KL2dlmFjwJhcsI= +github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b h1:a27dSIOWWw7rJSD2ebmWUYjwhhhPnIaMGlqPl9OuCmI= +github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4= +github.com/Two-Hearts/notation-go v0.0.0-20240418050603-6e3630339661 h1:SsB0YpXYuCdawVOQ8sdkGpJwM+6mCMrTqhUnnFPjDdk= +github.com/Two-Hearts/notation-go v0.0.0-20240418050603-6e3630339661/go.mod h1:pnMWvi0BhD4TKGoMfKbLqF0jP72weMM23x/cx0wu0j4= github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 h1:7SJ4FlWTmpXssu5J+XI7Fzn50tPsagFMEJSWmqv8nLU= github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= From 5c7a70b848e9b5cac892fae4337b8a7d0ef8dbfc Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 18 Apr 2024 13:27:06 +0800 Subject: [PATCH 14/80] test Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- test/e2e/suite/trustpolicy/verification_level.go | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 4c4297ab4..16f61d4ce 100644 --- a/go.mod 
+++ b/go.mod @@ -36,4 +36,4 @@ replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240418050603-6e3630339661 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240418052257-bea674c16d59 diff --git a/go.sum b/go.sum index 90ea0780d..7fcc0c372 100644 --- a/go.sum +++ b/go.sum @@ -2,8 +2,8 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b h1:a27dSIOWWw7rJSD2ebmWUYjwhhhPnIaMGlqPl9OuCmI= github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4= -github.com/Two-Hearts/notation-go v0.0.0-20240418050603-6e3630339661 h1:SsB0YpXYuCdawVOQ8sdkGpJwM+6mCMrTqhUnnFPjDdk= -github.com/Two-Hearts/notation-go v0.0.0-20240418050603-6e3630339661/go.mod h1:pnMWvi0BhD4TKGoMfKbLqF0jP72weMM23x/cx0wu0j4= +github.com/Two-Hearts/notation-go v0.0.0-20240418052257-bea674c16d59 h1:GTXdnMY+hlvavLfzoOO+1T/z5xaGSu9bVDA3K6cDXv4= +github.com/Two-Hearts/notation-go v0.0.0-20240418052257-bea674c16d59/go.mod h1:pnMWvi0BhD4TKGoMfKbLqF0jP72weMM23x/cx0wu0j4= github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 h1:7SJ4FlWTmpXssu5J+XI7Fzn50tPsagFMEJSWmqv8nLU= github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= 
diff --git a/test/e2e/suite/trustpolicy/verification_level.go b/test/e2e/suite/trustpolicy/verification_level.go index 6ada0259b..c9984aaaa 100644 --- a/test/e2e/suite/trustpolicy/verification_level.go +++ b/test/e2e/suite/trustpolicy/verification_level.go @@ -98,7 +98,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). + "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period and no timestamp token was found in the signature envelope"). MatchKeyWords(VerifySuccessfully) }) }) @@ -156,7 +156,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). + "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period and no timestamp token was found in the signature envelope"). MatchKeyWords(VerifySuccessfully) }) }) @@ -226,7 +226,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). + "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period and no timestamp token was found in the signature envelope"). MatchKeyWords(VerifySuccessfully) }) }) From 7aee9925dbd243d0474be97f461dc03535422e0e Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Thu, 18 Apr 2024 13:35:06 +0800 Subject: [PATCH 15/80] fixed e2e tests Signed-off-by: Patrick Zheng --- test/e2e/suite/trustpolicy/verification_level.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/suite/trustpolicy/verification_level.go b/test/e2e/suite/trustpolicy/verification_level.go index c9984aaaa..ee31c94b2 100644 --- a/test/e2e/suite/trustpolicy/verification_level.go +++ b/test/e2e/suite/trustpolicy/verification_level.go @@ -98,7 +98,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period and no timestamp token was found in the signature envelope"). + "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"] and no timestamp token was found in the signature envelope"). MatchKeyWords(VerifySuccessfully) }) }) @@ -156,7 +156,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period and no timestamp token was found in the signature envelope"). + "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"] and no timestamp token was found in the signature envelope"). MatchKeyWords(VerifySuccessfully) }) }) 
@@ -226,7 +226,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period and no timestamp token was found in the signature envelope"). + "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"] and no timestamp token was found in the signature envelope"). MatchKeyWords(VerifySuccessfully) }) }) From 4b3a06de1ef2cecbc6c330ddfc08a947a45878c5 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 8 May 2024 16:56:34 +0800 Subject: [PATCH 16/80] updated per spec Signed-off-by: Patrick Zheng --- go.mod | 14 ++++++------ go.sum | 70 +++++++++++++++++++++++++++++++++++++++++----------------- 2 files changed, 57 insertions(+), 27 deletions(-) diff --git a/go.mod b/go.mod index f455f0b1e..58c575c75 100644 --- a/go.mod +++ b/go.mod 
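Review bot: The expected error text now pins both the exact wording of a notation-go error and the fixture certificate's exact validity window (`"Mon, 26 Jun 2023 06:10:00 +0000"`, `"Tue, 27 Jun 2023 06:10:00 +0000"`), so a rewording in the library or a regenerated test certificate breaks these three cases for reasons unrelated to what they test, namely that `authenticTimestamp` set to `log` only warns on an expired certificate and still reports `VerifySuccessfully`. Matching on the stable fragments is enough to lock in the behaviour, e.g. `MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "is not in certificate", "validity period", "no timestamp token was found in the signature envelope")`. The same literal is repeated in all three hunks of this file (and was edited in all three places in the preceding commit as well), so hoisting it into one package-level const would make the next wording change a one-line edit. The enclosing `Describe` block starts and ends outside the hunk.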
@@ -18,22 +18,22 @@ require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/fxamacker/cbor/v2 v2.6.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect - github.com/go-ldap/ldap/v3 v3.4.6 // indirect + github.com/go-ldap/ldap/v3 v3.4.8 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect - github.com/google/uuid v1.3.1 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect github.com/notaryproject/tspclient-go v0.0.0-20240122083733-a373599795a2 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.21.0 // indirect - golang.org/x/mod v0.16.0 // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/mod v0.17.0 // indirect golang.org/x/sync v0.6.0 // indirect golang.org/x/sys v0.19.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240508074024-ec1725d6dc9b -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240508074737-fc1cb3d28098 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240418052257-bea674c16d59 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240508084813-de71d3441d09 diff --git a/go.sum b/go.sum index f73536486..fd01e10ab 100644 --- a/go.sum +++ b/go.sum 
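Review bot: The three `replace` directives at the bottom of the hunk leave every build of this branch compiling a personal fork (`github.com/Two-Hearts/...`) of the libraries that do the signing, verification and timestamping, pinned only by pseudo-version, while the `require` block above still names the upstream modules (`tspclient-go` is even listed as `// indirect` against an upstream pseudo-version that the replace then overrides), and nothing marks the redirection as temporary. go.sum pins the content hashes, so the build is reproducible, but a release cut from this state would ship code that never went through the upstream repositories' review; add a marker that cannot be overlooked, e.g. `// TODO(tsa): temporary fork pins for the timestamping work; revert to upstream tags before release` above the first `replace`. The other bumps in the hunk (`go-ldap`, `uuid`, `x/crypto`, `x/mod`) appear incidental to the timestamping work and would be easier to audit as their own dependency-update commit.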
@@ -1,13 +1,13 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b h1:a27dSIOWWw7rJSD2ebmWUYjwhhhPnIaMGlqPl9OuCmI= -github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4= -github.com/Two-Hearts/notation-go v0.0.0-20240418052257-bea674c16d59 h1:GTXdnMY+hlvavLfzoOO+1T/z5xaGSu9bVDA3K6cDXv4= -github.com/Two-Hearts/notation-go v0.0.0-20240418052257-bea674c16d59/go.mod h1:pnMWvi0BhD4TKGoMfKbLqF0jP72weMM23x/cx0wu0j4= -github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 h1:7SJ4FlWTmpXssu5J+XI7Fzn50tPsagFMEJSWmqv8nLU= -github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= -github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= -github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= +github.com/Two-Hearts/notation-core-go v0.0.0-20240508074737-fc1cb3d28098 h1:xfyYkDuH7MXz5+Pd5wvRSlARyDUp9UM7I23OzlbIMsA= +github.com/Two-Hearts/notation-core-go v0.0.0-20240508074737-fc1cb3d28098/go.mod h1:wkaaIh2fMRBO3j48U/F64tZOCqcYkuKOiA9o7ERkXXU= +github.com/Two-Hearts/notation-go v0.0.0-20240508084813-de71d3441d09 h1:IhAKpuMjYTwNm83j+x5cIBhsXx7zmU2vQtmlU2igLQQ= +github.com/Two-Hearts/notation-go v0.0.0-20240508084813-de71d3441d09/go.mod h1:5AMTl82slXK/SXcDz5ruivU9tgMgC74sfboVL8godtM= +github.com/Two-Hearts/tspclient-go v0.0.0-20240508074024-ec1725d6dc9b h1:pNICDsr2or3iCRyjB8UnrG/N7mhP6H6yIfx3F8Zkcqk= +github.com/Two-Hearts/tspclient-go v0.0.0-20240508074024-ec1725d6dc9b/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/alexbrainman/sspi 
v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= +github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -16,14 +16,31 @@ github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1t github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= -github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc= +github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ= +github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 
v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= +github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -41,10 +58,13 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o= github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= 
@@ -52,18 +72,25 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= -golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -77,14 +104,16 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -92,13 +121,14 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From 4cb6be6b4fc39b77eda068b493569ecc27a6deb6 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 8 May 2024 17:02:29 +0800 Subject: [PATCH 17/80] fixed e2e tests Signed-off-by: Patrick Zheng --- test/e2e/suite/trustpolicy/verification_level.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/suite/trustpolicy/verification_level.go b/test/e2e/suite/trustpolicy/verification_level.go index ee31c94b2..ef9a73416 100644 --- a/test/e2e/suite/trustpolicy/verification_level.go 
+++ b/test/e2e/suite/trustpolicy/verification_level.go
@@ -98,7 +98,7 @@ var _ = Describe("notation trust policy verification level test", func() {
 notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"",
- "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"] and no timestamp token was found in the signature envelope").
+ "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"], and no timestamp countersignature was found in the signature envelope").
 MatchKeyWords(VerifySuccessfully)
 })
 })
@@ -156,7 +156,7 @@ var _ = Describe("notation trust policy verification level test", func() {
 notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"",
- "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"] and no timestamp token was found in the signature envelope").
+ "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"], and no timestamp countersignature was found in the signature envelope").
 MatchKeyWords(VerifySuccessfully)
 })
 })
@@ -226,7 +226,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"] and no timestamp token was found in the signature envelope"). + "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"], and no timestamp countersignature was found in the signature envelope"). MatchKeyWords(VerifySuccessfully) }) }) From b498611728cbe71dd7378da60b3f6f36f3274335 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 10 May 2024 16:22:32 +0800 Subject: [PATCH 18/80] updated tspclient-go Signed-off-by: Patrick Zheng --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 58c575c75..ab03c74b7 100644 --- a/go.mod +++ b/go.mod @@ -32,8 +32,8 @@ require ( golang.org/x/sys v0.19.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240508074024-ec1725d6dc9b +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240508074737-fc1cb3d28098 +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240508084813-de71d3441d09 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240510081650-cde5adb39abf 
diff --git a/go.sum b/go.sum index fd01e10ab..8d0b5c175 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240508074737-fc1cb3d28098 h1:xfyYkDuH7MXz5+Pd5wvRSlARyDUp9UM7I23OzlbIMsA= -github.com/Two-Hearts/notation-core-go v0.0.0-20240508074737-fc1cb3d28098/go.mod h1:wkaaIh2fMRBO3j48U/F64tZOCqcYkuKOiA9o7ERkXXU= -github.com/Two-Hearts/notation-go v0.0.0-20240508084813-de71d3441d09 h1:IhAKpuMjYTwNm83j+x5cIBhsXx7zmU2vQtmlU2igLQQ= -github.com/Two-Hearts/notation-go v0.0.0-20240508084813-de71d3441d09/go.mod h1:5AMTl82slXK/SXcDz5ruivU9tgMgC74sfboVL8godtM= -github.com/Two-Hearts/tspclient-go v0.0.0-20240508074024-ec1725d6dc9b h1:pNICDsr2or3iCRyjB8UnrG/N7mhP6H6yIfx3F8Zkcqk= -github.com/Two-Hearts/tspclient-go v0.0.0-20240508074024-ec1725d6dc9b/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f h1:0qJ4YyR0q7SYv9N1VMafb5823SpxI7AGuYnSlvEcTjo= +github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f/go.mod h1:KDiMLnM1MHQRMeiPM622MN0MBb9Hz6xRU4/O9qDOics= +github.com/Two-Hearts/notation-go v0.0.0-20240510081650-cde5adb39abf h1:eVcVj0G9iVEtFn7SzOx+sZEuhdAW1trftTVS7nPgSi8= +github.com/Two-Hearts/notation-go v0.0.0-20240510081650-cde5adb39abf/go.mod h1:jjaqXrqUi1NFpYm4ZLo/YSHg587lR3BfT0n97U/TE4Y= +github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4 h1:jtwluHassbSXeXjloQ5FCJJ1hOhN/DCnAztY8Cr6if0= +github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= From 7ffa82be09beee6235e4a646b62d1e5ae083cfe1 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 4 Jun 2024 16:56:40 +0800 Subject: [PATCH 19/80] timestamping Signed-off-by: Patrick Zheng --- go.mod | 10 +++++----- go.sum | 16 ++++++++-------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index a615d3516..ef741926b 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/notaryproject/notation go 1.22 require ( - github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e + github.com/notaryproject/notation-core-go v1.0.3 github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 @@ -26,14 +26,14 @@ require ( github.com/notaryproject/tspclient-go v0.0.0-20240122083733-a373599795a2 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.22.0 // indirect + golang.org/x/crypto v0.23.0 // indirect golang.org/x/mod v0.17.0 // indirect golang.org/x/sync v0.6.0 // indirect golang.org/x/sys v0.20.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4 +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240604074342-99b519049ef9 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240510081650-cde5adb39abf +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240604085003-d8f19cfde887 
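Review bot: The first go.mod hunk bumps the `require` for notation-core-go to the tagged `v1.0.3`, but the second hunk keeps a `replace` that redirects the same module to `github.com/Two-Hearts/notation-core-go v0.0.0-20240604074342-99b519049ef9`, so the tagged release is never what gets compiled and the `require` line misleads anyone auditing the dependency set. Either the replace is no longer needed because v1.0.3 carries the timestamping changes, in which case it should go, or it is still needed and the require should stay at a pseudo-version so go.mod reads honestly. The same applies to notation-go, which is required at a pre-release pseudo-version and then replaced by a fork commit in the same hunk.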
diff --git a/go.sum b/go.sum index 6c549d683..af4f62c08 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f h1:0qJ4YyR0q7SYv9N1VMafb5823SpxI7AGuYnSlvEcTjo= -github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f/go.mod h1:KDiMLnM1MHQRMeiPM622MN0MBb9Hz6xRU4/O9qDOics= -github.com/Two-Hearts/notation-go v0.0.0-20240510081650-cde5adb39abf h1:eVcVj0G9iVEtFn7SzOx+sZEuhdAW1trftTVS7nPgSi8= -github.com/Two-Hearts/notation-go v0.0.0-20240510081650-cde5adb39abf/go.mod h1:jjaqXrqUi1NFpYm4ZLo/YSHg587lR3BfT0n97U/TE4Y= -github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4 h1:jtwluHassbSXeXjloQ5FCJJ1hOhN/DCnAztY8Cr6if0= -github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240604074342-99b519049ef9 h1:gMwiXl+IGOeVhF4KUHbfqbvqZsgONcqPtzfYBexFKRE= +github.com/Two-Hearts/notation-core-go v0.0.0-20240604074342-99b519049ef9/go.mod h1:uk5VrENYWqPdnnBOZCEk1XEfilOscHJckfhaWzuMJlU= +github.com/Two-Hearts/notation-go v0.0.0-20240604085003-d8f19cfde887 h1:6RMO1ZKh5F1xOB1lkK8i5lRIAFikxg3SeCJSF3emBxs= +github.com/Two-Hearts/notation-go v0.0.0-20240604085003-d8f19cfde887/go.mod h1:Bxv3jSdrQ+ladGv1sqfQ+Zy6tiS0o+XseOIC7F/63cA= +github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4 h1:WCm4ObRL++IM3gVexV7evDbhzk2c4iAZYJmlTWIBOnQ= +github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= @@ -75,8 +75,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= From ca20476853ce994ff0e400acef44c180e74f9cc1 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 4 Jun 2024 17:10:45 +0800 Subject: [PATCH 20/80] fixed e2e tests Signed-off-by: Patrick Zheng --- test/e2e/suite/trustpolicy/verification_level.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/suite/trustpolicy/verification_level.go b/test/e2e/suite/trustpolicy/verification_level.go index ef9a73416..3f6c1197c 100644 --- a/test/e2e/suite/trustpolicy/verification_level.go +++ b/test/e2e/suite/trustpolicy/verification_level.go 
@@ -98,7 +98,7 @@ var _ = Describe("notation trust policy verification level test", func() {
 notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"",
- "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"], and no timestamp countersignature was found in the signature envelope").
+ "after certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period, it was expired at \"Tue, 27 Jun 2023 06:10:00 +0000\"").
 MatchKeyWords(VerifySuccessfully)
 })
 })
@@ -156,7 +156,7 @@ var _ = Describe("notation trust policy verification level test", func() {
 notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"",
- "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"], and no timestamp countersignature was found in the signature envelope").
+ "after certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period, it was expired at \"Tue, 27 Jun 2023 06:10:00 +0000\"").
 MatchKeyWords(VerifySuccessfully)
 })
 })
@@ -226,7 +226,7 @@ var _ = Describe("notation trust policy verification level test", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", - "error: current time is not in certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period [\"Mon, 26 Jun 2023 06:10:00 +0000\", \"Tue, 27 Jun 2023 06:10:00 +0000\"], and no timestamp countersignature was found in the signature envelope"). + "after certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period, it was expired at \"Tue, 27 Jun 2023 06:10:00 +0000\""). MatchKeyWords(VerifySuccessfully) }) }) From 9dca4dcd1f2e2f5145b637fa93883f11864229df Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 11 Jun 2024 18:46:58 +0800 Subject: [PATCH 21/80] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 28d6658d5..4d55f3e22 100644 --- a/go.mod +++ b/go.mod @@ -36,4 +36,4 @@ replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240611092236-ee0b91b980f5 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240611104501-3cdb0b204de5 diff --git a/go.sum b/go.sum index d56ad74dd..861f68486 100644 --- a/go.sum +++ b/go.sum 
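Review bot: The new keyword `"after certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" validity period, it was expired at \"Tue, 27 Jun 2023 06:10:00 +0000\""` drops both the `error:` prefix and the "no timestamp countersignature was found in the signature envelope" clause that the previous expectation carried, so this test no longer pins how the expiry is reported nor that the verifier observed the missing countersignature, which is precisely the condition that authenticTimestamp at "log" level is meant to tolerate before `MatchKeyWords(VerifySuccessfully)`. If the message emitted by the updated notation-go still contains those parts, the assertion should quote the full line; if upstream removed them, that loss of diagnostic detail is worth confirming as intentional rather than silently tracked here. The enclosing `It` block begins outside the hunk.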
@@ -2,8 +2,8 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d h1:Jang//VKYgXC2lxp7E2YaTk+FpsAmUSEs9NVrNBrAHE= github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d/go.mod h1:uk5VrENYWqPdnnBOZCEk1XEfilOscHJckfhaWzuMJlU= -github.com/Two-Hearts/notation-go v0.0.0-20240611092236-ee0b91b980f5 h1:/Rg0u41itdMa9+XeqiIqJHeNOepi7Bp3PFhl3bXJY2Q= -github.com/Two-Hearts/notation-go v0.0.0-20240611092236-ee0b91b980f5/go.mod h1:LSGBYYTw8mHofe13TqUBibOoVedUzpTQdTPwycku7V0= +github.com/Two-Hearts/notation-go v0.0.0-20240611104501-3cdb0b204de5 h1:c0kPFznwIG9x6wa4rsy83SBg6Ht249RJEFUCKxO30ZU= +github.com/Two-Hearts/notation-go v0.0.0-20240611104501-3cdb0b204de5/go.mod h1:LSGBYYTw8mHofe13TqUBibOoVedUzpTQdTPwycku7V0= github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4 h1:WCm4ObRL++IM3gVexV7evDbhzk2c4iAZYJmlTWIBOnQ= github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= From 6cd87c891552ce9cdeb9e8039e8a9e4bc348031c Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 18 Jun 2024 13:39:54 +0800 Subject: [PATCH 22/80] updated timestamping Signed-off-by: Patrick Zheng --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 4d55f3e22..a901b1967 100644 --- a/go.mod +++ b/go.mod 
@@ -26,14 +26,14 @@ require (
 github.com/notaryproject/tspclient-go v0.0.0-20240122083733-a373599795a2 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- golang.org/x/crypto v0.23.0 // indirect
+ golang.org/x/crypto v0.24.0 // indirect
 golang.org/x/mod v0.18.0 // indirect
 golang.org/x/sync v0.6.0 // indirect
 golang.org/x/sys v0.21.0 // indirect
 )
-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240618052238-43b2412f153d
-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240611104501-3cdb0b204de5
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240618052902-b002bea38168
diff --git a/go.sum b/go.sum
index 861f68486..ec5da432f 100644
--- a/go.sum
+++ b/go.sum
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d h1:Jang//VKYgXC2lxp7E2YaTk+FpsAmUSEs9NVrNBrAHE= -github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d/go.mod h1:uk5VrENYWqPdnnBOZCEk1XEfilOscHJckfhaWzuMJlU= -github.com/Two-Hearts/notation-go v0.0.0-20240611104501-3cdb0b204de5 h1:c0kPFznwIG9x6wa4rsy83SBg6Ht249RJEFUCKxO30ZU= -github.com/Two-Hearts/notation-go v0.0.0-20240611104501-3cdb0b204de5/go.mod h1:LSGBYYTw8mHofe13TqUBibOoVedUzpTQdTPwycku7V0= -github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4 h1:WCm4ObRL++IM3gVexV7evDbhzk2c4iAZYJmlTWIBOnQ= -github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240618052238-43b2412f153d h1:gEQfHJBM0FqpCEK4kkSJwhh0S+LIbjNOezT2SP7a8oY= +github.com/Two-Hearts/notation-core-go v0.0.0-20240618052238-43b2412f153d/go.mod h1:2+fC2xU0ai2zw1NhZS5h1lhv6mYTKorAh6xv3OnDKE4= +github.com/Two-Hearts/notation-go v0.0.0-20240618052902-b002bea38168 h1:tSrSgZfNiBCvhBB5/E6MsGnb3SXtspClg9r916IO1N4= +github.com/Two-Hearts/notation-go v0.0.0-20240618052902-b002bea38168/go.mod h1:MVcQLr53U3RvwoRaZWpiwPRzFR8HP+c5KQmvkgZ2DeY= +github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9 h1:AV5JQ4TOXFoAKgjq68j3VQJNId5CPIp7x+HUUadiyhc= +github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= @@ -75,8 +75,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= From 0040af62d902bd85d1bb8f4c1fadc30821f02814 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 20 Jun 2024 20:43:55 +0800 Subject: [PATCH 23/80] update Signed-off-by: Patrick Zheng --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index a901b1967..35fbfa882 100644 --- a/go.mod +++ b/go.mod 
@@ -34,6 +34,6 @@ require ( replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240618052238-43b2412f153d +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240620100717-817296a010e2 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240618052902-b002bea38168 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240620100629-0697044fdb65 diff --git a/go.sum b/go.sum index ec5da432f..531e42a7b 100644 --- a/go.sum +++ b/go.sum 
@@ -1,9 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240618052238-43b2412f153d h1:gEQfHJBM0FqpCEK4kkSJwhh0S+LIbjNOezT2SP7a8oY=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240618052238-43b2412f153d/go.mod h1:2+fC2xU0ai2zw1NhZS5h1lhv6mYTKorAh6xv3OnDKE4=
-github.com/Two-Hearts/notation-go v0.0.0-20240618052902-b002bea38168 h1:tSrSgZfNiBCvhBB5/E6MsGnb3SXtspClg9r916IO1N4=
-github.com/Two-Hearts/notation-go v0.0.0-20240618052902-b002bea38168/go.mod h1:MVcQLr53U3RvwoRaZWpiwPRzFR8HP+c5KQmvkgZ2DeY=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240620100717-817296a010e2 h1:6+cgNJd+MjlHer8jtnhODr4wlvpzdNlmlach1pHe3eg=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240620100717-817296a010e2/go.mod h1:2+fC2xU0ai2zw1NhZS5h1lhv6mYTKorAh6xv3OnDKE4=
+github.com/Two-Hearts/notation-go v0.0.0-20240620100629-0697044fdb65 h1:eQIiksJcUp7zhKpSVikZFKIslUq/kZjL6G+ijl0Ymfo=
+github.com/Two-Hearts/notation-go v0.0.0-20240620100629-0697044fdb65/go.mod h1:EmaTp3qStFG4Dy2LoDG5yycOXj6hQ8yuepeM56w7C4c=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9 h1:AV5JQ4TOXFoAKgjq68j3VQJNId5CPIp7x+HUUadiyhc=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
From a860d8b9b4d1fdb5b652bc9fe75a77eb0da81534 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 21 Jun 2024 18:09:09 +0800
Subject: [PATCH 24/80] updated timestamp
Signed-off-by: Patrick Zheng
---
 go.mod | 6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index 35fbfa882..42a3cf20a 100644
--- a/go.mod
+++ b/go.mod
@@ -32,8 +32,8 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9 +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240621095541-22fd76ec5c45 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240620100717-817296a010e2 +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240621095806-e751e91c74bc -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240620100629-0697044fdb65 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240621100144-b256493e8029 diff --git a/go.sum b/go.sum index 531e42a7b..bcb88b302 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240620100717-817296a010e2 h1:6+cgNJd+MjlHer8jtnhODr4wlvpzdNlmlach1pHe3eg= -github.com/Two-Hearts/notation-core-go v0.0.0-20240620100717-817296a010e2/go.mod h1:2+fC2xU0ai2zw1NhZS5h1lhv6mYTKorAh6xv3OnDKE4= -github.com/Two-Hearts/notation-go v0.0.0-20240620100629-0697044fdb65 h1:eQIiksJcUp7zhKpSVikZFKIslUq/kZjL6G+ijl0Ymfo= -github.com/Two-Hearts/notation-go v0.0.0-20240620100629-0697044fdb65/go.mod h1:EmaTp3qStFG4Dy2LoDG5yycOXj6hQ8yuepeM56w7C4c= -github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9 h1:AV5JQ4TOXFoAKgjq68j3VQJNId5CPIp7x+HUUadiyhc= -github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240621095806-e751e91c74bc h1:ZMwU6xLBShKcskNBLhPeADbIF1hCU029aSsXR93h1GA= +github.com/Two-Hearts/notation-core-go v0.0.0-20240621095806-e751e91c74bc/go.mod h1:8sJ1/g7FGm434RgpoIdd6x81YVAlp9h4asLYwqmRMT0= +github.com/Two-Hearts/notation-go v0.0.0-20240621100144-b256493e8029 h1:+9XfuezjiTNYhSGmdhog3/L60ph6IgCztU2P6Uoee+g= +github.com/Two-Hearts/notation-go v0.0.0-20240621100144-b256493e8029/go.mod h1:ONKWYJdhLkEhkWX8ulaVag9kq08ENezYvXlwsBCOCig= +github.com/Two-Hearts/tspclient-go v0.0.0-20240621095541-22fd76ec5c45 h1:HkEtw8GJ9aKmFjyBfvGvyCpH06Ox/5X7bpmIG+v+bjM= +github.com/Two-Hearts/tspclient-go v0.0.0-20240621095541-22fd76ec5c45/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= From 9ecbb9a1e66455ed14097e74b05c877e3673b0c6 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 13:21:10 +0800 Subject: [PATCH 25/80] adding tests Signed-off-by: Patrick Zheng --- cmd/notation/cert/add.go | 3 +++ cmd/notation/cert/delete.go | 3 +++ cmd/notation/cert/list.go | 3 +++ cmd/notation/cert/show.go | 3 +++ test/e2e/suite/command/sign.go | 21 +++++++++++++++++++++ test/e2e/suite/command/verify.go | 10 ++++++++++ 6 files changed, 43 insertions(+) diff --git a/cmd/notation/cert/add.go b/cmd/notation/cert/add.go index 4796436ae..c4d489d31 100644 --- a/cmd/notation/cert/add.go +++ b/cmd/notation/cert/add.go @@ -48,6 +48,9 @@ Example - Add a certificate to the "ca" type of a named store "acme-rockets": Example - Add a certificate to the "signingAuthority" type of a named store "wabbit-networks": notation cert add --type signingAuthority --store wabbit-networks wabbit-networks.pem + +Example - Add a certificate to the "tsa" type of a named store "timestamp": + notation cert add --type tsa --store timestamp wabbit-networks-timestamp.pem `, RunE: func(cmd *cobra.Command, args []string) error { return addCerts(opts) diff --git a/cmd/notation/cert/delete.go b/cmd/notation/cert/delete.go index 8b917b653..044f240c0 100644 --- a/cmd/notation/cert/delete.go +++ b/cmd/notation/cert/delete.go @@ -59,6 +59,9 @@ Example - Delete certificate "cert1.pem" with "signingAuthority" type from trust Example - Delete all certificates with "ca" type from the trust store "acme-rockets", without prompt for confirmation: notation cert delete --type ca --store acme-rockets -y --all + +Example - Delete certificate "wabbit-networks-timestamp.pem" with "tsa" type from trust store timestamp: + notation cert delete --type tsa --store timestamp wabbit-networks-timestamp.pem -y `, RunE: func(cmd *cobra.Command, args []string) error { return deleteCerts(opts) 
diff --git a/cmd/notation/cert/list.go b/cmd/notation/cert/list.go index bcaceebc3..6321ff7b8 100644 --- a/cmd/notation/cert/list.go +++ b/cmd/notation/cert/list.go @@ -54,6 +54,9 @@ Example - List all certificate files from trust store of type "ca" Example - List all certificate files from trust store "wabbit-networks" of type "signingAuthority" notation cert ls --type signingAuthority --store "wabbit-networks" + +Example - List all certificate files from trust store of type "tsa" + notation cert ls --type tsa `, RunE: func(cmd *cobra.Command, args []string) error { return listCerts(cmd.Context(), opts) diff --git a/cmd/notation/cert/show.go b/cmd/notation/cert/show.go index f8d561b7d..cc0ff1464 100644 --- a/cmd/notation/cert/show.go +++ b/cmd/notation/cert/show.go @@ -57,6 +57,9 @@ Example - Show details of certificate "cert1.pem" with type "ca" from trust stor Example - Show details of certificate "cert2.pem" with type "signingAuthority" from trust store "wabbit-networks": notation cert show --type signingAuthority --store wabbit-networks cert2.pem + +Example - Show details of certificate "wabbit-networks-timestamp.pem" with type "tsa" from trust store "timestamp": + notation cert show --type tsa --store timestamp wabbit-networks-timestamp.pem `, RunE: func(cmd *cobra.Command, args []string) error { return showCerts(cmd.Context(), opts) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 8354d8696..478523217 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
@@ -257,4 +257,25 @@ var _ = Describe("notation sign", func() { MatchKeyWords(VerifySuccessfully) }) }) + + It("with timestamping", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + }) + }) + + It("with invalid tsa server", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--tsa-url", "http://invalid.com", artifact.ReferenceWithDigest()). + MatchErrKeyWords(SignSuccessfully) + }) + }) + + It("with SHA1-RSA cert signature algorithm", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", artifact.ReferenceWithDigest()). + MatchErrKeyWords(SignSuccessfully) + }) + }) }) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index f27384301..8d72633ff 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go @@ -211,4 +211,14 @@ var _ = Describe("notation verify", func() { MatchKeyWords(VerifySuccessfully) }) }) + + It("with timestamp countersignature", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) }) From ad1fb956035dbb8c83c043548c1adb7ec6965e01 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 13:27:55 +0800 Subject: [PATCH 26/80] fix tests 
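Review bot: The two failure cases, `It("with invalid tsa server")` and `It("with SHA1-RSA cert signature algorithm")`, assert `MatchErrKeyWords(SignSuccessfully)` — the success keyword on the error stream of a run that `ExpectFailure()` requires to fail — which looks like a copy of the success case and cannot tell the intended timestamping failure from any other failure. Each case should match the specific error it is meant to provoke (the unreachable TSA and the rejected TSA certificate respectively). All three cases also depend on live third-party TSA endpoints and on `http://invalid.com` not answering, so the suite is no longer hermetic; a test label that lets offline CI skip these, or a local stub TSA, would make the results reproducible. The enclosing `Describe("notation sign")` block starts outside the hunk.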
Signed-off-by: Patrick Zheng --- test/e2e/suite/command/sign.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 478523217..648591434 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -268,14 +268,15 @@ var _ = Describe("notation sign", func() { It("with invalid tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--tsa-url", "http://invalid.com", artifact.ReferenceWithDigest()). - MatchErrKeyWords(SignSuccessfully) + MatchErrKeyWords("Error: timestamp: Post \"http://invalid.com\""). + MatchErrKeyWords("server misbehaving") }) }) - It("with SHA1-RSA cert signature algorithm", func() { + It("with cannot retrieve any tsa root certificate", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", artifact.ReferenceWithDigest()). - MatchErrKeyWords(SignSuccessfully) + MatchErrKeyWords("Error: timestamp: failed to verify signed token: failed to set up root certificate pool: cannot retrieve any tsa root certificate") }) }) }) From e148bbaf6c080603ee64053c2e2ee3937e8f0583 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 14:05:19 +0800 Subject: [PATCH 27/80] fix tests Signed-off-by: Patrick Zheng --- test/e2e/internal/notation/host.go | 21 +++++++++++++++++++ test/e2e/suite/command/verify.go | 5 +++-- .../trustpolicies/timestamp_trustpolicy.json | 17 +++++++++++++++ 3 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 test/e2e/testdata/config/trustpolicies/timestamp_trustpolicy.json diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go index 4a93b9de0..363e71441 100644 --- a/test/e2e/internal/notation/host.go 
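Review bot: The `with invalid tsa server` case now matches `server misbehaving`, which is the text Go's resolver emits for one particular DNS failure mode; a resolver that returns NXDOMAIN produces `no such host` instead, and `invalid.com` is a registrable domain rather than a reserved name, so the assertion depends on the CI host's DNS. Use a host under the RFC 2606 reserved `.invalid` TLD and match only the stable prefix, e.g. `Exec("sign", "--tsa-url", "http://tsa.invalid", ...)` with `MatchErrKeyWords("Error: timestamp: Post \"http://tsa.invalid\"")` (constructed example). The renamed `with cannot retrieve any tsa root certificate` case still needs a live external TSA to answer before the local root-pool check can fail, so it shares the network dependency raised on the previous patch.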
+++ b/test/e2e/internal/notation/host.go @@ -129,6 +129,17 @@ func BaseOptions() []utils.HostOption { ) } +// BaseTimestampOptions returns a list of base timestamp Options for a valid +// notation testing environment. +func BaseTimestampOptions() []utils.HostOption { + return Opts( + AuthOption("", ""), + AddKeyOption("e2e.key", "e2e.crt"), + AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), + AddTrustPolicyOption("timestamp_trustpolicy.json"), + ) +} + func BaseOptionsWithExperimental() []utils.HostOption { return Opts( AuthOption("", ""), @@ -189,6 +200,16 @@ func AddTrustStoreOption(namedstore string, srcCertPath string) utils.HostOption } } +// AddTimestampTrustStoreOption adds the test tsa cert to the trust store. +func AddTimestampTrustStoreOption(namedstore string, srcCertPath string) utils.HostOption { + return func(vhost *utils.VirtualHost) error { + vhost.Executor. + Exec("cert", "add", "--type", "tsa", "--store", namedstore, srcCertPath). + MatchKeyWords("Successfully added following certificates") + return nil + } +} + // AddTrustPolicyOption adds a valid trust policy for testing. func AddTrustPolicyOption(trustpolicyName string) utils.HostOption { return func(vhost *utils.VirtualHost) error { diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 8d72633ff..a8b7e37f8 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
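Review bot: `BaseTimestampOptions` registers only a `tsa` trust store, yet `timestamp_trustpolicy.json` added in this same commit lists both `ca:e2e` and `tsa:e2e`, so a verify run under these options has no CA store to validate the signing certificate against; add `AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),` next to the tsa entry. The tsa store is also seeded with `e2e.crt`, the signing leaf certificate, rather than a TSA root, so a timestamp from a real TSA cannot chain to it — presumably a placeholder until a TSA root is added to testdata, and worth a `// TODO` saying so. In the second hunk, the doc comment on `AddTimestampTrustStoreOption` could state that the certificate at srcCertPath is added under `--type tsa` into the named store and that a failed add surfaces through the `MatchKeyWords` assertion, since the option itself always returns nil.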
@@ -212,13 +212,14 @@ var _ = Describe("notation verify", func() { }) }) - It("with timestamp countersignature", func() { + It("with timestamp verification disabled", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) + MatchKeyWords(VerifySuccessfully). + MatchKeyWords("Timestamp verification disabled") }) }) }) diff --git a/test/e2e/testdata/config/trustpolicies/timestamp_trustpolicy.json b/test/e2e/testdata/config/trustpolicies/timestamp_trustpolicy.json new file mode 100644 index 000000000..d210233b2 --- /dev/null +++ b/test/e2e/testdata/config/trustpolicies/timestamp_trustpolicy.json @@ -0,0 +1,17 @@ +{ + "version": "1.0", + "trustPolicies": [ + { + "name": "e2e", + "registryScopes": [ "*" ], + "signatureVerification": { + "level" : "strict", + "verifyTimestamp": "always" + }, + "trustStores": [ "ca:e2e", "tsa:e2e" ], + "trustedIdentities": [ + "*" + ] + } + ] +} \ No newline at end of file From d7e51866f22304e40fbabbec47afa1e4410cd217 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 14:24:23 +0800 Subject: [PATCH 28/80] added more e2e tests Signed-off-by: Patrick Zheng --- test/e2e/internal/notation/host.go | 2 +- test/e2e/suite/command/verify.go | 11 +++++++++++ .../config/timestamp/globalsignTSARoot.cer | Bin 0 -> 1415 bytes 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 test/e2e/testdata/config/timestamp/globalsignTSARoot.cer diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go index 363e71441..2c5697721 100644 --- a/test/e2e/internal/notation/host.go +++ b/test/e2e/internal/notation/host.go 
@@ -135,7 +135,7 @@ func BaseTimestampOptions() []utils.HostOption { return Opts( AuthOption("", ""), AddKeyOption("e2e.key", "e2e.crt"), - AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), + AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.crt")), AddTrustPolicyOption("timestamp_trustpolicy.json"), ) } diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index a8b7e37f8..6862618c1 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go @@ -222,4 +222,15 @@ var _ = Describe("notation verify", func() { MatchKeyWords("Timestamp verification disabled") }) }) + + It("with timestamp verification", func() { + Host(BaseTimestampOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully). + MatchKeyWords("Timestamp range:") + }) + }) }) 
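Review bot: The new path ends in `globalsignTSARoot.crt`, but the file this commit adds (per the diffstat) is `test/e2e/testdata/config/timestamp/globalsignTSARoot.cer`, so `cert add` will fail on a missing file and every host built from `BaseTimestampOptions` fails setup; change the last element to `"globalsignTSARoot.cer"`. Because this binary file now acts as a trust anchor for the e2e suite and cannot be reviewed as text, record its provenance next to the reference, e.g. `// globalsignTSARoot.cer: GlobalSign timestamping root, fetched from <SOURCE-URL>, SHA-256 <FINGERPRINT>` with the real values filled in. In the verify.go hunk on the same line, `MatchKeyWords("Timestamp range:")` checks stdout; if the verbose timestamp output is logged to stderr like the "Timestamp verification disabled" line appears to be, `MatchErrKeyWords` is the intended call — confirm which stream `-v` output goes to.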
diff --git a/test/e2e/testdata/config/timestamp/globalsignTSARoot.cer b/test/e2e/testdata/config/timestamp/globalsignTSARoot.cer new file mode 100644 index 0000000000000000000000000000000000000000..3492b9555d8a927fc048accbdfd510d973a4bf8a GIT binary patch literal 1415 zcmXqLVr@2PV$NQ`%*4pV#OL~KH*>S`;nq}-Xa8LT4S3l&wc0$|zVk9N@~|=(_!ue} z$gwepvTzHFyXWL5CFTTYrspXH<>!|uI6ErnDg>Ds3L6N5RB#D%AymKwnUMtzrbf z7RhT}D$uKbzGw38+~7wZH9Z3C7XQ;Wl_%Ccc-3RGYRi&upQm~WvFHBn+0=Rd!h*!| z6A>jFt|(i5kF`3r==NOBd$BIM6FxSc4WIO@ZchM9vdR7I$rAgr%{Ey+S)*dM{loih zGQ#1Lx82+H<5BDO;zc`5SGj(AFxPBhen{8HqOd%@j-!E2E}~Q3Ek0^7ZML6Z6u0|l zHZ#w1gFS`jPnW$>4}38Fd-9e>uasbWK_l0SS*5b`tlC%^=G|_%ruy>^>pb;H zpEAqnS3j37ywS{m@&A1T!JnWsAklyin0{sX85#exumCd!n*l$FFAUt}2QM&?2T3clNEnDUU{`>etANRnk)c`j?Td?lrv{y!cYtNV z#LQ-Z{64y*oN&oy5m`>wTczfjL3M=6i0;sxcI$G64QH=U6C z7a^^oy&`9ATM4e8`Et>2H?s`?&tUywgCL-KSq* zf7`U1Go!Z543}AQX18c(@Gc!z{wGJ~Np6%dx#}}_*W2&%>s6+*RIFg${jTxpt@xU5 zuZ0szRF`kI^FE;yw)gmn_ZE+0CVi;XtY?ygew1xBAHBZk2sXLxY73M8i@v-TJt6k1Drt4hk L&8$%;mk0m=(y?My literal 0 HcmV?d00001 From 388d223c8d8c3bf481f4783c7e94b7e807fbd763 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 14:36:20 +0800 Subject: [PATCH 29/80] fix e2e Signed-off-by: Patrick Zheng --- test/e2e/internal/notation/host.go | 2 +- test/e2e/suite/command/verify.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go index 2c5697721..2ed6fc029 100644 --- a/test/e2e/internal/notation/host.go +++ b/test/e2e/internal/notation/host.go @@ -135,7 +135,7 @@ func BaseTimestampOptions() []utils.HostOption { return Opts( AuthOption("", ""), AddKeyOption("e2e.key", "e2e.crt"), - AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.crt")), + AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer")), AddTrustPolicyOption("timestamp_trustpolicy.json"), ) } 
diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 6862618c1..9c92c7cc0 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go @@ -219,7 +219,7 @@ var _ = Describe("notation verify", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully). - MatchKeyWords("Timestamp verification disabled") + MatchErrKeyWords("Timestamp verification disabled") }) }) From e34897c67694f43ef553de3bab4e2fe365da4987 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 14:39:08 +0800 Subject: [PATCH 30/80] fix e2e Signed-off-by: Patrick Zheng --- test/e2e/internal/notation/host.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go index 2ed6fc029..f75ff14b9 100644 --- a/test/e2e/internal/notation/host.go +++ b/test/e2e/internal/notation/host.go @@ -135,6 +135,7 @@ func BaseTimestampOptions() []utils.HostOption { return Opts( AuthOption("", ""), AddKeyOption("e2e.key", "e2e.crt"), + AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer")), AddTrustPolicyOption("timestamp_trustpolicy.json"), ) From c7debce6fc8f6d816818044903f52ff9d74b73a0 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 14:43:21 +0800 Subject: [PATCH 31/80] fix e2e Signed-off-by: Patrick Zheng --- test/e2e/suite/command/verify.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 9c92c7cc0..bc8aded15 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
@@ -230,7 +230,7 @@ var _ = Describe("notation verify", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully). - MatchKeyWords("Timestamp range:") + MatchErrKeyWords("Timestamp range:") }) }) }) From c8c4a093de4bfabfff8030494ddd5e47931300aa Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 24 Jun 2024 20:32:49 +0800 Subject: [PATCH 32/80] added tsa-root-cert Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 42 ++++++++++++++++++++++++-------- go.mod | 6 ++--- go.sum | 12 ++++----- test/e2e/suite/command/sign.go | 11 +++++---- test/e2e/suite/command/verify.go | 5 ++-- 5 files changed, 50 insertions(+), 26 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 0f3480cb9..8313e86c9 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -20,6 +20,7 @@ import ( "strings" "time" + corex509 "github.com/notaryproject/notation-core-go/x509" "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" @@ -34,15 +35,16 @@ type signOpts struct { cmd.LoggingFlagOpts cmd.SignerFlagOpts SecureFlagOpts - expiry time.Duration - pluginConfig []string - userMetadata []string - reference string - allowReferrersAPI bool - forceReferrersTag bool - ociLayout bool - inputType inputType - tsaServerURL string + expiry time.Duration + pluginConfig []string + userMetadata []string + reference string + allowReferrersAPI bool + forceReferrersTag bool + ociLayout bool + inputType inputType + tsaServerURL string + tsaRootCertificatePath string } func signCommand(opts *signOpts) *cobra.Command { 
@@ -96,6 +98,14 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced return nil }, PreRunE: func(cmd *cobra.Command, args []string) error { + if cmd.Flags().Changed("tsa-url") { + if opts.tsaServerURL == "" { + return errors.New("tsa-url is set with empty value") + } + if opts.tsaRootCertificatePath == "" { + return errors.New("tsa root certificate path cannot be empty") + } + } if opts.ociLayout { opts.inputType = inputTypeOCILayout } @@ -122,9 +132,11 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage) cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign")) command.Flags().StringVar(&opts.tsaServerURL, "tsa-url", "", "timestamp authority server URL") + command.Flags().StringVar(&opts.tsaRootCertificatePath, "tsa-root-cert", "", "filepath of trusted tsa root certificate") cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api") + command.MarkFlagsRequiredTogether("tsa-url", "tsa-root-cert") experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } 
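Review bot: The PreRunE branch in the first hunk and `command.MarkFlagsRequiredTogether("tsa-url", "tsa-root-cert")` in the second overlap: cobra's required-together check fires on flag presence, so the manual branch only adds rejection of explicitly empty values (`--tsa-url ""`, `--tsa-root-cert ""`), and a reader may otherwise take one of the two as dead code. A comment makes the split deliberate: `// MarkFlagsRequiredTogether only checks presence; reject explicitly empty values here.` The branch calls `errors.New`, while the import hunk in this commit adds only `corex509`, so confirm `errors` is already imported in sign.go. Since the examples use a plain-http `--tsa-url`, a one-line comment on the flag that the timestamp token is trusted only through verification against `--tsa-root-cert`, not through the transport, would help users choose the root carefully.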
@@ -188,9 +200,19 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) { SignatureMediaType: mediaType, ExpiryDuration: opts.expiry, PluginConfig: pluginConfig, - TSAServerURL: opts.tsaServerURL, }, UserMetadata: userMetadata, } + if opts.tsaRootCertificatePath != "" { + rootCerts, err := corex509.ReadCertificateFile(opts.tsaRootCertificatePath) + if err != nil { + return notation.SignOptions{}, err + } + if len(rootCerts) == 0 { + return notation.SignOptions{}, fmt.Errorf("cannot read tsa root certificate from %q", opts.tsaRootCertificatePath) + } + signOpts.TSAServerURL = opts.tsaServerURL + signOpts.TSARootCertificate = rootCerts[0] + } return signOpts, nil } diff --git a/go.mod b/go.mod index 42a3cf20a..fec90e0c0 100644 --- a/go.mod +++ b/go.mod @@ -32,8 +32,8 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240621095541-22fd76ec5c45 +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240624080215-1284fbf408ce -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240621095806-e751e91c74bc +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240624084736-28b80547d251 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240621100144-b256493e8029 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240624090216-329760b186ae diff --git a/go.sum b/go.sum index bcb88b302..2d872643f 100644 --- a/go.sum +++ b/go.sum 
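Review bot: `rootCerts[0]` silently uses only the first certificate when the file given to `--tsa-root-cert` holds several, so a user who passes a bundle gets whichever certificate happens to be first as the sole trust anchor for the timestamp token, with no diagnostic; the ambiguity should be an error: `if len(rootCerts) != 1 { return notation.SignOptions{}, fmt.Errorf("expected exactly one tsa root certificate in %q, got %d", opts.tsaRootCertificatePath, len(rootCerts)) }` in place of the `== 0` check. The `ReadCertificateFile` error is also returned bare; wrapping it as `fmt.Errorf("reading tsa root certificate %q: %w", opts.tsaRootCertificatePath, err)` tells the user which flag was at fault. A short comment that `TSAServerURL` is set only inside this branch because the two flags are required together would save the next reader from looking for the other assignment. The go.mod hunk on this line carries the fork `replace` pins already noted on patch 22.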
@@ -1,11 +1,11 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240621095806-e751e91c74bc h1:ZMwU6xLBShKcskNBLhPeADbIF1hCU029aSsXR93h1GA= -github.com/Two-Hearts/notation-core-go v0.0.0-20240621095806-e751e91c74bc/go.mod h1:8sJ1/g7FGm434RgpoIdd6x81YVAlp9h4asLYwqmRMT0= -github.com/Two-Hearts/notation-go v0.0.0-20240621100144-b256493e8029 h1:+9XfuezjiTNYhSGmdhog3/L60ph6IgCztU2P6Uoee+g= -github.com/Two-Hearts/notation-go v0.0.0-20240621100144-b256493e8029/go.mod h1:ONKWYJdhLkEhkWX8ulaVag9kq08ENezYvXlwsBCOCig= -github.com/Two-Hearts/tspclient-go v0.0.0-20240621095541-22fd76ec5c45 h1:HkEtw8GJ9aKmFjyBfvGvyCpH06Ox/5X7bpmIG+v+bjM= -github.com/Two-Hearts/tspclient-go v0.0.0-20240621095541-22fd76ec5c45/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240624084736-28b80547d251 h1:DsSiFI1r5pxwqgpJq739UTW+r2HZWVhDfKzCGPAuC8E= +github.com/Two-Hearts/notation-core-go v0.0.0-20240624084736-28b80547d251/go.mod h1:ziEtD5U/wCeZNoRJo8JeRJxQgl0AxajLb+v/Hv8p5lM= +github.com/Two-Hearts/notation-go v0.0.0-20240624090216-329760b186ae h1:36x3mYjO7/OJAeIYoelhBO2TJUcKKW5CUHhncqCPvy8= +github.com/Two-Hearts/notation-go v0.0.0-20240624090216-329760b186ae/go.mod h1:l+2645JOPs06s6mKIQi5w5zujIxMUDicXeTs3m0I6v4= +github.com/Two-Hearts/tspclient-go v0.0.0-20240624080215-1284fbf408ce h1:2AP1Rk5iOUQETSeBwst7ZzDsdHTEllMC46FfUBMUGr4= +github.com/Two-Hearts/tspclient-go v0.0.0-20240624080215-1284fbf408ce/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 648591434..c4a2a5056 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -15,6 +15,7 @@ package command import ( "fmt" + "path/filepath" "time" . "github.com/notaryproject/notation/test/e2e/internal/notation" 
@@ -260,23 +261,23 @@ var _ = Describe("notation sign", func() { It("with timestamping", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) }) }) It("with invalid tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "http://invalid.com", artifact.ReferenceWithDigest()). + notation.ExpectFailure().Exec("sign", "--tsa-url", "http://invalid.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: timestamp: Post \"http://invalid.com\""). MatchErrKeyWords("server misbehaving") }) }) - It("with cannot retrieve any tsa root certificate", func() { + It("with empty tsa root certificate path", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", artifact.ReferenceWithDigest()). - MatchErrKeyWords("Error: timestamp: failed to verify signed token: failed to set up root certificate pool: cannot retrieve any tsa root certificate") + notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", "", artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: tsa root certificate path cannot be empty") }) }) }) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index bc8aded15..be640c7f4 100644 --- a/test/e2e/suite/command/verify.go 
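Review bot: The "with invalid tsa server" case (first `ExpectFailure` line of this hunk) now also passes `--tsa-root-cert`, but it still sends the timestamp request to `http://invalid.com`, a public domain that is not reserved, and matches the Go-resolver-specific wording `server misbehaving`; a name under the RFC 2606 `.invalid` TLD, e.g. `--tsa-url", "http://tsa.invalid"` with the matched `Post \"…\"` keyword adjusted to match, is guaranteed never to resolve, so the failure would not depend on DNS state or resolver messages. Separately, `filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer")` is repeated on every `Exec` line here and again in both verify.go hunks of this commit; a single package-level value next to `NotationE2EConfigPath`, such as `var GlobalsignTSARootCert = filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer")`, keeps the fixture path in one place. The enclosing `Describe` block starts before the hunk.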
+++ b/test/e2e/suite/command/verify.go @@ -15,6 +15,7 @@ package command import ( "fmt" + "path/filepath" . "github.com/notaryproject/notation/test/e2e/internal/notation" "github.com/notaryproject/notation/test/e2e/internal/utils" @@ -214,7 +215,7 @@ var _ = Describe("notation verify", func() { It("with timestamp verification disabled", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). @@ -225,7 +226,7 @@ var _ = Describe("notation verify", func() { It("with timestamp verification", func() { Host(BaseTimestampOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). From 7ef3850f940b24be62d63107cdc23367ac2a33a2 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 25 Jun 2024 16:12:06 +0800 Subject: [PATCH 33/80] updated e2e tests 
Signed-off-by: Patrick Zheng --- go.mod | 6 ++--- go.sum | 12 ++++----- test/e2e/internal/notation/host.go | 16 ++++++++--- test/e2e/suite/command/verify.go | 25 +++++++++++++++++- .../timestamp/DigiCertTSARootSHA384.cer | Bin 0 -> 1428 bytes ...mestamp_after_cert_expiry_trustpolicy.json | 17 ++++++++++++ ...timestamp_skip_revocation_trustpolicy.json | 18 +++++++++++++ 7 files changed, 81 insertions(+), 13 deletions(-) create mode 100644 test/e2e/testdata/config/timestamp/DigiCertTSARootSHA384.cer create mode 100644 test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json create mode 100644 test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json diff --git a/go.mod b/go.mod index fec90e0c0..e2462aebe 100644 --- a/go.mod +++ b/go.mod @@ -32,8 +32,8 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240624080215-1284fbf408ce +replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240624084736-28b80547d251 +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240624090216-329760b186ae +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240625072006-ac78ce19b1a7 diff --git a/go.sum b/go.sum index 2d872643f..cc1dc47c5 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,11 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240624084736-28b80547d251 h1:DsSiFI1r5pxwqgpJq739UTW+r2HZWVhDfKzCGPAuC8E=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240624084736-28b80547d251/go.mod h1:ziEtD5U/wCeZNoRJo8JeRJxQgl0AxajLb+v/Hv8p5lM=
-github.com/Two-Hearts/notation-go v0.0.0-20240624090216-329760b186ae h1:36x3mYjO7/OJAeIYoelhBO2TJUcKKW5CUHhncqCPvy8=
-github.com/Two-Hearts/notation-go v0.0.0-20240624090216-329760b186ae/go.mod h1:l+2645JOPs06s6mKIQi5w5zujIxMUDicXeTs3m0I6v4=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240624080215-1284fbf408ce h1:2AP1Rk5iOUQETSeBwst7ZzDsdHTEllMC46FfUBMUGr4=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240624080215-1284fbf408ce/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 h1:l5T/KFTnK+UIlyGKUgLcp2Up5IXVO1iOuQSrjR5jTt0=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899/go.mod h1:DaE3dTbfW9bLOquUENRPwtAE8He+5Oz2lWy3oCpn4RE=
+github.com/Two-Hearts/notation-go v0.0.0-20240625072006-ac78ce19b1a7 h1:VFTLvhUgtDeHzj9P1EsDX9Nwh2h3sSIg9+lk6RXNQJU=
+github.com/Two-Hearts/notation-go v0.0.0-20240625072006-ac78ce19b1a7/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d h1:PJ4BkFIkKpRYFtuJsE5oOaJt4LY5zf0Zjjd3UE/JhmM=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 
v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go index f75ff14b9..d42f19ebd 100644 --- a/test/e2e/internal/notation/host.go +++ b/test/e2e/internal/notation/host.go @@ -129,15 +129,25 @@ func BaseOptions() []utils.HostOption { ) } -// BaseTimestampOptions returns a list of base timestamp Options for a valid +// TimestampOptions returns a list of timestamp Options for a valid // notation testing environment. -func BaseTimestampOptions() []utils.HostOption { +func TimestampOptions(verifyTimestamp string, skipTimestampingRevocationCheck bool) []utils.HostOption { + var trustPolicyOption utils.HostOption + if skipTimestampingRevocationCheck { + trustPolicyOption = AddTrustPolicyOption("timestamp_skip_revocation_trustpolicy.json") + } else { + trustPolicyOption = AddTrustPolicyOption("timestamp_trustpolicy.json") + } + if verifyTimestamp == "afterCertExpiry" { + trustPolicyOption = AddTrustPolicyOption("timestamp_after_cert_expiry_trustpolicy") + } + return Opts( AuthOption("", ""), AddKeyOption("e2e.key", "e2e.crt"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer")), - AddTrustPolicyOption("timestamp_trustpolicy.json"), + trustPolicyOption, ) } diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index be640c7f4..786c25f29 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
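Review bot: `TimestampOptions` takes `verifyTimestamp` as a free-form string but recognises only `"afterCertExpiry"`; any other non-empty value (a typo in a test) silently selects the default policy, and when `"afterCertExpiry"` is combined with `skipTimestampingRevocationCheck == true` the second `if` silently overwrites the skip policy chosen just above it. A `switch` that rejects unsupported values and combinations loudly makes each test pin exactly one policy fixture; the fence below sketches it (the missing `.json` suffix on the after-cert-expiry path is already corrected in the later "fixed e2e tests" commit, so it is not re-raised). The doc comment should also state what each argument selects, e.g. `// TimestampOptions returns host options for timestamp verification; verifyTimestamp selects the trust policy's verifyTimestamp setting ("" or "afterCertExpiry") and skipTimestampingRevocationCheck selects the policy that sets skipTimestampRevocationCheck.`
```go
func TimestampOptions(verifyTimestamp string, skipTimestampingRevocationCheck bool) []utils.HostOption {
	var trustPolicyOption utils.HostOption
	switch {
	case verifyTimestamp == "afterCertExpiry" && skipTimestampingRevocationCheck:
		panic("TimestampOptions: no trust policy fixture combines afterCertExpiry with skipTimestampRevocationCheck")
	case verifyTimestamp == "afterCertExpiry":
		trustPolicyOption = AddTrustPolicyOption("timestamp_after_cert_expiry_trustpolicy.json")
	case verifyTimestamp != "":
		panic("TimestampOptions: unsupported verifyTimestamp value: " + verifyTimestamp)
	case skipTimestampingRevocationCheck:
		trustPolicyOption = AddTrustPolicyOption("timestamp_skip_revocation_trustpolicy.json")
	default:
		trustPolicyOption = AddTrustPolicyOption("timestamp_trustpolicy.json")
	}
	// … unchanged: return Opts(...) with the key, trust store and trustPolicyOption …
}
```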
@@ -225,7 +225,7 @@ var _ = Describe("notation verify", func() { }) It("with timestamp verification", func() { - Host(BaseTimestampOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + Host(TimestampOptions("", false), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) 
@@ -234,4 +234,27 @@ var _ = Describe("notation verify", func() { MatchErrKeyWords("Timestamp range:") }) }) + + It("with timestamp verification skipping tsa cert chain revocation check", func() { + Host(TimestampOptions("", true), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully). + MatchErrKeyWords("Timestamp range:"). + NoMatchErrKeyWords("Checking timestamping certificate chain revocation...") + }) + }) + + It("with timestamp verification after cert expiry", func() { + Host(TimestampOptions("afterCertExpiry", false), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully). + MatchErrKeyWords("Timestamp verification disabled: verifyTimestamp is set to \"afterCertExpiry\" and signing cert chain unexpired") + }) + }) }) 
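Review bot: The case named "with timestamp verification after cert expiry" actually asserts that timestamp verification was disabled (the signing cert chain is unexpired, so the `afterCertExpiry` policy skips it), while the name reads as if the expired-cert path were exercised. Renaming it, e.g. `It("with verifyTimestamp afterCertExpiry and unexpired signing cert chain", func() {`, or a one-line comment above the `It` saying that the skip branch is what is under test, prevents a reader from assuming expired-cert timestamp verification is covered. In the preceding case, `NoMatchErrKeyWords("Checking timestamping certificate chain revocation...")` is the only evidence that the revocation check was skipped; if that log line is ever reworded the assertion passes vacuously, so pairing it with a positive match on output the skip path emits (if the CLI prints one) would be more robust. The enclosing `Describe` block starts before the hunk.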
diff --git a/test/e2e/testdata/config/timestamp/DigiCertTSARootSHA384.cer b/test/e2e/testdata/config/timestamp/DigiCertTSARootSHA384.cer new file mode 100644 index 0000000000000000000000000000000000000000..99bcc84b7e68b5b28e4444f6fa21bc7c2baf497d GIT binary patch literal 1428 zcmXqLVx3^n#9Xm}nTe5!Nq}{>bojhJMWaWS?0c7&m&O?IvTn?JkswJuAWqo zP1e*s_a@Ho#N;1}iL*^!vmT3k6D_sp^~v*R*O)lOZ>&mtSAN1{MOt|H{E&z~9_{V^ z%MEUZy*pJM`*`h1|G1~7&kaxCnjCkhufO5ewuv(wCR84-IKFM;k*!%07R&;@H?Ej3 z(PORc_}XMAFtK2DXp^JS_1i4PT6q&0YZQI1>{%zxTpC-EcGJqxWtOqSeva!=o=Xlr zTe%?p?h^Gq3;iv(3Py;3SBY`!Px*c@v!iTAnQdgOQ(1fG^vo)c4-XazNvF*!Id#ul z?m1ubx@TA3Pnu*k&-M<(6Ia#FZL?e?wd)Q{*>Wi{_qFlOqxZd87|ztnOg-HHU2)SU z!R@>2KV9u9&~Z#ywJ}-3WvWzJQr)+P4ZmNcEHl2?$^LNf_GivZBz7z-XMD&%g-20# zQ;4Q&XUw*5U*l71pZrEK z{)j?gcK*iIZQcHduDQm~Rrs?|?&yL3MH}n5)MkEtlBqvKR`=`8m78RrN;5GtGB7T7 zGH@{92PS7(VMfOPEUX61K+1p*B)|_6U;*Z-HUn7@pN~b1MdZ!($4!?CV^e(Y>!sU2 z-!)^M48K2eDg$OPU@Bu|*qwN@c4f{!@gozZ4=-HA(EB(ggFozi`MQFie`k5k+~v@ z;|G_o$XKF&XYNn+bq1|Fzoq+H+4VTN((ZIU8a!-?Xwiwjs2;$JM? zvV8rD@42RPYNEQXEwY&TxuW}v?-ZoX1m*e!D1M{-ku zW1+3RZ-H_fkJp{XOJ|IxwD59pPM7gN@Ge`S#Ng5cOA~=sMNvkM7okS?3O#RXhzIyS z+vj_+bj^iRza4itFI{!{FsqBdj@j%-zaF{nP!7&v%TEujciZY?pQjO3sdj0}ilph6 zfR&$*WHWvetKHnrfA0t)=$1ze_=^}`TkG{L*Rlgt&`^}&Rl)f&LXk-+o%1iN!lfsC)s~w6 z?Tp>inj~vqxWQ7QGU@KxG3!Bhh+^5 ouE}lQ!_OaFs=4ZwaQTyaJ&lTM*#+DM*S6cTUo72o{&QL#0GZBIfB*mh literal 0 HcmV?d00001 diff --git a/test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json b/test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json new file mode 100644 index 000000000..d210233b2 --- /dev/null +++ b/test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json 
@@ -0,0 +1,17 @@ +{ + "version": "1.0", + "trustPolicies": [ + { + "name": "e2e", + "registryScopes": [ "*" ], + "signatureVerification": { + "level" : "strict", + "verifyTimestamp": "always" + }, + "trustStores": [ "ca:e2e", "tsa:e2e" ], + "trustedIdentities": [ + "*" + ] + } + ] +} \ No newline at end of file diff --git a/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json b/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json new file mode 100644 index 000000000..1b0ce36de --- /dev/null +++ b/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json @@ -0,0 +1,18 @@ +{ + "version": "1.0", + "trustPolicies": [ + { + "name": "e2e", + "registryScopes": [ "*" ], + "signatureVerification": { + "level" : "strict", + "verifyTimestamp": "always", + "skipTimestampRevocationCheck": true + }, + "trustStores": [ "ca:e2e", "tsa:e2e" ], + "trustedIdentities": [ + "*" + ] + } + ] +} \ No newline at end of file From 03f3303e7c1303c2a22ad06efcf1cb532ef72866 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 25 Jun 2024 16:17:05 +0800 Subject: [PATCH 34/80] fixed e2e tests Signed-off-by: Patrick Zheng --- test/e2e/internal/notation/host.go | 3 ++- .../trustpolicies/timestamp_after_cert_expiry_trustpolicy.json | 2 +- .../trustpolicies/timestamp_skip_revocation_trustpolicy.json | 1 - 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go index d42f19ebd..16ded3daa 100644 --- a/test/e2e/internal/notation/host.go +++ b/test/e2e/internal/notation/host.go 
@@ -139,7 +139,7 @@ func TimestampOptions(verifyTimestamp string, skipTimestampingRevocationCheck bo trustPolicyOption = AddTrustPolicyOption("timestamp_trustpolicy.json") } if verifyTimestamp == "afterCertExpiry" { - trustPolicyOption = AddTrustPolicyOption("timestamp_after_cert_expiry_trustpolicy") + trustPolicyOption = AddTrustPolicyOption("timestamp_after_cert_expiry_trustpolicy.json") } return Opts( @@ -147,6 +147,7 @@ func TimestampOptions(verifyTimestamp string, skipTimestampingRevocationCheck bo AddKeyOption("e2e.key", "e2e.crt"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer")), + AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer")), trustPolicyOption, ) } diff --git a/test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json b/test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json index d210233b2..1d45bce1c 100644 --- a/test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json +++ b/test/e2e/testdata/config/trustpolicies/timestamp_after_cert_expiry_trustpolicy.json @@ -6,7 +6,7 @@ "registryScopes": [ "*" ], "signatureVerification": { "level" : "strict", - "verifyTimestamp": "always" + "verifyTimestamp": "afterCertExpiry" }, "trustStores": [ "ca:e2e", "tsa:e2e" ], "trustedIdentities": [ diff --git a/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json b/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json index 1b0ce36de..24abeb7e3 100644 --- a/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json +++ b/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json 
@@ -6,7 +6,6 @@ "registryScopes": [ "*" ], "signatureVerification": { "level" : "strict", - "verifyTimestamp": "always", "skipTimestampRevocationCheck": true }, "trustStores": [ "ca:e2e", "tsa:e2e" ], From 8e0f32c0bde9d8c846010c847451ec5ffcde3971 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 25 Jun 2024 16:31:45 +0800 Subject: [PATCH 35/80] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- test/e2e/suite/command/verify.go | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index e2462aebe..553e82794 100644 --- a/go.mod +++ b/go.mod @@ -36,4 +36,4 @@ replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240625072006-ac78ce19b1a7 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240625082559-925801f5ceb3 diff --git a/go.sum b/go.sum index cc1dc47c5..d8ea5ec4d 100644 --- a/go.sum +++ b/go.sum 
@@ -2,8 +2,8 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 h1:l5T/KFTnK+UIlyGKUgLcp2Up5IXVO1iOuQSrjR5jTt0=
 github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899/go.mod h1:DaE3dTbfW9bLOquUENRPwtAE8He+5Oz2lWy3oCpn4RE=
-github.com/Two-Hearts/notation-go v0.0.0-20240625072006-ac78ce19b1a7 h1:VFTLvhUgtDeHzj9P1EsDX9Nwh2h3sSIg9+lk6RXNQJU=
-github.com/Two-Hearts/notation-go v0.0.0-20240625072006-ac78ce19b1a7/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q=
+github.com/Two-Hearts/notation-go v0.0.0-20240625082559-925801f5ceb3 h1:R374090q6OdW/P+kcO4q+HcMLGI2HvI3AD+Q44vsUBc=
+github.com/Two-Hearts/notation-go v0.0.0-20240625082559-925801f5ceb3/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d h1:PJ4BkFIkKpRYFtuJsE5oOaJt4LY5zf0Zjjd3UE/JhmM=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go
index 786c25f29..94ee9968c 100644
--- a/test/e2e/suite/command/verify.go
+++ b/test/e2e/suite/command/verify.go
@@ -215,7 +215,7 @@ var _ = Describe("notation verify", func() { It("with timestamp verification disabled", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). @@ -226,7 +226,7 @@ var _ = Describe("notation verify", func() { It("with timestamp verification", func() { Host(TimestampOptions("", false), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). 
@@ -249,12 +249,12 @@ var _ = Describe("notation verify", func() { It("with timestamp verification after cert expiry", func() { Host(TimestampOptions("afterCertExpiry", false), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully). - MatchErrKeyWords("Timestamp verification disabled: verifyTimestamp is set to \"afterCertExpiry\" and signing cert chain unexpired") + MatchErrKeyWords("Timestamp verification disabled: verifyTimestamp is set to \\\"afterCertExpiry\\\" and signing cert chain unexpired") }) }) }) From 480bd4b6ad04ecab6a1078d2a30102048f730d1b Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 25 Jun 2024 16:43:33 +0800 Subject: [PATCH 36/80] updated CLI spec for timestamping Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 3 +++ specs/commandline/sign.md | 9 +++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 8313e86c9..5faac6eb5 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
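Review bot: The updated expectation `MatchErrKeyWords("Timestamp verification disabled: verifyTimestamp is set to \\\"afterCertExpiry\\\" and signing cert chain unexpired")` means the user-facing log line literally contains backslash-escaped quotes (`\"afterCertExpiry\"`), which usually indicates that a message already containing quotes is re-formatted with `%q` somewhere in the verify path (not visible in this diff). Pinning the escaped form in an e2e test locks that formatting in; fixing the message at its source and asserting the plain `"afterCertExpiry"` form, as the previous commit did, would be preferable. If the message originates in notation-go rather than this repository, a short comment on this line explaining why the escapes are expected would keep the next maintainer from "fixing" the test.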
@@ -77,6 +77,9 @@ Example - Sign an OCI artifact stored in a registry and specify the signature ex Example - Sign an OCI artifact and store signature using the Referrers API. If it's not supported, fallback to the Referrers tag schema notation sign --force-referrers-tag=false /@ + +Example - Sign an OCI artifact with timestamping: + notation sign --tsa-url --tsa-root-cert /@ ` experimentalExamples := ` Example - [Experimental] Sign an OCI artifact referenced in an OCI layout diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 0806c9650..e9c55afa8 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -42,6 +42,7 @@ Flags: --plugin string signing plugin name. This is mutually exclusive with the --key flag --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. --signature-format string signature envelope format, options: "jws", "cose" (default "jws") + --tsa-root-cert string filepath of trusted tsa root certificate --tsa-url string timestamp authority server URL -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload 
@@ -160,10 +161,14 @@ Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da ```shell # Prerequisites: -# A default signing key is configured using CLI "notation key" +# A default signing key is configured using CLI "notation key". +# Signer knows the TSA url that they want to use to require a RFC 3161 timestamp. +# Signer has downloaded the TSA's root certificate in their file system. # Use option "--tsa-url" to specify the timestamp authority URL. -notation sign --tsa-url /@ +# Use option "--tsa-root-cert" to specify the filepath of the trusted tsa root +# certificate. +notation sign --tsa-url --tsa-root-cert /@ ``` ### [Experimental] Sign container images stored in OCI layout directory From 7cd46ab01eb3ac17ba070270fb113d4aca1533c5 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 26 Jun 2024 18:35:02 +0800 Subject: [PATCH 37/80] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 553e82794..6b4205c26 100644 --- a/go.mod +++ b/go.mod @@ -36,4 +36,4 @@ replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240625082559-925801f5ceb3 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240626102206-c1621e267e61 diff --git a/go.sum b/go.sum index d8ea5ec4d..5451350e1 100644 --- a/go.sum +++ b/go.sum 
@@ -2,8 +2,8 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 h1:l5T/KFTnK+UIlyGKUgLcp2Up5IXVO1iOuQSrjR5jTt0= github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899/go.mod h1:DaE3dTbfW9bLOquUENRPwtAE8He+5Oz2lWy3oCpn4RE= -github.com/Two-Hearts/notation-go v0.0.0-20240625082559-925801f5ceb3 h1:R374090q6OdW/P+kcO4q+HcMLGI2HvI3AD+Q44vsUBc= -github.com/Two-Hearts/notation-go v0.0.0-20240625082559-925801f5ceb3/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q= +github.com/Two-Hearts/notation-go v0.0.0-20240626102206-c1621e267e61 h1:4qZM7UdTqxGPNFq/M7iN4AGcE42Pu9phYKTYv1EPoag= +github.com/Two-Hearts/notation-go v0.0.0-20240626102206-c1621e267e61/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q= github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d h1:PJ4BkFIkKpRYFtuJsE5oOaJt4LY5zf0Zjjd3UE/JhmM= github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= From 92b5ce9dab02fa55a402c1c8bbaa79c68a35f331 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 27 Jun 2024 09:34:37 +0800 Subject: [PATCH 38/80] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6b4205c26..1dadc3fed 100644 --- a/go.mod +++ b/go.mod 
@@ -36,4 +36,4 @@ replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240626102206-c1621e267e61 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240627005958-12b393e36153 diff --git a/go.sum b/go.sum index 5451350e1..d9742505c 100644 --- a/go.sum +++ b/go.sum @@ -2,8 +2,8 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 h1:l5T/KFTnK+UIlyGKUgLcp2Up5IXVO1iOuQSrjR5jTt0= github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899/go.mod h1:DaE3dTbfW9bLOquUENRPwtAE8He+5Oz2lWy3oCpn4RE= -github.com/Two-Hearts/notation-go v0.0.0-20240626102206-c1621e267e61 h1:4qZM7UdTqxGPNFq/M7iN4AGcE42Pu9phYKTYv1EPoag= -github.com/Two-Hearts/notation-go v0.0.0-20240626102206-c1621e267e61/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q= +github.com/Two-Hearts/notation-go v0.0.0-20240627005958-12b393e36153 h1:Zy3zTBRzaD9CzTKUsJXpWuClmZKhbV7cLdhsUU1ojWs= +github.com/Two-Hearts/notation-go v0.0.0-20240627005958-12b393e36153/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q= github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d h1:PJ4BkFIkKpRYFtuJsE5oOaJt4LY5zf0Zjjd3UE/JhmM= github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= From f9ca8292b54443df163d09b5d1dc009c34e4792b Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Thu, 27 Jun 2024 10:01:05 +0800 Subject: [PATCH 39/80] test Signed-off-by: Patrick Zheng --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bc95246c7..70faec009 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -59,6 +59,6 @@ jobs: make e2e-covdata fi - name: Upload coverage to codecov.io - uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 + uses: codecov/codecov-action@4 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} From 1a8fe7b998482d893fc32e848f84be1faa174725 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 27 Jun 2024 10:02:09 +0800 Subject: [PATCH 40/80] test Signed-off-by: Patrick Zheng --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 70faec009..cbda1367c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -59,6 +59,6 @@ jobs: make e2e-covdata fi - name: Upload coverage to codecov.io - uses: codecov/codecov-action@4 + uses: codecov/codecov-action@v4 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} From 1526dbeae49fb7a1332c58051ea2acc7a49b195e Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 27 Jun 2024 10:34:55 +0800 Subject: [PATCH 41/80] add more tests Signed-off-by: Patrick Zheng --- test/e2e/suite/command/sign.go | 14 ++++++++++++++ test/e2e/testdata/config/timestamp/invalid.crt | 2 ++ 2 files changed, 16 insertions(+) create mode 100644 test/e2e/testdata/config/timestamp/invalid.crt diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index c4a2a5056..a54024af7 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
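Review bot: The `uses:` line in the first build.yml hunk replaces a full commit-SHA pin (`codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1`) with a mutable tag, and `@4` is not a valid ref at all; the second build.yml hunk on this line changes it to `@v4`, which resolves but still floats with wherever the tag is moved. A third-party action that receives `CODECOV_TOKEN` should stay pinned to an immutable commit SHA with the version kept in a trailing comment, so that a tag move cannot silently change the code that runs with the secret; restore `uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1` (or a newer SHA together with its version comment). The two "test" commits would also be better squashed so the pin removal and re-addition do not survive in history.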
@@ -266,6 +266,13 @@ var _ = Describe("notation sign", func() { }) }) + It("with empty tsa server", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--tsa-url", "", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: tsa-url is set with empty value") + }) + }) + It("with invalid tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--tsa-url", "http://invalid.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). @@ -274,6 +281,13 @@ var _ = Describe("notation sign", func() { }) }) + It("with invalid tsa root certificate", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "invalid.crt"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: timestamp: Post \"http://invalid.com\"") + }) + }) + It("with empty tsa root certificate path", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", "", artifact.ReferenceWithDigest()). diff --git a/test/e2e/testdata/config/timestamp/invalid.crt b/test/e2e/testdata/config/timestamp/invalid.crt new file mode 100644 index 000000000..c412709aa --- /dev/null +++ b/test/e2e/testdata/config/timestamp/invalid.crt @@ -0,0 +1,2 @@ +-----BEGIN CERTIFICATE----- +-----END CERTIFICATE----- From f78ee813a37336acb3f7a2bc269ccc867a7353c8 Mon Sep 17 00:00:00 2001 
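Review bot: The new "with invalid tsa root certificate" case hands the command `http://timestamp.digicert.com` but asserts on `Post "http://invalid.com"`, so the expected error does not belong to the URL under test (the following commit in the series changes the expectation to `x509: malformed certificate`, which is the failure this case is meant to exercise). Separately, the TSA hosts used across these cases are all resolvable on the public internet — `invalid.com` is a registered domain, not a reserved one — so the "invalid tsa server" expectation depends on whatever that host returns and the suite can hit third-party services. Use a reserved name that can never resolve, e.g. `"--tsa-url", "http://tsa.invalid"` (RFC 2606), for the unreachable-server case and for this one, so that a parse failure on `invalid.crt` cannot be masked by a live request if the HTTP client is constructed first. The enclosing `Describe("notation sign", ...)` block starts before and ends after this hunk.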
From: Patrick Zheng Date: Thu, 27 Jun 2024 10:40:27 +0800 Subject: [PATCH 42/80] fix e2e Signed-off-by: Patrick Zheng --- test/e2e/suite/command/sign.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index a54024af7..bdc95a89b 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -284,7 +284,7 @@ var _ = Describe("notation sign", func() { It("with invalid tsa root certificate", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "invalid.crt"), artifact.ReferenceWithDigest()). - MatchErrKeyWords("Error: timestamp: Post \"http://invalid.com\"") + MatchErrKeyWords("Error: x509: malformed certificate") }) }) From 670e39d699034c4ca7592cb975305d8b09d9dd6c Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 27 Jun 2024 18:35:26 +0800 Subject: [PATCH 43/80] updated tspclient-go Signed-off-by: Patrick Zheng --- go.mod | 8 +++----- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index 1dadc3fed..19871a235 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/google/uuid v1.6.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect - github.com/notaryproject/tspclient-go v0.0.0-20240122083733-a373599795a2 // indirect + github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect golang.org/x/crypto v0.24.0 // indirect 
@@ -32,8 +32,6 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315 -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 - -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240627005958-12b393e36153 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240627102530-13006cec009a diff --git a/go.sum b/go.sum index d9742505c..52611d067 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,9 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899 h1:l5T/KFTnK+UIlyGKUgLcp2Up5IXVO1iOuQSrjR5jTt0= -github.com/Two-Hearts/notation-core-go v0.0.0-20240625061446-64bf87aaf899/go.mod h1:DaE3dTbfW9bLOquUENRPwtAE8He+5Oz2lWy3oCpn4RE= -github.com/Two-Hearts/notation-go v0.0.0-20240627005958-12b393e36153 h1:Zy3zTBRzaD9CzTKUsJXpWuClmZKhbV7cLdhsUU1ojWs= -github.com/Two-Hearts/notation-go v0.0.0-20240627005958-12b393e36153/go.mod h1:WTIyTMsBTKSn26534EpunZc+OOCQXwvWwn+orQsaT+Q= -github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d h1:PJ4BkFIkKpRYFtuJsE5oOaJt4LY5zf0Zjjd3UE/JhmM= -github.com/Two-Hearts/tspclient-go v0.0.0-20240625051139-b86a837d928d/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315 h1:8wDwsk1Rcs+7dmFFlSNzmj2tgBmD0m/vjjVh6eaozcM= +github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315/go.mod h1:4b60hxCB4gB0q1K2QRxycj0TGhLvylSSR1RWCG0ilYs= +github.com/Two-Hearts/notation-go v0.0.0-20240627102530-13006cec009a h1:sN8aDf7eBhvPi4RWI/EvyszPgg3QT9dJA5j+6j44hko= +github.com/Two-Hearts/notation-go v0.0.0-20240627102530-13006cec009a/go.mod h1:4eG7HflGMaLsHeuNXV95h89+6OgvRjvem0wtnlTayfY= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -43,6 +41,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= +github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe h1:1psX5fHzB0ZGshHkaGlERh0eBX4EapizcVyQwX+YydE= +github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= From a11b692949d28292f5bed382df2d05565c85e93a Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 1 Jul 2024 11:10:49 +0800 Subject: [PATCH 44/80] updated timestamping Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 4 +++- go.mod | 8 +++++--- go.sum | 16 ++++++++-------- test/e2e/suite/trustpolicy/multi_statements.go | 6 +++--- test/e2e/suite/trustpolicy/registry_scope.go | 4 ++-- 5 files changed, 21 insertions(+), 17 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 5faac6eb5..f04279e95 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -14,6 +14,7 @@ package main import ( + "crypto/x509" "errors" "fmt" "os" 
@@ -215,7 +216,8 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 return notation.SignOptions{}, fmt.Errorf("cannot read tsa root certificate from %q", opts.tsaRootCertificatePath)
 }
 signOpts.TSAServerURL = opts.tsaServerURL
- signOpts.TSARootCertificate = rootCerts[0]
+ signOpts.TSARootCAs = x509.NewCertPool()
+ signOpts.TSARootCAs.AddCert(rootCerts[0])
 }
 return signOpts, nil
 }
diff --git a/go.mod b/go.mod
index 19871a235..09b478aa9 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
- github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 github.com/go-ldap/ldap/v3 v3.4.8 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
@@ -32,6 +32,8 @@ require (
 golang.org/x/sys v0.21.0 // indirect
 )
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e
-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240627102530-13006cec009a
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240701024944-938762ed78bf
+
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172
diff --git a/go.sum b/go.sum
index 52611d067..3104431cf 100644
--- a/go.sum
+++ b/go.sum
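Review bot: The new `TSARootCAs` pool receives only `rootCerts[0]`, so a `--tsa-root-cert` file holding more than one certificate has everything after the first silently ignored, and a user who supplies a bundle of several trusted TSA roots (or a chain with the root last) ends up trusting something other than what they intended. Either add every parsed certificate, `for _, c := range rootCerts { signOpts.TSARootCAs.AddCert(c) }`, or reject the ambiguity with `if len(rootCerts) != 1 { return notation.SignOptions{}, fmt.Errorf("expected exactly one certificate in %q, got %d", opts.tsaRootCertificatePath, len(rootCerts)) }` so the trust-anchor set is explicit. A one-line comment above the pool stating which policy applies would also help the next reader. `prepareSigningOpts` begins before this hunk, so where `rootCerts` is parsed is not visible here.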
@@ -1,17 +1,19 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315 h1:8wDwsk1Rcs+7dmFFlSNzmj2tgBmD0m/vjjVh6eaozcM= -github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315/go.mod h1:4b60hxCB4gB0q1K2QRxycj0TGhLvylSSR1RWCG0ilYs= -github.com/Two-Hearts/notation-go v0.0.0-20240627102530-13006cec009a h1:sN8aDf7eBhvPi4RWI/EvyszPgg3QT9dJA5j+6j44hko= -github.com/Two-Hearts/notation-go v0.0.0-20240627102530-13006cec009a/go.mod h1:4eG7HflGMaLsHeuNXV95h89+6OgvRjvem0wtnlTayfY= +github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e h1:yDGu0wnuX+3xSDLXeIPV751jaBaTjMjcpVz5NwTypm4= +github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e/go.mod h1:hXbhc81hiH9tQOZ4w5pI+Z83y8qhpXKbsLXHWA/74TE= +github.com/Two-Hearts/notation-go v0.0.0-20240701024944-938762ed78bf h1:OrrmkZr3E9uHtNLNB9lh62Pdp18LF0lXjFlBxroC9rc= +github.com/Two-Hearts/notation-go v0.0.0-20240701024944-938762ed78bf/go.mod h1:Ci+EoNk2HP1WGoKYDqRkJjq7mQ46IYYglWtTcqi58R8= +github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 h1:ME+WMRNcucfmJ9Le8eCtdV1gR3Xc8ve6Ab/cPnN/z48= +github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= -github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ= @@ -41,8 +43,6 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe h1:1psX5fHzB0ZGshHkaGlERh0eBX4EapizcVyQwX+YydE= -github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= diff --git a/test/e2e/suite/trustpolicy/multi_statements.go b/test/e2e/suite/trustpolicy/multi_statements.go index 2c8341f17..6364123b6 100644 --- a/test/e2e/suite/trustpolicy/multi_statements.go +++ b/test/e2e/suite/trustpolicy/multi_statements.go 
@@ -30,7 +30,7 @@ var _ = Describe("notation trust policy multi-statements test", func() { // test localhost:5000/test-repo notation.Exec("sign", artifact.ReferenceWithDigest()).MatchKeyWords(SignSuccessfully) notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest()). - MatchErrContent("Error: registry scope \"localhost:5000/test-repo8\" is present in multiple trust policy statements, one registry scope value can only be associated with one statement\n") + MatchErrContent("Error: registry scope \"localhost:5000/test-repo8\" is present in multiple oci trust policy statements, one registry scope value can only be associated with one statement\n") }) }) @@ -56,7 +56,7 @@ var _ = Describe("notation trust policy multi-statements test", func() { // test localhost:5000/test-repo notation.Exec("sign", artifact.ReferenceWithDigest()).MatchKeyWords(SignSuccessfully) notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest()). - MatchErrContent("Error: multiple trust policy statements use the same name \"e2e\", statement names must be unique\n") + MatchErrContent("Error: multiple oci trust policy statements use the same name \"e2e\", statement names must be unique\n") }) }) @@ -68,7 +68,7 @@ var _ = Describe("notation trust policy multi-statements test", func() { // test localhost:5000/test-repo notation.Exec("sign", artifact.ReferenceWithDigest()).MatchKeyWords(SignSuccessfully) notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest()). - MatchErrContent("Error: registry scope \"*\" is present in multiple trust policy statements, one registry scope value can only be associated with one statement\n") + MatchErrContent("Error: registry scope \"*\" is present in multiple oci trust policy statements, one registry scope value can only be associated with one statement\n") }) }) }) diff --git a/test/e2e/suite/trustpolicy/registry_scope.go b/test/e2e/suite/trustpolicy/registry_scope.go index 7faa985e8..f99a031c6 100644 
--- a/test/e2e/suite/trustpolicy/registry_scope.go +++ b/test/e2e/suite/trustpolicy/registry_scope.go @@ -111,7 +111,7 @@ var _ = Describe("notation trust policy registryScope test", func() { // test localhost:5000/test-repo OldNotation().Exec("sign", artifact.ReferenceWithDigest()).MatchKeyWords(SignSuccessfully) notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest()). - MatchErrKeyWords("registry scope \"localhost:5000/test-repo6\" is present in multiple trust policy statements") + MatchErrKeyWords("registry scope \"localhost:5000/test-repo6\" is present in multiple oci trust policy statements") }) }) @@ -137,7 +137,7 @@ var _ = Describe("notation trust policy registryScope test", func() { // test localhost:5000/test-repo OldNotation().Exec("sign", artifact.ReferenceWithDigest()).MatchKeyWords(SignSuccessfully) notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest()). - MatchErrContent(fmt.Sprintf("Error: signature verification failed: artifact %q has no applicable trust policy. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: %s\n", artifact.ReferenceWithDigest(), trustPolicyLink)) + MatchErrContent(fmt.Sprintf("Error: signature verification failed: artifact %q has no applicable oci trust policy. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: %s\n", artifact.ReferenceWithDigest(), trustPolicyLink)) }) }) }) From 10a2b636f358cd67e6321785d8a0053fe87d8fd6 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 1 Jul 2024 11:16:38 +0800 Subject: [PATCH 45/80] fixed E2E test Signed-off-by: Patrick Zheng --- test/e2e/suite/trustpolicy/registry_scope.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/suite/trustpolicy/registry_scope.go b/test/e2e/suite/trustpolicy/registry_scope.go index f99a031c6..7eb19a5f4 100644 --- a/test/e2e/suite/trustpolicy/registry_scope.go 
+++ b/test/e2e/suite/trustpolicy/registry_scope.go @@ -137,7 +137,7 @@ var _ = Describe("notation trust policy registryScope test", func() { // test localhost:5000/test-repo OldNotation().Exec("sign", artifact.ReferenceWithDigest()).MatchKeyWords(SignSuccessfully) notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest()). - MatchErrContent(fmt.Sprintf("Error: signature verification failed: artifact %q has no applicable oci trust policy. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: %s\n", artifact.ReferenceWithDigest(), trustPolicyLink)) + MatchErrContent(fmt.Sprintf("Error: signature verification failed: artifact %q has no applicable oci trust policy statement. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: %s\n", artifact.ReferenceWithDigest(), trustPolicyLink)) }) }) }) From bd7212d2e9e8e9795c7b0d934bb66d4781ca633f Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 3 Jul 2024 14:37:03 +0800 Subject: [PATCH 46/80] updated timestamping Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 12 ++++++++++-- go.mod | 8 +++----- go.sum | 12 ++++++------ 3 files changed, 19 insertions(+), 13 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index f04279e95..c7cdc8518 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -17,6 +17,7 @@ import ( "crypto/x509" "errors" "fmt" + "net/http" "os" "strings" "time" @@ -26,6 +27,7 @@ import ( "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" + "github.com/notaryproject/tspclient-go" ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" ) 
@@ -207,7 +209,14 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 },
 UserMetadata: userMetadata,
 }
- if opts.tsaRootCertificatePath != "" {
+ if opts.tsaServerURL != "" {
+ // timestamping
+ fmt.Printf("Timestamping with TSA %q\n", opts.tsaServerURL)
+ signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(&http.Client{Timeout: 5 * time.Second}, opts.tsaServerURL)
+ if err != nil {
+ return notation.SignOptions{}, fmt.Errorf("cannot get http timestamper for timestamping: %v", err)
+ }
+
 rootCerts, err := corex509.ReadCertificateFile(opts.tsaRootCertificatePath)
 if err != nil {
 return notation.SignOptions{}, err
@@ -215,7 +224,6 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 if len(rootCerts) == 0 {
 return notation.SignOptions{}, fmt.Errorf("cannot read tsa root certificate from %q", opts.tsaRootCertificatePath)
 }
- signOpts.TSAServerURL = opts.tsaServerURL
 signOpts.TSARootCAs = x509.NewCertPool()
 signOpts.TSARootCAs.AddCert(rootCerts[0])
 }
diff --git a/go.mod b/go.mod
index 09b478aa9..8a76f8504 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.22
 require (
 github.com/notaryproject/notation-core-go v1.0.3
 github.com/notaryproject/notation-go v1.1.1
+ github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
 github.com/sirupsen/logrus v1.9.3
@@ -23,7 +24,6 @@ require (
 github.com/google/uuid v1.6.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
- github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 golang.org/x/crypto v0.24.0 // indirect
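Review bot: The status line `fmt.Printf("Timestamping with TSA %q\n", ...)` is written to stdout, where it interleaves with the command's real output and will break anyone consuming `notation sign` output from a script; the file already imports `os`, so write it as `fmt.Fprintf(os.Stderr, "Timestamping with TSA %q\n", opts.tsaServerURL)` or route it through the command's logger. The `http.Client{Timeout: 5 * time.Second}` literal is a bare magic number here; the following commit lifts it into a named constant, which is the right direction, and that constant's doc comment should state that it bounds the whole request, not just the dial, since `http.Client.Timeout` covers the full exchange. Nothing in this hunk constrains the URL beyond non-emptiness, which is acceptable only because the RFC 3161 token is verified against the pinned root rather than trusted from the transport — a comment saying so would prevent a future "why is plain http allowed" regression. `prepareSigningOpts` starts before this hunk, so the earlier declaration of `err` that the `=` assignment relies on is not visible here.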
@@ -32,8 +32,6 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18 -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240701024944-938762ed78bf - -replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240703061359-5aeef6851f90 diff --git a/go.sum b/go.sum index 3104431cf..05a178b45 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,9 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e h1:yDGu0wnuX+3xSDLXeIPV751jaBaTjMjcpVz5NwTypm4= -github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e/go.mod h1:hXbhc81hiH9tQOZ4w5pI+Z83y8qhpXKbsLXHWA/74TE= -github.com/Two-Hearts/notation-go v0.0.0-20240701024944-938762ed78bf h1:OrrmkZr3E9uHtNLNB9lh62Pdp18LF0lXjFlBxroC9rc= -github.com/Two-Hearts/notation-go v0.0.0-20240701024944-938762ed78bf/go.mod h1:Ci+EoNk2HP1WGoKYDqRkJjq7mQ46IYYglWtTcqi58R8= -github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 h1:ME+WMRNcucfmJ9Le8eCtdV1gR3Xc8ve6Ab/cPnN/z48= -github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18 h1:lYX4Y5ZkbWbsAJkdMCSfg0Nc3lxsKWmOaHtnKejoIMY= +github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= +github.com/Two-Hearts/notation-go v0.0.0-20240703061359-5aeef6851f90 h1:0it2UpgFWP65TkOigTrxatdbEGHGDgtcc6ihG1sCVz4= +github.com/Two-Hearts/notation-go v0.0.0-20240703061359-5aeef6851f90/go.mod h1:6GeF4h/9rfOXgaKdk7XTg3iZirpy41np8ccnxVS2bXc= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -43,6 +41,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= +github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc= +github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= From b241460b857919ab0a2a6532f2d64d1e78526b71 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 3 Jul 2024 14:54:45 +0800 Subject: [PATCH 47/80] updated timestamping Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index c7cdc8518..13cbbe44e 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -34,6 +34,10 @@ import ( const referrersTagSchemaDeleteError = "failed to delete dangling referrers index" +// TimestampingTimeout is the timeout when requesting timestamp countersignature +// from a TSA +const TimestampingTimeout = 5 * time.Second + type signOpts struct { cmd.LoggingFlagOpts cmd.SignerFlagOpts 
@@ -212,7 +216,7 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 if opts.tsaServerURL != "" {
 // timestamping
 fmt.Printf("Timestamping with TSA %q\n", opts.tsaServerURL)
- signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(&http.Client{Timeout: 5 * time.Second}, opts.tsaServerURL)
+ signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(&http.Client{Timeout: TimestampingTimeout}, opts.tsaServerURL)
 if err != nil {
 return notation.SignOptions{}, fmt.Errorf("cannot get http timestamper for timestamping: %v", err)
 }
From 89008723eb6a5c1d0db50f4bb4e3a755d9eff88f Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 3 Jul 2024 15:23:22 +0800
Subject: [PATCH 48/80] updated timestamping
Signed-off-by: Patrick Zheng
---
 cmd/notation/sign.go | 18 ++++++++++--------
 test/e2e/suite/command/sign.go | 30 ++++++++++++++++++++++--------
 2 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 13cbbe44e..d44b9b8ca 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -108,20 +108,22 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 return nil
 },
 PreRunE: func(cmd *cobra.Command, args []string) error {
- if cmd.Flags().Changed("tsa-url") {
- if opts.tsaServerURL == "" {
- return errors.New("tsa-url is set with empty value")
- }
- if opts.tsaRootCertificatePath == "" {
- return errors.New("tsa root certificate path cannot be empty")
- }
- }
 if opts.ociLayout {
 opts.inputType = inputTypeOCILayout
 }
 return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout")
 },
 RunE: func(cmd *cobra.Command, args []string) error {
+ // timestamping
+ if cmd.Flags().Changed("tsa-url") {
+ if opts.tsaServerURL == "" {
+ return errors.New("timestamping: tsa url cannot be empty")
+ }
+ if opts.tsaRootCertificatePath == "" {
+ return errors.New("timestamping: tsa root certificate path cannot be empty")
+ }
+ }
+
 // allow-referrers-api flag is set
 if cmd.Flags().Changed("allow-referrers-api") {
 if opts.allowReferrersAPI {
diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go
index bdc95a89b..1b3701d84 100644
--- a/test/e2e/suite/command/sign.go
+++ b/test/e2e/suite/command/sign.go
@@ -266,10 +266,31 @@ var _ = Describe("notation sign", func() { }) }) + It("with tsa-root-cert but no tsa-url", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: if any flags in the group [tsa-url tsa-root-cert] are set they must all be set; missing [tsa-url]") + }) + }) + + It("with tsa-url but no tsa-root-cert", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: if any flags in the group [tsa-url tsa-root-cert] are set they must all be set; missing [tsa-root-cert]") + }) + }) + It("with empty tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--tsa-url", "", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). - MatchErrKeyWords("Error: tsa-url is set with empty value") + MatchErrKeyWords("Error: timestamping: tsa url cannot be empty") + }) + }) + + It("with empty tsa root cert", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--tsa-url", "dummy", "--tsa-root-cert", "", artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: timestamping: tsa root certificate path cannot be empty") }) }) 
@@ -287,11 +308,4 @@ var _ = Describe("notation sign", func() { MatchErrKeyWords("Error: x509: malformed certificate") }) }) - - It("with empty tsa root certificate path", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", "", artifact.ReferenceWithDigest()). - MatchErrKeyWords("Error: tsa root certificate path cannot be empty") - }) - }) }) From bdf1264a72ede7ff252b9d5d10ba12b3212bc24f Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 8 Jul 2024 13:54:26 +0800 Subject: [PATCH 49/80] updated notation-go Signed-off-by: Patrick Zheng --- go.mod | 6 ++---- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 8a76f8504..bdb8786b1 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/notaryproject/notation go 1.22 require ( - github.com/notaryproject/notation-core-go v1.0.3 + github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 github.com/notaryproject/notation-go v1.1.1 github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 github.com/opencontainers/go-digest v1.0.0 @@ -32,6 +32,4 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18 - -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240703061359-5aeef6851f90 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240708053958-78999aaba718 diff --git a/go.sum b/go.sum index 05a178b45..bbad52ed7 100644 --- a/go.sum +++ b/go.sum 
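Review bot: After this change `go.mod` still carries `replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240708053958-78999aaba718`, which redirects the module that implements signing and verification to a personal fork at a pseudo-version; any binary built from this branch runs that fork's code, and `go.sum` pins the fork rather than the upstream module. That is acceptable on a development branch, but the series should end with the `replace` removed and `notation-go` resolved to a published upstream version — as this same commit already does for `notation-core-go` via `v1.0.4-0.20240708015912-faac9b7f3f10` — and the PR description should state that explicitly so the fork reference cannot be merged by accident. Until then, a comment on the `replace` line such as `// TEMPORARY: development fork, must be dropped before release` would make the intent visible to reviewers.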
@@ -1,9 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18 h1:lYX4Y5ZkbWbsAJkdMCSfg0Nc3lxsKWmOaHtnKejoIMY= -github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= -github.com/Two-Hearts/notation-go v0.0.0-20240703061359-5aeef6851f90 h1:0it2UpgFWP65TkOigTrxatdbEGHGDgtcc6ihG1sCVz4= -github.com/Two-Hearts/notation-go v0.0.0-20240703061359-5aeef6851f90/go.mod h1:6GeF4h/9rfOXgaKdk7XTg3iZirpy41np8ccnxVS2bXc= +github.com/Two-Hearts/notation-go v0.0.0-20240708053958-78999aaba718 h1:9zWXJEbZSPBd+TlE+cCRxU38eDcdGXYXuiRCPUBjqB8= +github.com/Two-Hearts/notation-go v0.0.0-20240708053958-78999aaba718/go.mod h1:vvCMHkJ7wTRb8RiVbO9u/7G9K84VNGEbc43EOxQ+NM8= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -39,6 +37,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= +github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= +github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc= From 04579ca2f63183956dd4d7bdbbb42e6e88c8e249 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 9 Jul 2024 10:16:57 +0800 Subject: [PATCH 50/80] updated notation-go Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- test/e2e/go.mod | 5 +++-- test/e2e/go.sum | 14 +++++++----- test/e2e/internal/notation/host.go | 9 +++----- test/e2e/plugin/go.mod | 11 ++++++---- test/e2e/plugin/go.sum | 22 ++++++++++--------- test/e2e/suite/command/verify.go | 18 +++------------ ...timestamp_skip_revocation_trustpolicy.json | 17 -------------- 9 files changed, 39 insertions(+), 63 deletions(-) delete mode 100644 test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json diff --git a/go.mod b/go.mod index bdb8786b1..d7c2c6ea2 100644 --- a/go.mod +++ b/go.mod 
@@ -32,4 +32,4 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240708053958-78999aaba718 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938 diff --git a/go.sum b/go.sum index bbad52ed7..6a4c99929 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240708053958-78999aaba718 h1:9zWXJEbZSPBd+TlE+cCRxU38eDcdGXYXuiRCPUBjqB8= -github.com/Two-Hearts/notation-go v0.0.0-20240708053958-78999aaba718/go.mod h1:vvCMHkJ7wTRb8RiVbO9u/7G9K84VNGEbc43EOxQ+NM8= +github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938 h1:U0dVPBGnOyZZ9KZipHbst9P9GwXKHl4ESun2Nwpxo1I= +github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938/go.mod h1:vvCMHkJ7wTRb8RiVbO9u/7G9K84VNGEbc43EOxQ+NM8= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 78ae34e26..c09211238 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -3,7 +3,7 @@ module github.com/notaryproject/notation/test/e2e go 1.21 require ( - github.com/notaryproject/notation-core-go v1.0.3 + github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 github.com/opencontainers/image-spec v1.1.0 
@@ -11,11 +11,12 @@ require ( ) require ( - github.com/fxamacker/cbor/v2 v2.6.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 // indirect + github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 92491efed..574c7400a 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum @@ -1,8 +1,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= -github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= 
@@ -13,8 +13,10 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9tRnGuw+ZVCB3FazXODD6JE1R8= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= -github.com/notaryproject/notation-core-go v1.0.3 h1:FCgvULSypEFrrNgvDRdHbKAGAgbXK43n/jKD9q2WECA= -github.com/notaryproject/notation-core-go v1.0.3/go.mod h1:eDo5/LTUp23mB7w0CckJLnl+p93oGdyiKDzzggpqTH4= +github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= +github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= +github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc= +github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= 
@@ -33,8 +35,8 @@ github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4
 github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
 golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go
index 16ded3daa..168015a2b 100644
--- a/test/e2e/internal/notation/host.go
+++ b/test/e2e/internal/notation/host.go
@@ -131,15 +131,12 @@ func BaseOptions() []utils.HostOption {
 // TimestampOptions returns a list of timestamp Options for a valid
 // notation testing environment.
-func TimestampOptions(verifyTimestamp string, skipTimestampingRevocationCheck bool) []utils.HostOption {
+func TimestampOptions(verifyTimestamp string) []utils.HostOption {
 var trustPolicyOption utils.HostOption
- if skipTimestampingRevocationCheck {
- trustPolicyOption = AddTrustPolicyOption("timestamp_skip_revocation_trustpolicy.json")
- } else {
- trustPolicyOption = AddTrustPolicyOption("timestamp_trustpolicy.json")
- }
 if verifyTimestamp == "afterCertExpiry" {
 trustPolicyOption = AddTrustPolicyOption("timestamp_after_cert_expiry_trustpolicy.json")
+ } else {
+ trustPolicyOption = AddTrustPolicyOption("timestamp_trustpolicy.json")
 }
 return Opts(
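Review bot: Any `verifyTimestamp` value other than `"afterCertExpiry"` now silently selects `timestamp_trustpolicy.json` through the new `else` branch, so a caller typo such as `TimestampOptions("afterCertExpiri")` would run the scenario under the default trust policy and could pass for the wrong reason. The only values visible in this series are `""` and `"afterCertExpiry"`; a `switch` with a failing `default` keeps the accepted set explicit (if other callers pass further values, add them as cases), and the doc comment should name them, e.g. `// verifyTimestamp selects the trust policy: "" uses timestamp_trustpolicy.json, "afterCertExpiry" uses timestamp_after_cert_expiry_trustpolicy.json.` Ginkgo's Fail may be preferable to panic if this package already uses it. TimestampOptions continues past the end of the hunk after `return Opts(`.
```go
var trustPolicyOption utils.HostOption
switch verifyTimestamp {
case "afterCertExpiry":
	trustPolicyOption = AddTrustPolicyOption("timestamp_after_cert_expiry_trustpolicy.json")
case "":
	trustPolicyOption = AddTrustPolicyOption("timestamp_trustpolicy.json")
default:
	// fail loudly rather than run the scenario under the wrong trust policy
	panic("TimestampOptions: unsupported verifyTimestamp value: " + verifyTimestamp)
}
// … unchanged: return Opts( …
```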
diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod
index 3ae596dcc..5a695c784 100644
--- a/test/e2e/plugin/go.mod
+++ b/test/e2e/plugin/go.mod
@@ -4,7 +4,7 @@ go 1.21
 require (
 github.com/golang-jwt/jwt v3.2.2+incompatible
- github.com/notaryproject/notation-core-go v1.0.3
+ github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
 github.com/notaryproject/notation-go v1.1.1
 github.com/notaryproject/notation-plugin-framework-go v1.0.0
 github.com/spf13/cobra v1.7.0
@@ -12,19 +12,22 @@ require (
 require (
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
- github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 github.com/go-ldap/ldap/v3 v3.4.8 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- golang.org/x/crypto v0.23.0 // indirect
- golang.org/x/mod v0.17.0 // indirect
+ golang.org/x/crypto v0.24.0 // indirect
+ golang.org/x/mod v0.18.0 // indirect
 golang.org/x/sync v0.6.0 // indirect
 oras.land/oras-go/v2 v2.5.0 // indirect
 )
+
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938
diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum
index f90f155d3..e94888be5 100644
--- a/test/e2e/plugin/go.sum
+++ b/test/e2e/plugin/go.sum
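Review bot: The `replace` added at the end of the hunk redirects `github.com/notaryproject/notation-go` for the e2e plugin module to a personal fork, `github.com/Two-Hearts/notation-go`, so the plugin build now depends on code outside the notaryproject org; go.sum pins the hash of this pseudo-version, but every later bump resolves against whatever that fork publishes. This looks like a temporary measure while the timestamping changes land upstream, and it should be marked as such so it is not merged by accident, e.g. `// TODO: temporary fork of notation-go for timestamping support; remove once the upstream release is tagged` above the directive. It should be dropped together with the matching replace in the root go.mod before release.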
@@ -1,13 +1,15 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938 h1:U0dVPBGnOyZZ9KZipHbst9P9GwXKHl4ESun2Nwpxo1I= +github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938/go.mod h1:vvCMHkJ7wTRb8RiVbO9u/7G9K84VNGEbc43EOxQ+NM8= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= -github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ= 
@@ -37,12 +39,12 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= -github.com/notaryproject/notation-core-go v1.0.3 h1:FCgvULSypEFrrNgvDRdHbKAGAgbXK43n/jKD9q2WECA= -github.com/notaryproject/notation-core-go v1.0.3/go.mod h1:eDo5/LTUp23mB7w0CckJLnl+p93oGdyiKDzzggpqTH4= -github.com/notaryproject/notation-go v1.1.1 h1:EAY8ERBWhrdaG9MIumSZ9xyUHktgr6OkCByd75HR+FA= -github.com/notaryproject/notation-go v1.1.1/go.mod h1:XykI2i5jHb6cGf+bcG/cIeNfNO2u4Xoy2mkuOKHjVVI= +github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= +github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= +github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc= +github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -72,12 +74,12 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= +golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 94ee9968c..58ed46403 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
@@ -225,7 +225,7 @@ var _ = Describe("notation verify", func() {
 })
 It("with timestamp verification", func() {
- Host(TimestampOptions("", false), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ Host(TimestampOptions(""), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()).
 MatchKeyWords(SignSuccessfully)
@@ -235,20 +235,8 @@ var _ = Describe("notation verify", func() {
 })
 })
- It("with timestamp verification skipping tsa cert chain revocation check", func() {
- Host(TimestampOptions("", true), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
- notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()).
- MatchKeyWords(SignSuccessfully)
-
- notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
- MatchKeyWords(VerifySuccessfully).
- MatchErrKeyWords("Timestamp range:").
- NoMatchErrKeyWords("Checking timestamping certificate chain revocation...")
- })
- })
-
- It("with timestamp verification after cert expiry", func() {
- Host(TimestampOptions("afterCertExpiry", false), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ It("with verifyTimestamp set as afterCertExpiry", func() {
+ Host(TimestampOptions("afterCertExpiry"), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()).
 MatchKeyWords(SignSuccessfully)
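Review bot: With the "skipping tsa cert chain revocation check" case deleted, no assertion visible in this diff checks that timestamp verification actually performs the TSA certificate chain revocation check; the deleted test was the only one referencing the `Checking timestamping certificate chain revocation...` log line, and it asserted its absence. Unless the verify step of "with timestamp verification" (between the two hunks, not visible here) already does so, that test should assert the positive case, e.g. `MatchErrKeyWords("Checking timestamping certificate chain revocation...")`, so a regression that quietly skips revocation checking fails the e2e suite. The enclosing `Describe("notation verify", ...)` block starts and ends outside these hunks.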
diff --git a/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json b/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json
deleted file mode 100644
index 24abeb7e3..000000000
--- a/test/e2e/testdata/config/trustpolicies/timestamp_skip_revocation_trustpolicy.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "version": "1.0",
- "trustPolicies": [
- {
- "name": "e2e",
- "registryScopes": [ "*" ],
- "signatureVerification": {
- "level" : "strict",
- "skipTimestampRevocationCheck": true
- },
- "trustStores": [ "ca:e2e", "tsa:e2e" ],
- "trustedIdentities": [
- "*"
- ]
- }
- ]
-}
\ No newline at end of file
From 52f7052195ca770e2833900a480c86443f4d09dd Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 11 Jul 2024 11:05:58 +0800
Subject: [PATCH 51/80] updated notation-go
Signed-off-by: Patrick Zheng
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 test/e2e/plugin/go.mod | 4 ++--
 test/e2e/plugin/go.sum | 8 ++++----
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index d7c2c6ea2..7b4cba7c4 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22
 require (
 github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
 github.com/notaryproject/notation-go v1.1.1
- github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058
+ github.com/notaryproject/tspclient-go v0.1.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
 github.com/sirupsen/logrus v1.9.3
@@ -32,4 +32,4 @@ require (
 golang.org/x/sys v0.21.0 // indirect
 )
-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a
diff --git a/go.sum b/go.sum
index 6a4c99929..8e77f2190 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938 h1:U0dVPBGnOyZZ9KZipHbst9P9GwXKHl4ESun2Nwpxo1I= -github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938/go.mod h1:vvCMHkJ7wTRb8RiVbO9u/7G9K84VNGEbc43EOxQ+NM8= +github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a h1:dnDyhQUVxC7KT6KtaX1EGYxpt77y4d0oRe6ztC4AruI= +github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -41,8 +41,8 @@ github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc= -github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= +github.com/notaryproject/tspclient-go v0.1.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 5a695c784..d78ec7732 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -18,7 +18,7 @@ require ( github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 // indirect + github.com/notaryproject/tspclient-go v0.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect 
@@ -30,4 +30,4 @@ require ( oras.land/oras-go/v2 v2.5.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index e94888be5..c6bddd3f1 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum @@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938 h1:U0dVPBGnOyZZ9KZipHbst9P9GwXKHl4ESun2Nwpxo1I= -github.com/Two-Hearts/notation-go v0.0.0-20240709014026-1235960e1938/go.mod h1:vvCMHkJ7wTRb8RiVbO9u/7G9K84VNGEbc43EOxQ+NM8= +github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a h1:dnDyhQUVxC7KT6KtaX1EGYxpt77y4d0oRe6ztC4AruI= +github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -43,8 +43,8 @@ github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc= -github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= +github.com/notaryproject/tspclient-go v0.1.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= From 1e4422d95d4c3892de3900dd35d2556327483b7a Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 11 Jul 2024 13:38:49 +0800 Subject: [PATCH 52/80] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- test/e2e/plugin/go.mod | 2 +- test/e2e/plugin/go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 7b4cba7c4..9d1e8120c 100644 --- a/go.mod +++ b/go.mod @@ -32,4 +32,4 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 diff --git a/go.sum b/go.sum index 8e77f2190..053c7039c 100644 --- a/go.sum +++ b/go.sum 
@@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a h1:dnDyhQUVxC7KT6KtaX1EGYxpt77y4d0oRe6ztC4AruI= -github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= +github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 h1:qvbti05IeI/P3svyqkAgDzAdXZARLQLiyK+rNE68D1A= +github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index d78ec7732..c89aa28d0 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -30,4 +30,4 @@ require ( oras.land/oras-go/v2 v2.5.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index c6bddd3f1..b0566f924 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a h1:dnDyhQUVxC7KT6KtaX1EGYxpt77y4d0oRe6ztC4AruI= -github.com/Two-Hearts/notation-go v0.0.0-20240711021409-d8498e52d53a/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= +github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 h1:qvbti05IeI/P3svyqkAgDzAdXZARLQLiyK+rNE68D1A= +github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= From 34e2f1f7931cfd476e291b7da4343cd9149738d6 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 11 Jul 2024 15:58:14 +0800 Subject: [PATCH 53/80] updated notation-go Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- test/e2e/plugin/go.mod | 2 +- test/e2e/plugin/go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 9d1e8120c..20234a167 100644 --- a/go.mod +++ b/go.mod @@ -32,4 +32,4 @@ require ( golang.org/x/sys v0.21.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2 diff --git a/go.sum b/go.sum index 053c7039c..31e149bea 100644 --- a/go.sum +++ b/go.sum 
@@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 h1:qvbti05IeI/P3svyqkAgDzAdXZARLQLiyK+rNE68D1A= -github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= +github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2 h1:kK9B+m2/PpfSHRv4kVjmy9NnF4CzSL9SXHj7aZR81IU= +github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index c89aa28d0..8586253cb 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -30,4 +30,4 @@ require ( oras.land/oras-go/v2 v2.5.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2 diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index b0566f924..03b299705 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7 h1:qvbti05IeI/P3svyqkAgDzAdXZARLQLiyK+rNE68D1A= -github.com/Two-Hearts/notation-go v0.0.0-20240711051939-a601fceb37c7/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= +github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2 h1:kK9B+m2/PpfSHRv4kVjmy9NnF4CzSL9SXHj7aZR81IU= +github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= From ec602c0fb9fb9843417f5f5ffb3a3099519394d7 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 12 Jul 2024 16:40:41 +0800 Subject: [PATCH 54/80] updated notation-go Signed-off-by: Patrick Zheng --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- test/e2e/plugin/go.mod | 6 +++--- test/e2e/plugin/go.sum | 12 ++++++------ 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/go.mod b/go.mod index 20234a167..fce62e1b7 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 - golang.org/x/term v0.21.0 + golang.org/x/term v0.22.0 oras.land/oras-go/v2 v2.5.0 ) 
@@ -26,10 +26,10 @@ require (
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- golang.org/x/crypto v0.24.0 // indirect
- golang.org/x/mod v0.18.0 // indirect
+ golang.org/x/crypto v0.25.0 // indirect
+ golang.org/x/mod v0.19.0 // indirect
 golang.org/x/sync v0.6.0 // indirect
- golang.org/x/sys v0.21.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
 )
-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90
diff --git a/go.sum b/go.sum
index 31e149bea..13c9d135c 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2 h1:kK9B+m2/PpfSHRv4kVjmy9NnF4CzSL9SXHj7aZR81IU=
-github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274=
+github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90 h1:6ufypfCsR509zGh7AUirJkPWYVIq8jfmFN1xXQX8Fw8=
+github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -75,12 +75,12 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 
@@ -106,16 +106,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= -golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 8586253cb..0563686af 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod 
@@ -24,10 +24,10 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.24.0 // indirect - golang.org/x/mod v0.18.0 // indirect + golang.org/x/crypto v0.25.0 // indirect + golang.org/x/mod v0.19.0 // indirect golang.org/x/sync v0.6.0 // indirect oras.land/oras-go/v2 v2.5.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90 diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index 03b299705..2446f46b9 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum @@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2 h1:kK9B+m2/PpfSHRv4kVjmy9NnF4CzSL9SXHj7aZR81IU= -github.com/Two-Hearts/notation-go v0.0.0-20240711072943-45f34958dfa2/go.mod h1:jTde0t1tP8WnvUQOrEoDWWQcD6SXBnzTn4LSSXVB274= +github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90 h1:6ufypfCsR509zGh7AUirJkPWYVIq8jfmFN1xXQX8Fw8= +github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -74,12 +74,12 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= From e4564a3958036784a428546f50d95846e4645503 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 12 Jul 2024 16:45:55 +0800 Subject: [PATCH 55/80] fixed e2e Signed-off-by: Patrick Zheng --- test/e2e/suite/command/verify.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 58ed46403..ae9935cc0 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
@@ -231,7 +231,7 @@ var _ = Describe("notation verify", func() {
 notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchKeyWords(VerifySuccessfully).
- MatchErrKeyWords("Timestamp range:")
+ MatchErrKeyWords("Performing timestamp verification...")
 })
 })
From f5a4ad96be0325f8455d6f981c05796b80615886 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 12 Jul 2024 17:26:05 +0800
Subject: [PATCH 56/80] updated notation-go
Signed-off-by: Patrick Zheng
---
 go.mod | 2 +-
 go.sum | 4 ++--
 test/e2e/plugin/go.mod | 2 +-
 test/e2e/plugin/go.sum | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index a226713e1..487f0f239 100644
--- a/go.mod
+++ b/go.mod
@@ -32,4 +32,4 @@ require (
 golang.org/x/sys v0.22.0 // indirect
 )
-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90
+replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e
diff --git a/go.sum b/go.sum
index a0b50b869..130ff40f0 100644
--- a/go.sum
+++ b/go.sum
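Review bot: The replacement keyword `Performing timestamp verification...` only proves the timestamp path was entered, whereas the removed `Timestamp range:` keyword implied the countersignature had actually been parsed and its validity window computed, so this test no longer distinguishes a timestamp check that ran and passed from one that started and was then skipped or failed internally while the overall verify still succeeded. If the updated notation-go still logs the result of a successful timestamp verification, match that line too, e.g. `MatchErrKeyWords("Performing timestamp verification...", "Timestamp range:")` with the second keyword adjusted to the current log text; otherwise add a negative match on the timestamp failure message if the e2e helpers support one. The enclosing Describe block starts and ends outside the hunk.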
@@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90 h1:6ufypfCsR509zGh7AUirJkPWYVIq8jfmFN1xXQX8Fw8= -github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= +github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e h1:IpL7TUZHZ5qJZyl83v+s7oLcbIIeXQA7FLRS0qP4pZU= +github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 0563686af..12b1c6dc5 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -30,4 +30,4 @@ require ( oras.land/oras-go/v2 v2.5.0 // indirect ) -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90 +replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index 2446f46b9..9aed689c9 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -1,7 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90 h1:6ufypfCsR509zGh7AUirJkPWYVIq8jfmFN1xXQX8Fw8=
-github.com/Two-Hearts/notation-go v0.0.0-20240712083015-e50cf0a1ca90/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI=
+github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e h1:IpL7TUZHZ5qJZyl83v+s7oLcbIIeXQA7FLRS0qP4pZU=
+github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
From aa35f19d7531abbcd16f71b4f5b7f06cf6ced68d Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Mon, 15 Jul 2024 13:28:52 +0800
Subject: [PATCH 57/80] updated dependencies
Signed-off-by: Patrick Zheng
---
 cmd/notation/sign.go | 2 +-
 go.mod | 4 +---
 go.sum | 4 ++--
 test/e2e/plugin/go.mod | 4 +---
 test/e2e/plugin/go.sum | 4 ++--
 5 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index d44b9b8ca..f1826c7d1 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -36,7 +36,7 @@ const referrersTagSchemaDeleteError = "failed to delete dangling referrers index"
 // TimestampingTimeout is the timeout when requesting timestamp countersignature
 // from a TSA
-const TimestampingTimeout = 5 * time.Second
+const TimestampingTimeout = 15 * time.Second
 type signOpts struct {
 cmd.LoggingFlagOpts
diff --git a/go.mod b/go.mod
index 487f0f239..b251cef90 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.22
 require (
 github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
- github.com/notaryproject/notation-go v1.1.1
+ github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b
 github.com/notaryproject/tspclient-go v0.1.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
@@ -31,5 +31,3 @@ require (
 golang.org/x/sync v0.6.0 // indirect
 golang.org/x/sys v0.22.0 // indirect
 )
-
-replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e
diff --git a/go.sum b/go.sum
index 130ff40f0..16b84db7b 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,5 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e h1:IpL7TUZHZ5qJZyl83v+s7oLcbIIeXQA7FLRS0qP4pZU=
-github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -39,6 +37,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= +github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc= +github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 12b1c6dc5..16d3a846c 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -5,7 +5,7 @@ go 1.21 require ( github.com/golang-jwt/jwt v3.2.2+incompatible github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 - github.com/notaryproject/notation-go v1.1.1 + github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b github.com/notaryproject/notation-plugin-framework-go v1.0.0 github.com/spf13/cobra v1.7.0 ) @@ -29,5 +29,3 @@ require ( golang.org/x/sync v0.6.0 // indirect oras.land/oras-go/v2 v2.5.0 // indirect ) - -replace github.com/notaryproject/notation-go => github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index 9aed689c9..3d7eb762e 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -1,7 +1,5 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e h1:IpL7TUZHZ5qJZyl83v+s7oLcbIIeXQA7FLRS0qP4pZU= -github.com/Two-Hearts/notation-go v0.0.0-20240712090932-b94b3fd1fa8e/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= @@ -41,6 +39,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= +github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc= +github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= From 1a82b194f317ff40d0e48451730f0feb1392f7d0 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng
Date: Mon, 15 Jul 2024 13:30:22 +0800
Subject: [PATCH 58/80] updated dependencies
Signed-off-by: Patrick Zheng
---
 test/e2e/go.mod | 2 +-
 test/e2e/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index c09211238..479c3afb0 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -16,7 +16,7 @@ require (
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 // indirect
- github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 // indirect
+ github.com/notaryproject/tspclient-go v0.1.0 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index 574c7400a..af9795130 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -15,8 +15,8 @@ github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9 github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= -github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc= -github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= +github.com/notaryproject/tspclient-go v0.1.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= From abcc08917f9ab9211422e804f6c1e0ab6d98ad6c Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 15 Jul 2024 13:49:16 +0800 Subject: [PATCH 59/80] updated verify spec Signed-off-by: Patrick Zheng --- specs/commandline/verify.md | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 1d177fc31..17fc60a34 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md 
@@ -77,7 +77,29 @@ An example of `trustpolicy.json`: "level": "strict" }, "trustStores": [ "ca:wabbit-networks" ], // The trust stores that contains the X.509 trusted roots. - "trustedIdentities": [ // Identities that are trusted to sign the artifact. + "trustedIdentities": [ // Identities that are trusted to sign the artifact. It only includes identities of `ca` and `signingAuthority`. + "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Finance, CN=SecureBuilder" + ] + } + ] +} +``` + +An example of `trustpolicy.json` with RFC 3161 timestamp verification support: + +```jsonc +{ + "version": "1.0", + "trustPolicies": [ + { + "name": "wabbit-networks-images", + "registryScopes": [ "localhost:5000/net-monitor" ], + "signatureVerification": { + "level": "strict", + "verifyTimestamp": "afterCertExpiry" // Only verify timestamp countersignatures if any code signing certificate has expired. + }, + "trustStores": [ "ca:wabbit-networks", "tsa:wabbit-networks-timestamp" ], // To enable timestamp verification, trust store type `tsa` MUST be configured. + "trustedIdentities": [ "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Finance, CN=SecureBuilder" ] } 
@@ -175,11 +197,14 @@ Warning: Always verify the artifact using digest(@sha256:...) rather than a tag Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` -### Verify timestamp countersignature at the time point been stamped +### Verify signatures with RFC 3161 timestamp countersignature on an OCI artifact ```shell -# Verify timestamp countersignature at the time point been stamped -notation verify --at-timestamped-time localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 +# Prerequisites: Configure TSA trust store by adding the root certificate of the TSA into trust store named "wabbit-network-timestamp" of type "tsa" +notation certificate add --type tsa --store wabbit-networks-timestamp wabbit-networks-tsa.crt + +# Verify signatures on an OCI artifact +notation verify localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` An example of output messages for a successful verification: From 940a728911366157f12b47d8dbd31ff4cf741ae1 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 15 Jul 2024 13:52:55 +0800 Subject: [PATCH 60/80] updated verify spec Signed-off-by: Patrick Zheng --- specs/commandline/verify.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 17fc60a34..9996a8f7f 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md 
@@ -96,7 +96,7 @@ An example of `trustpolicy.json` with RFC 3161 timestamp verification support: "registryScopes": [ "localhost:5000/net-monitor" ], "signatureVerification": { "level": "strict", - "verifyTimestamp": "afterCertExpiry" // Only verify timestamp countersignatures if any code signing certificate has expired. + "verifyTimestamp": "afterCertExpiry" // Only verify timestamp countersignatures if any code signing certificate has expired. }, "trustStores": [ "ca:wabbit-networks", "tsa:wabbit-networks-timestamp" ], // To enable timestamp verification, trust store type `tsa` MUST be configured. "trustedIdentities": [ @@ -200,7 +200,7 @@ Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b993 ### Verify signatures with RFC 3161 timestamp countersignature on an OCI artifact ```shell -# Prerequisites: Configure TSA trust store by adding the root certificate of the TSA into trust store named "wabbit-network-timestamp" of type "tsa" +# Prerequisites: Configure TSA trust store by adding the root certificate of the trusted TSA into trust store named "wabbit-network-timestamp" of type "tsa" notation certificate add --type tsa --store wabbit-networks-timestamp wabbit-networks-tsa.crt # Verify signatures on an OCI artifact From 63322243713c19cbf255a10725cafce0e19aaf3e Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 15 Jul 2024 14:06:53 +0800 Subject: [PATCH 61/80] updated specs Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 4 ++-- specs/commandline/sign.md | 6 +++--- specs/commandline/verify.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index f1826c7d1..cf563edc5 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -86,7 +86,7 @@ Example - Sign an OCI artifact and store signature using the Referrers API. If i
 notation sign --force-referrers-tag=false /@
 Example - Sign an OCI artifact with timestamping:
- notation sign --tsa-url --tsa-root-cert /@
+ notation sign --tsa-url --tsa-root-cert /@
 `
 experimentalExamples := `
 Example - [Experimental] Sign an OCI artifact referenced in an OCI layout
@@ -144,7 +144,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage)
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign"))
 command.Flags().StringVar(&opts.tsaServerURL, "tsa-url", "", "timestamp authority server URL")
- command.Flags().StringVar(&opts.tsaRootCertificatePath, "tsa-root-cert", "", "filepath of trusted tsa root certificate")
+ command.Flags().StringVar(&opts.tsaRootCertificatePath, "tsa-root-cert", "", "filepath of timestamp authority root certificate")
 cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema")
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout")
 command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api")
diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md
index e9c55afa8..d2f83033f 100644
--- a/specs/commandline/sign.md
+++ b/specs/commandline/sign.md
@@ -42,7 +42,7 @@ Flags:
 --plugin string signing plugin name. This is mutually exclusive with the --key flag
 --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values.
 --signature-format string signature envelope format, options: "jws", "cose" (default "jws")
- --tsa-root-cert string filepath of trusted tsa root certificate
+ --tsa-root-cert string filepath of timestamp authority root certificate
 --tsa-url string timestamp authority server URL
 -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified)
 -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload
@@ -166,9 +166,9 @@ Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da
 # Signer has downloaded the TSA's root certificate in their file system.
 # Use option "--tsa-url" to specify the timestamp authority URL.
-# Use option "--tsa-root-cert" to specify the filepath of the trusted tsa root
+# Use option "--tsa-root-cert" to specify the filepath of the tsa root
 # certificate.
-notation sign --tsa-url --tsa-root-cert /@
+notation sign --tsa-url --tsa-root-cert /@
 ```
 ### [Experimental] Sign container images stored in OCI layout directory
diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md
index 9996a8f7f..99d474716 100644
--- a/specs/commandline/verify.md
+++ b/specs/commandline/verify.md
@@ -96,7 +96,7 @@ An example of `trustpolicy.json` with RFC 3161 timestamp verification support:
 "registryScopes": [ "localhost:5000/net-monitor" ],
 "signatureVerification": {
 "level": "strict",
- "verifyTimestamp": "afterCertExpiry" // Only verify timestamp countersignatures if any code signing certificate has expired.
+ "verifyTimestamp": "afterCertExpiry" // Only verify timestamp countersignatures if any code signing certificate has expired. DEFAULT: `always`
 },
 "trustStores": [ "ca:wabbit-networks", "tsa:wabbit-networks-timestamp" ], // To enable timestamp verification, trust store type `tsa` MUST be configured.
 "trustedIdentities": [
From 79599528d5a3e8a798bf5dcc739fc6c6899fa466 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Mon, 15 Jul 2024 19:00:39 +0800
Subject: [PATCH 62/80] updated per code review
Signed-off-by: Patrick Zheng
---
 cmd/notation/sign.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index cf563edc5..a3ca17df7 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -34,9 +34,9 @@ import (
 const referrersTagSchemaDeleteError = "failed to delete dangling referrers index"
-// TimestampingTimeout is the timeout when requesting timestamp countersignature
+// timestampingTimeout is the timeout when requesting timestamp countersignature
 // from a TSA
-const TimestampingTimeout = 15 * time.Second
+const timestampingTimeout = 15 * time.Second
 type signOpts struct {
 cmd.LoggingFlagOpts
@@ -217,10 +217,10 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 }
 if opts.tsaServerURL != "" {
 // timestamping
- fmt.Printf("Timestamping with TSA %q\n", opts.tsaServerURL)
- signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(&http.Client{Timeout: TimestampingTimeout}, opts.tsaServerURL)
+ fmt.Printf("Configured to timestamp with TSA %q\n", opts.tsaServerURL)
+ signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(&http.Client{Timeout: timestampingTimeout}, opts.tsaServerURL)
 if err != nil {
- return notation.SignOptions{}, fmt.Errorf("cannot get http timestamper for timestamping: %v", err)
+ return notation.SignOptions{}, fmt.Errorf("cannot get http timestamper for timestamping: %w", err)
 }
 rootCerts, err := corex509.ReadCertificateFile(opts.tsaRootCertificatePath)
@@ -230,8 +230,9 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 if len(rootCerts) == 0 {
 return notation.SignOptions{}, fmt.Errorf("cannot read tsa root certificate from %q", opts.tsaRootCertificatePath)
 }
- signOpts.TSARootCAs = x509.NewCertPool()
- signOpts.TSARootCAs.AddCert(rootCerts[0])
+ rootCAs := x509.NewCertPool()
+ rootCAs.AddCert(rootCerts[0])
+ signOpts.TSARootCAs = rootCAs
 }
 return signOpts, nil
 }
From efa5a28df81878c2428240f52fca28fa1b5ce8e6 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 16 Jul 2024 12:41:26 +0800
Subject: [PATCH 63/80] updated per code review
Signed-off-by: Patrick Zheng
---
 cmd/notation/sign.go | 4 ++--
 specs/commandline/sign.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index a3ca17df7..d810ee5f5 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
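Review bot: The new `rootCAs.AddCert(rootCerts[0])` in the second hunk trusts only the first certificate ReadCertificateFile returns and silently drops any others, and nothing checks that the chosen certificate is a CA or self-issued, so a bundle or a leaf/intermediate TSA certificate handed to `--tsa-root-cert` is accepted here and presumably only fails later, during chain validation of the timestamp token, with a less obvious error. I would make the contract explicit by replacing the `== 0` check with `if len(rootCerts) != 1 { return notation.SignOptions{}, fmt.Errorf("expected exactly one tsa root certificate in %q, got %d", opts.tsaRootCertificatePath, len(rootCerts)) }` and rejecting a certificate whose `IsCA` is false or whose RawIssuer differs from its RawSubject. Separately, the `fmt.Printf("Configured to timestamp with TSA %q\n", ...)` in the first hunk writes to stdout rather than to the logger, so it interleaves with the command's normal output. prepareSigningOpts begins before the first hunk.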
@@ -143,7 +143,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig)
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage)
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign"))
- command.Flags().StringVar(&opts.tsaServerURL, "tsa-url", "", "timestamp authority server URL")
+ command.Flags().StringVar(&opts.tsaServerURL, "tsa-url", "", "RFC3161 Timestamping Authority (TSA) server URL")
 command.Flags().StringVar(&opts.tsaRootCertificatePath, "tsa-root-cert", "", "filepath of timestamp authority root certificate")
 cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema")
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout")
@@ -228,7 +228,7 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 return notation.SignOptions{}, err
 }
 if len(rootCerts) == 0 {
- return notation.SignOptions{}, fmt.Errorf("cannot read tsa root certificate from %q", opts.tsaRootCertificatePath)
+ return notation.SignOptions{}, fmt.Errorf("cannot find any tsa root certificate from %q. Expecting x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
 }
 rootCAs := x509.NewCertPool()
 rootCAs.AddCert(rootCerts[0])
diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md
index d2f83033f..6a75908af 100644
--- a/specs/commandline/sign.md
+++ b/specs/commandline/sign.md
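Review bot: The new error string in the `@@ -228` hunk embeds a capitalised sentence with a period, which reads oddly once a caller wraps it (`...: cannot find any tsa root certificate from "x". Expecting ...`); Go error strings are conventionally lowercase without trailing punctuation. Suggested: `fmt.Errorf("cannot find any tsa root certificate in %q; expecting an x509 certificate in PEM or DER format", opts.tsaRootCertificatePath)`. prepareSigningOpts starts and ends outside this hunk.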
@@ -43,7 +43,7 @@ Flags: --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. --signature-format string signature envelope format, options: "jws", "cose" (default "jws") --tsa-root-cert string filepath of timestamp authority root certificate - --tsa-url string timestamp authority server URL + --tsa-url string RFC3161 Timestamping Authority (TSA) server URL -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload -v, --verbose verbose mode @@ -157,7 +157,7 @@ Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag( Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 ``` -### Sign an OCI artifact and timestamp the signature with user specified timestamp authority +### Sign an OCI artifact and timestamp the signature with user specified RFC3161 Timestamp Authority (TSA) ```shell # Prerequisites: From a95b98717010804ad7e3e7ad4259b2decf7778d9 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 16 Jul 2024 15:41:38 +0800 Subject: [PATCH 64/80] update Signed-off-by: Patrick Zheng --- internal/httputil/client.go | 38 ++++++++++++++++++++++++++++++------- internal/trace/client.go | 27 ++++++++++++++++++++++++++ internal/trace/transport.go | 13 +++---------- 3 files changed, 61 insertions(+), 17 deletions(-) create mode 100644 internal/trace/client.go diff --git a/internal/httputil/client.go b/internal/httputil/client.go index ee0324ed5..1a13f97e1 100644 --- a/internal/httputil/client.go +++ b/internal/httputil/client.go 
@@ -22,14 +22,38 @@ import (
 "oras.land/oras-go/v2/registry/remote/auth"
 )
-// NewAuthClient returns an *auth.Client
-func NewAuthClient(ctx context.Context, httpClient *http.Client) *auth.Client {
- client := &auth.Client{
- Client: httpClient,
+// NewClient returns an *http.Client with debug log and user agent set
+func NewClient(ctx context.Context, client *http.Client) *http.Client {
+ client = trace.SetHTTPDebugLog(ctx, client)
+ client.Transport = SetUserAgent(client.Transport)
+ return client
+}
+
+// NewAuthClient returns an *auth.Client with debug log and user agent set
+func NewAuthClient(ctx context.Context, client *http.Client) *auth.Client {
+ return &auth.Client{
+ Client: NewClient(ctx, client),
 Cache: auth.NewCache(),
 ClientID: "notation",
 }
- client.SetUserAgent("notation/" + version.GetVersion())
- trace.SetHTTPDebugLog(ctx, client)
- return client
+}
+
+type userAgentTransport struct {
+ base http.RoundTripper
+}
+
+func (t *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+ r := req.Clone(req.Context())
+ if r.Header == nil {
+ r.Header = http.Header{}
+ }
+ r.Header.Set("User-Agent", "notation/"+version.GetVersion())
+ return t.base.RoundTrip(r)
+}
+
+// SetUserAgent sets the user agent for all out-going requests.
+func SetUserAgent(rt http.RoundTripper) http.RoundTripper {
+ return &userAgentTransport{
+ base: rt,
+ }
+}
diff --git a/internal/trace/client.go b/internal/trace/client.go
new file mode 100644
index 000000000..f3dfb1902
--- /dev/null
+++ b/internal/trace/client.go
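Review bot: `NewClient` dereferences `client` and wraps `client.Transport` without checking either for nil, so a nil client panics at the `client.Transport = ...` assignment, and a client with no Transport (the common `&http.Client{Timeout: ...}` form) gets a `userAgentTransport` whose `base` is nil and panics inside `RoundTrip` on the first request. The removed code guarded both cases inside `SetHTTPDebugLog`, but that guard now runs only at debug level, so the panic appears exactly in the non-debug path. Defaulting the transport in `SetUserAgent`, `if rt == nil { rt = http.DefaultTransport }`, closes the second case regardless of log level; the first needs `if client == nil { client = &http.Client{} }` at the top of `NewClient`. The new `RoundTrip` also silently replaces any User-Agent the caller set on the request, which deserves a comment on the method.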
@@ -0,0 +1,27 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package trace
+
+import "net/http"
+
+func NewHTTPClient(client *http.Client) *http.Client {
+ if client == nil {
+ client = &http.Client{}
+ }
+ if client.Transport == nil {
+ client.Transport = http.DefaultTransport
+ }
+ client.Transport = NewTransport(client.Transport)
+ return client
+}
diff --git a/internal/trace/transport.go b/internal/trace/transport.go
index a83ebda19..b3afe8140 100644
--- a/internal/trace/transport.go
+++ b/internal/trace/transport.go
@@ -36,7 +36,6 @@ import (
 "github.com/notaryproject/notation-go/log"
 "github.com/sirupsen/logrus"
- "oras.land/oras-go/v2/registry/remote/auth"
 )
 // Transport is an http.RoundTripper that keeps track of the in-flight
@@ -87,15 +86,9 @@ func logHeader(header http.Header, e log.Logger) {
 }
 // SetHTTPDebugLog sets up http debug log with logrus.Logger
-func SetHTTPDebugLog(ctx context.Context, authClient *auth.Client) {
+func SetHTTPDebugLog(ctx context.Context, client *http.Client) *http.Client {
 if logrusLog, ok := log.GetLogger(ctx).(*logrus.Logger); !ok || logrusLog.Level != logrus.DebugLevel {
- return
+ return client
 }
- if authClient.Client == nil {
- authClient.Client = &http.Client{}
- }
- if authClient.Client.Transport == nil {
- authClient.Client.Transport = http.DefaultTransport
- }
- authClient.Client.Transport = NewTransport(authClient.Client.Transport)
+ return NewHTTPClient(client)
 }
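Review bot: `NewHTTPClient` in the new trace/client.go is exported without a doc comment, and nothing states that it modifies the client it is given rather than returning a copy. Suggested: `// NewHTTPClient installs a tracing Transport on client in place (a nil client or Transport is replaced by http.Client{} / http.DefaultTransport) and returns it.` The updated `SetHTTPDebugLog` comment in transport.go should likewise say that the client is returned after being modified in place, since a caller that ignores the return value still sees the side effect.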
From 76ee7c74adf0d59448438d6b37244788a05bac63 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 16 Jul 2024 15:57:45 +0800
Subject: [PATCH 65/80] fix
Signed-off-by: Patrick Zheng
---
 cmd/notation/sign.go | 8 +++++---
 go.mod | 1 +
 internal/httputil/client.go | 3 +++
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index d810ee5f5..e1f9b6e42 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -27,9 +27,11 @@ import (
 "github.com/notaryproject/notation/cmd/notation/internal/experimental"
 "github.com/notaryproject/notation/internal/cmd"
 "github.com/notaryproject/notation/internal/envelope"
+ "github.com/notaryproject/notation/internal/httputil"
 "github.com/notaryproject/tspclient-go"
 ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/spf13/cobra"
+ "golang.org/x/net/context"
 )
 const referrersTagSchemaDeleteError = "failed to delete dangling referrers index"
@@ -166,7 +168,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 if err != nil {
 return err
 }
- signOpts, err := prepareSigningOpts(cmdOpts)
+ signOpts, err := prepareSigningOpts(ctx, cmdOpts)
 if err != nil {
 return err
 }
@@ -194,7 +196,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 return nil
 }
-func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
+func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptions, error) {
 mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat)
 if err != nil {
 return notation.SignOptions{}, err
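Review bot: The import hunk adds `"golang.org/x/net/context"` to supply the `context.Context` in the new `prepareSigningOpts` signature, but that package is only a compatibility alias for the standard library and drags in a new module requirement (the `golang.org/x/net` line added to go.mod in the next commit). Replace it with `"context"` in the standard-library import group; no code changes. runSign and prepareSigningOpts both extend beyond these hunks.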
@@ -218,7 +220,7 @@ func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
 if opts.tsaServerURL != "" {
 // timestamping
 fmt.Printf("Configured to timestamp with TSA %q\n", opts.tsaServerURL)
- signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(&http.Client{Timeout: timestampingTimeout}, opts.tsaServerURL)
+ signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(httputil.NewClient(ctx, &http.Client{Timeout: timestampingTimeout}), opts.tsaServerURL)
 if err != nil {
 return notation.SignOptions{}, fmt.Errorf("cannot get http timestamper for timestamping: %w", err)
 }
diff --git a/go.mod b/go.mod
index b251cef90..e9c9682ae 100644
--- a/go.mod
+++ b/go.mod
@@ -11,6 +11,7 @@ require (
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.1
 github.com/spf13/pflag v1.0.5
+ golang.org/x/net v0.22.0
 golang.org/x/term v0.22.0
 oras.land/oras-go/v2 v2.5.0
 )
diff --git a/internal/httputil/client.go b/internal/httputil/client.go
index 1a13f97e1..01dae52df 100644
--- a/internal/httputil/client.go
+++ b/internal/httputil/client.go
@@ -24,6 +24,9 @@ import (
 // NewClient returns an *http.Client with debug log and user agent set
 func NewClient(ctx context.Context, client *http.Client) *http.Client {
+ if client == nil {
+ client = &http.Client{}
+ }
 client = trace.SetHTTPDebugLog(ctx, client)
 client.Transport = SetUserAgent(client.Transport)
 return client
From 4364750d58c672754dc5c0dd58b2da8df463b48c Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 16 Jul 2024 16:01:47 +0800
Subject: [PATCH 66/80] update dependencies
Signed-off-by: Patrick Zheng
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 test/e2e/go.mod | 4 ++--
 test/e2e/go.sum | 12 ++++++------
 test/e2e/plugin/go.mod | 4 ++--
 test/e2e/plugin/go.sum | 8 ++++----
 6 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/go.mod b/go.mod
index e9c9682ae..444b3f597 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module github.com/notaryproject/notation go 1.22 require ( - github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 + github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b - github.com/notaryproject/tspclient-go v0.1.0 + github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 github.com/sirupsen/logrus v1.9.3 diff --git a/go.sum b/go.sum index 16b84db7b..e40a11dc3 100644 --- a/go.sum +++ b/go.sum 
@@ -35,14 +35,14 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= -github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= -github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= +github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw= +github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY= github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc= github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= -github.com/notaryproject/tspclient-go v0.1.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod 
h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 479c3afb0..3ec40e084 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -3,7 +3,7 @@ module github.com/notaryproject/notation/test/e2e go 1.21 require ( - github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 + github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 github.com/opencontainers/image-spec v1.1.0 @@ -16,7 +16,7 @@ require ( github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 // indirect - github.com/notaryproject/tspclient-go v0.1.0 // indirect + github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index af9795130..90c7a3af3 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
@@ -13,10 +13,10 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9tRnGuw+ZVCB3FazXODD6JE1R8= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= -github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= -github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= -github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= -github.com/notaryproject/tspclient-go v0.1.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw= +github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= 
@@ -35,8 +35,8 @@ github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4 github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 16d3a846c..21f7839a9 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -4,7 +4,7 @@ go 1.21 require ( github.com/golang-jwt/jwt v3.2.2+incompatible - github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 + github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b github.com/notaryproject/notation-plugin-framework-go v1.0.0 github.com/spf13/cobra v1.7.0 @@ -18,7 +18,7 @@ require ( github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/notaryproject/tspclient-go v0.1.0 // indirect + github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect 
diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index 3d7eb762e..ee6207dd3 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -37,14 +37,14 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= -github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE= -github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= +github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw= +github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY= github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc= github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= -github.com/notaryproject/tspclient-go v0.1.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod 
h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
From ebebefe1bc06404af502597558db6aac7fb4f830 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 16 Jul 2024 16:48:56 +0800
Subject: [PATCH 67/80] update
Signed-off-by: Patrick Zheng
---
 internal/httputil/client.go | 40 ++++++++++++++++++++++---------------
 internal/trace/client.go | 27 -------------------------
 internal/trace/transport.go | 9 ++++++++-
 3 files changed, 32 insertions(+), 44 deletions(-)
 delete mode 100644 internal/trace/client.go
diff --git a/internal/httputil/client.go b/internal/httputil/client.go
index 01dae52df..cff1d8bbe 100644
--- a/internal/httputil/client.go
+++ b/internal/httputil/client.go
@@ -22,23 +22,24 @@ import (
 "oras.land/oras-go/v2/registry/remote/auth"
 )
-// NewClient returns an *http.Client with debug log and user agent set
-func NewClient(ctx context.Context, client *http.Client) *http.Client {
- if client == nil {
- client = &http.Client{}
- }
- client = trace.SetHTTPDebugLog(ctx, client)
- client.Transport = SetUserAgent(client.Transport)
- return client
-}
+var userAgent = "notation/" + version.GetVersion()
 // NewAuthClient returns an *auth.Client with debug log and user agent set
-func NewAuthClient(ctx context.Context, client *http.Client) *auth.Client {
- return &auth.Client{
- Client: NewClient(ctx, client),
+func NewAuthClient(ctx context.Context, httpClient *http.Client) *auth.Client {
+ httpClient = trace.SetHTTPDebugLog(ctx, httpClient)
+ client := &auth.Client{
+ Client: httpClient,
 Cache: auth.NewCache(),
 ClientID: "notation",
 }
+ client.SetUserAgent(userAgent)
+ return client
+}
+
+// NewClient returns an *http.Client with debug log and user agent set
+func NewClient(ctx context.Context, client *http.Client) *http.Client {
+ client = trace.SetHTTPDebugLog(ctx, client)
+ return SetUserAgent(client)
 }
 type userAgentTransport struct {
@@ -50,13 +51,20 @@ func (t *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error
 if r.Header == nil {
 r.Header = http.Header{}
 }
- r.Header.Set("User-Agent", "notation/"+version.GetVersion())
+ r.Header.Set("User-Agent", userAgent)
 return t.base.RoundTrip(r)
 }
 // SetUserAgent sets the user agent for all out-going requests.
-func SetUserAgent(rt http.RoundTripper) http.RoundTripper {
- return &userAgentTransport{
- base: rt,
+func SetUserAgent(client *http.Client) *http.Client {
+ if client == nil {
+ client = &http.Client{}
+ }
+ if client.Transport == nil {
+ client.Transport = http.DefaultTransport
 }
+ client.Transport = &userAgentTransport{
+ base: client.Transport,
+ }
+ return client
 }
diff --git a/internal/trace/client.go b/internal/trace/client.go
deleted file mode 100644
index f3dfb1902..000000000
--- a/internal/trace/client.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright The Notary Project Authors.
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package trace
-
-import "net/http"
-
-func NewHTTPClient(client *http.Client) *http.Client {
- if client == nil {
- client = &http.Client{}
- }
- if client.Transport == nil {
- client.Transport = http.DefaultTransport
- }
- client.Transport = NewTransport(client.Transport)
- return client
-}
diff --git a/internal/trace/transport.go b/internal/trace/transport.go
index b3afe8140..6d6f9546c 100644
--- a/internal/trace/transport.go
+++ b/internal/trace/transport.go
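Review bot: `SetUserAgent` now assigns `client.Transport` on the pointer it receives, as does the rewritten `SetHTTPDebugLog` in this commit's transport.go hunk, so a caller that passes a shared client such as `http.DefaultClient` gets its transport replaced process-wide, and calling either helper twice on the same client stacks a second wrapper. Neither doc comment mentions the in-place mutation; suggested for this one: `// SetUserAgent wraps client.Transport in place so every request carries notation's User-Agent. Do not pass a shared client such as http.DefaultClient.`, with the equivalent wording on `SetHTTPDebugLog` and on the `NewClient`/`NewAuthClient` wrappers in the previous hunk. A cheap guard against double wrapping is to return early when `client.Transport` is already a `*userAgentTransport`.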
@@ -90,5 +90,12 @@ func SetHTTPDebugLog(ctx context.Context, client *http.Client) *http.Client {
 if logrusLog, ok := log.GetLogger(ctx).(*logrus.Logger); !ok || logrusLog.Level != logrus.DebugLevel {
 return client
 }
- return NewHTTPClient(client)
+ if client == nil {
+ client = &http.Client{}
+ }
+ if client.Transport == nil {
+ client.Transport = http.DefaultTransport
+ }
+ client.Transport = NewTransport(client.Transport)
+ return client
 }
From 41b5551e225c69f5a32dca6a1448b46492c3e38c Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 17 Jul 2024 09:57:44 +0800
Subject: [PATCH 68/80] naming
Signed-off-by: Patrick Zheng
---
 cmd/notation/sign.go | 10 +++++-----
 specs/commandline/sign.md | 10 +++++-----
 test/e2e/suite/command/sign.go | 22 +++++++++++-----------
 test/e2e/suite/command/verify.go | 6 +++---
 4 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index e1f9b6e42..ed21f6fb7 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -88,7 +88,7 @@ Example - Sign an OCI artifact and store signature using the Referrers API. If i
 notation sign --force-referrers-tag=false /@
 Example - Sign an OCI artifact with timestamping:
- notation sign --tsa-url --tsa-root-cert /@
+ notation sign --timestamp-url --timestamp-root-cert /@
 `
 experimentalExamples := `
 Example - [Experimental] Sign an OCI artifact referenced in an OCI layout
@@ -117,7 +117,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 },
 RunE: func(cmd *cobra.Command, args []string) error {
 // timestamping
- if cmd.Flags().Changed("tsa-url") {
+ if cmd.Flags().Changed("timestamp-url") {
 if opts.tsaServerURL == "" {
 return errors.New("timestamping: tsa url cannot be empty")
 }
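Review bot: The flag name `"timestamp-url"` is spelled out as a string literal in `Flags().Changed` in the `@@ -117` hunk, again in `StringVar` and `MarkFlagsRequiredTogether` in the `@@ -145` hunk that follows, and in the example text, which is why this rename had to touch every site by hand. Declaring `const flagTimestampURL = "timestamp-url"` (and `flagTimestampRootCert = "timestamp-root-cert"`) next to `timestampingTimeout` and using the constants in all three calls makes the next rename a one-line change and lets the compiler catch a mismatch between the name registered and the name checked. The `RunE` closure continues past the hunk.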
@@ -145,12 +145,12 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig) cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage) cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign")) - command.Flags().StringVar(&opts.tsaServerURL, "tsa-url", "", "RFC3161 Timestamping Authority (TSA) server URL") - command.Flags().StringVar(&opts.tsaRootCertificatePath, "tsa-root-cert", "", "filepath of timestamp authority root certificate") + command.Flags().StringVar(&opts.tsaServerURL, "timestamp-url", "", "RFC3161 Timestamping Authority (TSA) server URL") + command.Flags().StringVar(&opts.tsaRootCertificatePath, "timestamp-root-cert", "", "filepath of timestamp authority root certificate") cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api") - command.MarkFlagsRequiredTogether("tsa-url", "tsa-root-cert") + command.MarkFlagsRequiredTogether("timestamp-url", "timestamp-root-cert") experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 6a75908af..64c818de0 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
@@ -42,8 +42,8 @@ Flags: --plugin string signing plugin name. This is mutually exclusive with the --key flag --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. --signature-format string signature envelope format, options: "jws", "cose" (default "jws") - --tsa-root-cert string filepath of timestamp authority root certificate - --tsa-url string RFC3161 Timestamping Authority (TSA) server URL + --timestamp-root-cert string filepath of timestamp authority root certificate + --timestamp-url string RFC3161 Timestamping Authority (TSA) server URL -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload -v, --verbose verbose mode @@ -165,10 +165,10 @@ Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da # Signer knows the TSA url that they want to use to require a RFC 3161 timestamp. # Signer has downloaded the TSA's root certificate in their file system. -# Use option "--tsa-url" to specify the timestamp authority URL. -# Use option "--tsa-root-cert" to specify the filepath of the tsa root +# Use option "--timestamp-url" to specify the timestamp authority URL. +# Use option "--timestamp-root-cert" to specify the filepath of the tsa root # certificate. -notation sign --tsa-url --tsa-root-cert /@ +notation sign --timestamp-url --timestamp-root-cert /@ ``` ### [Experimental] Sign container images stored in OCI layout directory diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 1b3701d84..774a9d5ad 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
@@ -261,42 +261,42 @@ var _ = Describe("notation sign", func() { It("with timestamping", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + notation.Exec("sign", "--timestamp-url", "http://rfc3161timestamp.globalsign.com/advanced", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) }) }) - It("with tsa-root-cert but no tsa-url", func() { + It("with timestamp-root-cert but no timestamp-url", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). - MatchErrKeyWords("Error: if any flags in the group [tsa-url tsa-root-cert] are set they must all be set; missing [tsa-url]") + notation.ExpectFailure().Exec("sign", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: if any flags in the group [timestamp-url timestamp-root-cert] are set they must all be set; missing [timestamp-url]") }) }) - It("with tsa-url but no tsa-root-cert", func() { + It("with timestamp-url but no timestamp-root-cert", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). 
- MatchErrKeyWords("Error: if any flags in the group [tsa-url tsa-root-cert] are set they must all be set; missing [tsa-root-cert]") + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://rfc3161timestamp.globalsign.com/advanced", artifact.ReferenceWithDigest()). + MatchErrKeyWords("Error: if any flags in the group [timestamp-url timestamp-root-cert] are set they must all be set; missing [timestamp-root-cert]") }) }) It("with empty tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). + notation.ExpectFailure().Exec("sign", "--timestamp-url", "", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: timestamping: tsa url cannot be empty") }) }) It("with empty tsa root cert", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "dummy", "--tsa-root-cert", "", artifact.ReferenceWithDigest()). + notation.ExpectFailure().Exec("sign", "--timestamp-url", "dummy", "--timestamp-root-cert", "", artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: timestamping: tsa root certificate path cannot be empty") }) }) It("with invalid tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "http://invalid.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). 
+ notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://invalid.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: timestamp: Post \"http://invalid.com\""). MatchErrKeyWords("server misbehaving") }) @@ -304,7 +304,7 @@ var _ = Describe("notation sign", func() { It("with invalid tsa root certificate", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "invalid.crt"), artifact.ReferenceWithDigest()). + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "invalid.crt"), artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: x509: malformed certificate") }) }) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index ae9935cc0..f5f8aa333 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go @@ -215,7 +215,7 @@ var _ = Describe("notation verify", func() { It("with timestamp verification disabled", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). + notation.Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). 
@@ -226,7 +226,7 @@ var _ = Describe("notation verify", func() { It("with timestamp verification", func() { Host(TimestampOptions(""), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). + notation.Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). @@ -237,7 +237,7 @@ var _ = Describe("notation verify", func() { It("with verifyTimestamp set as afterCertExpiry", func() { Host(TimestampOptions("afterCertExpiry"), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--tsa-url", "http://timestamp.digicert.com", "--tsa-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). + notation.Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). From 81f01bad54506321a91141164146394b4dc28e9a Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 17 Jul 2024 10:00:57 +0800 Subject: [PATCH 69/80] updated per code review Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- internal/httputil/client.go | 1 + specs/commandline/sign.md | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index ed21f6fb7..67761e86d 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -145,7 +145,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig) cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage) cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign")) - command.Flags().StringVar(&opts.tsaServerURL, "timestamp-url", "", "RFC3161 Timestamping Authority (TSA) server URL") + command.Flags().StringVar(&opts.tsaServerURL, "timestamp-url", "", "RFC 3161 Timestamping Authority (TSA) server URL") command.Flags().StringVar(&opts.tsaRootCertificatePath, "timestamp-root-cert", "", "filepath of timestamp authority root certificate") cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") diff --git a/internal/httputil/client.go b/internal/httputil/client.go index cff1d8bbe..c9c39f676 100644 --- a/internal/httputil/client.go +++ b/internal/httputil/client.go @@ -46,6 +46,7 @@ type userAgentTransport struct { base http.RoundTripper } +// RoundTrip returns t.Base.RoundTrip with user agent set in the request Header func (t *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error) { r := req.Clone(req.Context()) if r.Header == nil { diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 64c818de0..d5bec74ab 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
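Review bot: The doc comment added to RoundTrip refers to `t.Base.RoundTrip`, but the struct field in the context line two lines above is `base http.RoundTripper`, so the comment names a field that does not exist and will mislead anyone grepping for it. Suggest `// RoundTrip clones the request, sets the User-Agent header on the clone and delegates to t.base.RoundTrip, so the caller's request is never mutated.` — the clone is visible in the hunk, the header write is inferred from the type name and happens past the hunk. The body of RoundTrip continues outside this hunk.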
@@ -43,7 +43,7 @@ Flags: --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. --signature-format string signature envelope format, options: "jws", "cose" (default "jws") --timestamp-root-cert string filepath of timestamp authority root certificate - --timestamp-url string RFC3161 Timestamping Authority (TSA) server URL + --timestamp-url string RFC 3161 Timestamping Authority (TSA) server URL -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload -v, --verbose verbose mode From 1b975407d5ffb4bc9f3bf2f45b7fb1967943150d Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 17 Jul 2024 10:56:00 +0800 Subject: [PATCH 70/80] update Signed-off-by: Patrick Zheng --- specs/commandline/sign.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index d5bec74ab..efc5dd6c0 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
@@ -30,23 +30,23 @@ Usage: notation sign [flags] Flags: - --force-referrers-tag force to store signatures using the referrers tag schema (default true) - -d, --debug debug mode - -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m - -h, --help help for sign - --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag - --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing - -k, --key string signing key name, for a key previously added to notation's key list. This is mutually exclusive with the --id and --plugin flags - --oci-layout [Experimental] sign the artifact stored as OCI image layout - -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) - --plugin string signing plugin name. This is mutually exclusive with the --key flag - --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. - --signature-format string signature envelope format, options: "jws", "cose" (default "jws") - --timestamp-root-cert string filepath of timestamp authority root certificate - --timestamp-url string RFC 3161 Timestamping Authority (TSA) server URL - -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) - -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload - -v, --verbose verbose mode + --force-referrers-tag force to store signatures using the referrers tag schema (default true) + -d, --debug debug mode + -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). 
For example: 12h, 30m, 3h20m + -h, --help help for sign + --id string key id (required if --plugin is set). This is mutually exclusive with the --key flag + --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing + -k, --key string signing key name, for a key previously added to notation's key list. This is mutually exclusive with the --id and --plugin flags + --oci-layout [Experimental] sign the artifact stored as OCI image layout + -p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified) + --plugin string signing plugin name. This is mutually exclusive with the --key flag + --plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, refer plugin's documentation to set appropriate values. + --signature-format string signature envelope format, options: "jws", "cose" (default "jws") + --timestamp-root-cert string filepath of timestamp authority root certificate + --timestamp-url string RFC 3161 Timestamping Authority (TSA) server URL + -u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified) + -m, --user-metadata stringArray {key}={value} pairs that are added to the signature payload + -v, --verbose verbose mode ``` ### Set config property for OCI image manifest From 49c8b81dc1ac12df1791cacf396e205c726df4e9 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 11:13:29 +0800 Subject: [PATCH 71/80] updated per code review 
Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 5 +- internal/testdata/intermediate.pem | 17 ++++++ internal/testdata/self-signed.crt | 20 +++++++ internal/testdata/tsaRootCA.cer | Bin 0 -> 1428 bytes internal/x509/cert.go | 30 ++++++++++ internal/x509/cert_test.go | 54 ++++++++++++++++++ test/e2e/suite/command/sign.go | 16 ++++++ .../testdata/config/timestamp/CertChain.pem | 22 +++++++ test/e2e/testdata/config/timestamp/Empty.txt | 0 9 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 internal/testdata/intermediate.pem create mode 100644 internal/testdata/self-signed.crt create mode 100644 internal/testdata/tsaRootCA.cer create mode 100644 internal/x509/cert.go create mode 100644 internal/x509/cert_test.go create mode 100644 test/e2e/testdata/config/timestamp/CertChain.pem create mode 100644 test/e2e/testdata/config/timestamp/Empty.txt diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 67761e86d..d57a1ab3a 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -230,7 +230,10 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio return notation.SignOptions{}, err } if len(rootCerts) == 0 { - return notation.SignOptions{}, fmt.Errorf("cannot find any tsa root certificate from %q. Expecting x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting one x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + } + if len(rootCerts) > 1 { + return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting one x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } rootCAs := x509.NewCertPool() rootCAs.AddCert(rootCerts[0]) diff --git a/internal/testdata/intermediate.pem b/internal/testdata/intermediate.pem new file mode 100644 index 000000000..83e1ccece --- /dev/null 
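Review bot: The new error text `find more than one certificates from %q` is ungrammatical and will be copied verbatim into bug reports; `return notation.SignOptions{}, fmt.Errorf("found more than one certificate in %q. Expecting one x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)` reads correctly. The E2E case added at the end of this patch matches on `find more than one certificates`, so its keyword would change with it. Rejecting a PEM bundle (root plus intermediates) is a defensible choice for a trust anchor, but the `--timestamp-root-cert` help text only says "filepath of timestamp authority root certificate"; stating that the file must hold exactly one certificate would save users a round trip. prepareSigningOpts starts and ends outside this hunk.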
+++ b/internal/testdata/intermediate.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 +MCAXDTIyMDYzMDE5MjAwM1oYDzMwMjExMDMxMTkyMDAzWjAYMRYwFAYDVQQDDA1J +bnRlcm1lZGlhdGUxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1JTs +aiC/7+bho43kMVyHDwCsuocYp4PvYahB59NsKDR4QbrImU5ziaQ94D0DQqthe9pm +qOW0SxN/vSRJAZFELxacrB9hc1y4MjiDYaRSt/LVx7astylBV/QRpmxWSEqp0Avu +6nMJivIa1sD0WIEchizx6jG9BI5ULr9LbJICYvMgDalQR+0JGG+rKWnf1mPZyxEu +9zEh215LCg5K56P3W5kC8fKBXSdSgTqZAvHzp6u78qet9S8gARtOEfS03A/7y7MC +U0Sn2wdQyQdci0PBsR2sTZvUw179Cr93r5aRbb3I6jXgMWHAP2vvIndb9CM9ePyY +yEy4Je7oWVVfMQ3CWQIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud +DwEB/wQEAwICBDANBgkqhkiG9w0BAQsFAAOCAQEALR0apUQVbWGmagLUz4Y/bRsl +mY9EJJXCiLuSxVWd3offjZfQTlGkQkCAW9FOQnm7JhEtaaHF1+AEVLo56/Gsd/hk +sXsrBagYGi72jun7QTb6j7iZ3X9zanrP3SjdkpjVnqxRfH83diSh0r68Xruq1NSK +qhUy1V+KQaXF0SSEutPqdTCoXUyxyXohVLU78uqZX/jx9Nc1XDuW9AZd+hMsLdk8 +qGJqHYFvj2vOHGMTeYk8dWgMBthQeL0wdsg2AvKtAvn6FQXCN7mKCWjpFTtYsU8v +NsesS9M/i+geJjR/8/DDT3RP7S100BtCMm4XfHfmKcjXVaBh5evQVqGsa6TKLw== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/internal/testdata/self-signed.crt b/internal/testdata/self-signed.crt new file mode 100644 index 000000000..dd0094e90 --- /dev/null +++ b/internal/testdata/self-signed.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIBeTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEP +MA0GA1UEAxMGYWxwaW5lMB4XDTIzMDUwOTA0NTUxMloXDTMzMDUxMDA0NTUxMlow +TjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8w +DQYDVQQKEwZOb3RhcnkxDzANBgNVBAMTBmFscGluZTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAK5hpq1229GGLjMK6i9KZhuUO+SV7rUFnWIDiIPO5yWx +YDkl+bGroeAvJYu6MVCMQ6FMRXD9jhnG6R+sAHwY7gVgcJ1OXak87PkLp/Ii1Cr7 +XkkySZeD+Br1vSQzfxs3pFG+iBCeVVkeZdsg+xqwnAlqAILXwIbTGRyJP1Xiu9nw +OeuX1YmxPl2m29Pt1EtfVCL9COsVKt5LgOVyWP/9ISWevOBqSCU9bk35HFo9VTeU +f6+ffhSMjv0Y9uwkFFOKXpcV8Sa3ArqyBmgQlUfGg1iwYlqiDE0fTYxiB3gLgETA +lmTm50J+WB9LoDrnrQpbXFLoegm+JV+uSD8J8H7DL2sCAwEAAaMnMCUwDgYDVR0P +AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB +AQAt0Nvna1c4pPn8kzoN5VvmFmeIgdO/BJpmdhdg0WIQ9aeN/xPXXaVjPp1Mk7ed +XHAvBwQr0Gyzqyy7g/h0gdnAFG7f6blrRNzbrRBCq6cNqX8iwgK/9+2OYKxk1QWj +8Gx0cvu1DN1aXjPPGgQ2j3tHjJvJv32J/zuZa8gU40RPPSLaBlc5ZjpFmyi29sKl +TeeZ+F/Ssic51qXXw2CsYGGWK5yQ3xSCxbw6bb2G/s/YI7/KlWg9BktBJHzRu04Z +NR77W7/dyJ3Lj17PlW1XKmMOFHsQivagXeRCbmYZ43fX4ugFRFKL7KE0EgmGOWpJ +0xv+6ig93sqHzQ/0uv1YgFov +-----END CERTIFICATE----- 
diff --git a/internal/testdata/tsaRootCA.cer b/internal/testdata/tsaRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..99bcc84b7e68b5b28e4444f6fa21bc7c2baf497d GIT binary patch literal 1428 zcmXqLVx3^n#9Xm}nTe5!Nq}{>bojhJMWaWS?0c7&m&O?IvTn?JkswJuAWqo zP1e*s_a@Ho#N;1}iL*^!vmT3k6D_sp^~v*R*O)lOZ>&mtSAN1{MOt|H{E&z~9_{V^ z%MEUZy*pJM`*`h1|G1~7&kaxCnjCkhufO5ewuv(wCR84-IKFM;k*!%07R&;@H?Ej3 z(PORc_}XMAFtK2DXp^JS_1i4PT6q&0YZQI1>{%zxTpC-EcGJqxWtOqSeva!=o=Xlr zTe%?p?h^Gq3;iv(3Py;3SBY`!Px*c@v!iTAnQdgOQ(1fG^vo)c4-XazNvF*!Id#ul z?m1ubx@TA3Pnu*k&-M<(6Ia#FZL?e?wd)Q{*>Wi{_qFlOqxZd87|ztnOg-HHU2)SU z!R@>2KV9u9&~Z#ywJ}-3WvWzJQr)+P4ZmNcEHl2?$^LNf_GivZBz7z-XMD&%g-20# zQ;4Q&XUw*5U*l71pZrEK z{)j?gcK*iIZQcHduDQm~Rrs?|?&yL3MH}n5)MkEtlBqvKR`=`8m78RrN;5GtGB7T7 zGH@{92PS7(VMfOPEUX61K+1p*B)|_6U;*Z-HUn7@pN~b1MdZ!($4!?CV^e(Y>!sU2 z-!)^M48K2eDg$OPU@Bu|*qwN@c4f{!@gozZ4=-HA(EB(ggFozi`MQFie`k5k+~v@ z;|G_o$XKF&XYNn+bq1|Fzoq+H+4VTN((ZIU8a!-?Xwiwjs2;$JM? zvV8rD@42RPYNEQXEwY&TxuW}v?-ZoX1m*e!D1M{-ku zW1+3RZ-H_fkJp{XOJ|IxwD59pPM7gN@Ge`S#Ng5cOA~=sMNvkM7okS?3O#RXhzIyS z+vj_+bj^iRza4itFI{!{FsqBdj@j%-zaF{nP!7&v%TEujciZY?pQjO3sdj0}ilph6 zfR&$*WHWvetKHnrfA0t)=$1ze_=^}`TkG{L*Rlgt&`^}&Rl)f&LXk-+o%1iN!lfsC)s~w6 z?Tp>inj~vqxWQ7QGU@KxG3!Bhh+^5 ouE}lQ!_OaFs=4ZwaQTyaJ&lTM*#+DM*S6cTUo72o{&QL#0GZBIfB*mh literal 0 HcmV?d00001 diff --git a/internal/x509/cert.go b/internal/x509/cert.go new file mode 100644 index 000000000..d3e8a38f9 --- /dev/null +++ b/internal/x509/cert.go 
@@ -0,0 +1,30 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package x509
+
+import (
+ "bytes"
+ "crypto/x509"
+)
+
+// IsRootCertificate returns true if cert is a root certificate.
+// A root certificate MUST be a self-signed and self-issued CA certificate with
+// valid BasicConstraints.
+func IsRootCertificate(cert *x509.Certificate) (bool, error) {
+ // CheckSignatureFrom also checks cert.BasicConstraintsValid
+ if err := cert.CheckSignatureFrom(cert); err != nil {
+ return false, err
+ }
+ return cert.IsCA && bytes.Equal(cert.RawSubject, cert.RawIssuer), nil
+}
diff --git a/internal/x509/cert_test.go b/internal/x509/cert_test.go
new file mode 100644
index 000000000..780812629
--- /dev/null
+++ b/internal/x509/cert_test.go
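Review bot: IsRootCertificate verifies the root's own self-signature through `cert.CheckSignatureFrom(cert)`, and crypto/x509 refuses SHA-1 (and MD5) signature algorithms there with an InsecureAlgorithmError, so an otherwise usable trust anchor that is self-signed with SHA-1 — as far as I recall still the case for several long-lived public roots — is rejected with a cryptic error even though Go's chain verifier never checks a trust anchor's self-signature. The operator already vouches for this certificate by passing it via --timestamp-root-cert, so the digest strength of its self-signature adds no security; I would tolerate InsecureAlgorithmError and keep failing on a genuinely invalid signature or a constraint violation (needs an `errors` import). The doc comment should also state that the function returns false with a nil error only when the self-signature verifies but the certificate is not a CA (possible for v1/v2 certificates without BasicConstraints, if I read CheckSignatureFrom right) or its subject differs from its issuer.
```go
func IsRootCertificate(cert *x509.Certificate) (bool, error) {
	// CheckSignatureFrom also checks cert.BasicConstraintsValid
	if err := cert.CheckSignatureFrom(cert); err != nil {
		// A trust anchor's self-signature is never relied upon (crypto/x509
		// chain verification does not check it), so a weak digest on it is
		// not a reason to refuse the root; any other failure is still fatal.
		var insecure x509.InsecureAlgorithmError
		if !errors.As(err, &insecure) {
			return false, err
		}
	}
	return cert.IsCA && bytes.Equal(cert.RawSubject, cert.RawIssuer), nil
}
```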
@@ -0,0 +1,54 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package x509
+
+import (
+ "testing"
+
+ corex509 "github.com/notaryproject/notation-core-go/x509"
+)
+
+func TestIsRootCertificate(t *testing.T) {
+ tsaRoot, err := corex509.ReadCertificateFile("../testdata/tsaRootCA.cer")
+ if err != nil {
+ t.Fatal(err)
+ }
+ isRoot, err := IsRootCertificate(tsaRoot[0])
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !isRoot {
+ t.Fatal("expected IsRootCertificate to return true")
+ }
+
+ intermediate, err := corex509.ReadCertificateFile("../testdata/intermediate.pem")
+ if err != nil {
+ t.Fatal(err)
+ }
+ expectedErrMsg := "crypto/rsa: verification error"
+ _, err = IsRootCertificate(intermediate[0])
+ if err == nil || err.Error() != expectedErrMsg {
+ t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+ }
+
+ selfSigned, err := corex509.ReadCertificateFile("../testdata/self-signed.crt")
+ if err != nil {
+ t.Fatal(err)
+ }
+ expectedErrMsg = "x509: invalid signature: parent certificate cannot sign this kind of certificate"
+ _, err = IsRootCertificate(selfSigned[0])
+ if err == nil || err.Error() != expectedErrMsg {
+ t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+ }
+}
diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go
index 774a9d5ad..c226b6b8d 100644
--- a/test/e2e/suite/command/sign.go
+++ b/test/e2e/suite/command/sign.go
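Review bot: TestIsRootCertificate pins the exact wording of two standard-library errors (`crypto/rsa: verification error` and `x509: invalid signature: parent certificate cannot sign this kind of certificate`), so any Go release that rewords them breaks the test while the test still asserts nothing about the error's type. Both have typed counterparts that should hold given how crypto/x509 surfaces them: `errors.Is(err, rsa.ErrVerification)` for the intermediate case and `var cve x509.ConstraintViolationError; errors.As(err, &cve)` for the self-signed leaf. The `false, nil` branch of IsRootCertificate — self-signature valid but not a CA, or subject differing from issuer — is never exercised here; a small certificate generated in the test with crypto/x509.CreateCertificate would cover it without another fixture file.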
@@ -308,4 +308,20 @@ var _ = Describe("notation sign", func() { MatchErrKeyWords("Error: x509: malformed certificate") }) }) + + It("with more than certificates in tsa root certificate file", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "CertChain.pem"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("find more than one certificates"). + MatchErrKeyWords("Expecting one x509 certificate in PEM or DER format from the file") + }) + }) + + It("with empty tsa root certificate file", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "empty.txt"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("cannot find any certificate from"). + MatchErrKeyWords("Expecting one x509 certificate in PEM or DER format from the file") + }) + }) }) diff --git a/test/e2e/testdata/config/timestamp/CertChain.pem b/test/e2e/testdata/config/timestamp/CertChain.pem new file mode 100644 index 000000000..ca25a329b --- /dev/null +++ b/test/e2e/testdata/config/timestamp/CertChain.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIBljCCATugAwIBAgIQJOyDt70f+HOyQMEt06yvpjAKBggqhkjOPQQDAjAkMRAw +DgYDVQQKEwdBY21lIENvMRAwDgYDVQQDEwdSb290IENBMB4XDTIyMDcyMjA1MjEz +N1oXDTIzMDcyMjA1MjEzN1owKDEQMA4GA1UEChMHQWNtZSBDbzEUMBIGA1UEAwwL +dGVzdF9jZXJ0XzEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATnf3lSRtUYOeph +UQZvUm5niB8kpm7kn6iAm2zwCTBeqKbUtgESCbN+x6TTpWZIaEo+CDu1rPUdicB3 +FUwXNzz8o0swSTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw +DAYDVR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwCgYIKoZIzj0EAwID +SQAwRgIhAMgdV/zJnwK0J4ZBXZVwAB6abpgNcESFScDeQQyIzRs8AiEAjjLTfkXp +CuoXnu5/hYy6Li7Smw3UbW3XKkekOELMFYo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBnjCCAUOgAwIBAgIQBUvhbMcjM35qmJzncyZ5tzAKBggqhkjOPQQDAjAkMRAw +DgYDVQQKEwdBY21lIENvMRAwDgYDVQQDEwdSb290IENBMB4XDTIyMDcyMjA1MjEz +N1oXDTIzMDcyMjA1MjEzN1owJDEQMA4GA1UEChMHQWNtZSBDbzEQMA4GA1UEAxMH +Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGmby5GUiBDR+Ge+s/R9 +EqOfoDwEdDBPYU0emJg8j8CPJGM0ldalI1Sk7YMTIi34clvfTqEixE7nDwQj8FjQ +VvCjVzBVMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTcOHZMx0z3I9Hi8oa2Kp0umdXOsTAKBggq +hkjOPQQDAgNJADBGAiEArHTaO3f6vaiI+4IOrR7SYSzeHIAqoFAWFcf1yOzxDA4C +IQDRcDIPWJd7pXvFJT/Q++Vkq9QuUhqrigCQDkgksnxf5w== +-----END CERTIFICATE----- diff --git a/test/e2e/testdata/config/timestamp/Empty.txt b/test/e2e/testdata/config/timestamp/Empty.txt new file mode 100644 index 000000000..e69de29bb From 5c177c0712ca2b970965ec27fa47f6bf98866713 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 11:19:06 +0800 Subject: [PATCH 72/80] fix E2E test Signed-off-by: Patrick Zheng --- test/e2e/suite/command/sign.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index c226b6b8d..89efcc077 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
@@ -319,7 +319,7 @@ var _ = Describe("notation sign", func() { It("with empty tsa root certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "empty.txt"), artifact.ReferenceWithDigest()). + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "Empty.txt"), artifact.ReferenceWithDigest()). MatchErrKeyWords("cannot find any certificate from"). MatchErrKeyWords("Expecting one x509 certificate in PEM or DER format from the file") }) From 7c44b3e846b6481c5f2049a66f20ce49ead472d1 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 11:31:27 +0800 Subject: [PATCH 73/80] update Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index d57a1ab3a..b6cf12618 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -28,6 +28,7 @@ import ( "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" "github.com/notaryproject/notation/internal/httputil" + nx509 "github.com/notaryproject/notation/internal/x509" "github.com/notaryproject/tspclient-go" ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/spf13/cobra" 
@@ -230,13 +231,22 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio return notation.SignOptions{}, err } if len(rootCerts) == 0 { - return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting one x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting one x509 root CA certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } if len(rootCerts) > 1 { - return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting one x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting one x509 root CA certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + } + tsaRootCert := rootCerts[0] + isRoot, err := nx509.IsRootCertificate(tsaRootCert) + if err != nil { + return notation.SignOptions{}, fmt.Errorf("failed to check root certificate with error: %w", err) + } + if !isRoot { + return notation.SignOptions{}, fmt.Errorf("cannot find root CA certificate from %q. Expecting one x509 root CA certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + } rootCAs := x509.NewCertPool() - rootCAs.AddCert(rootCerts[0]) + rootCAs.AddCert(tsaRootCert) signOpts.TSARootCAs = rootCAs } return signOpts, nil From 6aafe3483ce839d40ddc01a2160c5e435197fd1b Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 11:32:29 +0800 Subject: [PATCH 74/80] update Signed-off-by: Patrick Zheng --- test/e2e/suite/command/sign.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 89efcc077..c986fcbe2 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
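Review bot: When the operator passes an intermediate, or any certificate whose self-signature does not verify, the new `err != nil` branch surfaces the raw library error as `failed to check root certificate with error: crypto/rsa: verification error`, which gives no hint about what was wrong with the file, while the structurally identical `!isRoot` case right below it gets actionable guidance. I would give both branches the same wording and keep the cause inspectable, e.g. `return notation.SignOptions{}, fmt.Errorf("certificate from %q is not a root certificate: %w. Expecting one x509 root CA certificate in PEM or DER format from the file", opts.tsaRootCertificatePath, err)`. prepareSigningOpts starts and ends outside this hunk.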
@@ -313,7 +313,7 @@ var _ = Describe("notation sign", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "CertChain.pem"), artifact.ReferenceWithDigest()). MatchErrKeyWords("find more than one certificates"). - MatchErrKeyWords("Expecting one x509 certificate in PEM or DER format from the file") + MatchErrKeyWords("Expecting one x509 root CA certificate in PEM or DER format from the file") }) }) @@ -321,7 +321,7 @@ var _ = Describe("notation sign", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "Empty.txt"), artifact.ReferenceWithDigest()). MatchErrKeyWords("cannot find any certificate from"). - MatchErrKeyWords("Expecting one x509 certificate in PEM or DER format from the file") + MatchErrKeyWords("Expecting one x509 root CA certificate in PEM or DER format from the file") }) }) }) From 26bc1d3a28b1ca63029e23533c291c1bc73df739 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 13:01:55 +0800 Subject: [PATCH 75/80] updated E2E tests Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 6 ++--- test/e2e/suite/command/sign.go | 24 ++++++++++++------- .../config/timestamp/intermediate.pem | 17 +++++++++++++ 3 files changed, 36 insertions(+), 11 deletions(-) create mode 100644 test/e2e/testdata/config/timestamp/intermediate.pem diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index b6cf12618..6fb302a0a 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -231,10 +231,10 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio return notation.SignOptions{}, err } if len(rootCerts) == 0 { - return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting one x509 root CA certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting one x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } if len(rootCerts) > 1 { - return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting one x509 root CA certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting one x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } tsaRootCert := rootCerts[0] isRoot, err := nx509.IsRootCertificate(tsaRootCert) @@ -242,7 +242,7 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio return notation.SignOptions{}, fmt.Errorf("failed to check root certificate with error: %w", err) } if !isRoot { - return notation.SignOptions{}, fmt.Errorf("cannot find root CA certificate from %q. Expecting one x509 root CA certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("certificate from %q is not a root certificate. Expecting one x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } rootCAs := x509.NewCertPool() diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index c986fcbe2..e147f1e0b 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
@@ -280,21 +280,21 @@ var _ = Describe("notation sign", func() { }) }) - It("with empty tsa server", func() { + It("with timestamping and empty tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: timestamping: tsa url cannot be empty") }) }) - It("with empty tsa root cert", func() { + It("with timestamping and empty tsa root cert", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "dummy", "--timestamp-root-cert", "", artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: timestamping: tsa root certificate path cannot be empty") }) }) - It("with invalid tsa server", func() { + It("with timestamping and invalid tsa server", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://invalid.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: timestamp: Post \"http://invalid.com\""). 
@@ -302,26 +302,34 @@ var _ = Describe("notation sign", func() { }) }) - It("with invalid tsa root certificate", func() { + It("with timestamping and invalid tsa root certificate", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "invalid.crt"), artifact.ReferenceWithDigest()). MatchErrKeyWords("Error: x509: malformed certificate") }) }) - It("with more than certificates in tsa root certificate file", func() { + It("with timestamping and more than one certificates in tsa root certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "CertChain.pem"), artifact.ReferenceWithDigest()). MatchErrKeyWords("find more than one certificates"). - MatchErrKeyWords("Expecting one x509 root CA certificate in PEM or DER format from the file") + MatchErrKeyWords("Expecting one x509 root certificate in PEM or DER format from the file") }) }) - It("with empty tsa root certificate file", func() { + It("with timestamping and empty tsa root certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "Empty.txt"), artifact.ReferenceWithDigest()). MatchErrKeyWords("cannot find any certificate from"). 
- MatchErrKeyWords("Expecting one x509 root CA certificate in PEM or DER format from the file") + MatchErrKeyWords("Expecting one x509 root certificate in PEM or DER format from the file") + }) + }) + + It("with timestamping and intermediate certificate file", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "intermediate.pem"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("is not a root certificate"). + MatchErrKeyWords("Expecting one x509 root certificate in PEM or DER format from the file") }) }) }) diff --git a/test/e2e/testdata/config/timestamp/intermediate.pem b/test/e2e/testdata/config/timestamp/intermediate.pem new file mode 100644 index 000000000..83e1ccece --- /dev/null +++ b/test/e2e/testdata/config/timestamp/intermediate.pem 
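Review bot: The new "with timestamping and intermediate certificate file" case expects `is not a root certificate`, but for this intermediate.pem (same blob 83e1ccece as internal/testdata/intermediate.pem) the self-signature check inside IsRootCertificate fails with a verification error — the unit test in internal/x509/cert_test.go pins exactly that — and prepareSigningOpts reports such an error as `failed to check root certificate with error: ...`, not as the `!isRoot` message. Unless the error path is changed to share that wording, this expectation will not match; the following commit is titled "fixed E2E tests" and adds a notSelfIssued.crt, so it may already be addressed there. Keeping a second case with a valid self-signature but a non-CA or non-self-issued subject would pin the `!isRoot` branch explicitly, and the intermediate case could then match `failed to check root certificate` instead.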
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 +MCAXDTIyMDYzMDE5MjAwM1oYDzMwMjExMDMxMTkyMDAzWjAYMRYwFAYDVQQDDA1J +bnRlcm1lZGlhdGUxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1JTs +aiC/7+bho43kMVyHDwCsuocYp4PvYahB59NsKDR4QbrImU5ziaQ94D0DQqthe9pm +qOW0SxN/vSRJAZFELxacrB9hc1y4MjiDYaRSt/LVx7astylBV/QRpmxWSEqp0Avu +6nMJivIa1sD0WIEchizx6jG9BI5ULr9LbJICYvMgDalQR+0JGG+rKWnf1mPZyxEu +9zEh215LCg5K56P3W5kC8fKBXSdSgTqZAvHzp6u78qet9S8gARtOEfS03A/7y7MC +U0Sn2wdQyQdci0PBsR2sTZvUw179Cr93r5aRbb3I6jXgMWHAP2vvIndb9CM9ePyY +yEy4Je7oWVVfMQ3CWQIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud +DwEB/wQEAwICBDANBgkqhkiG9w0BAQsFAAOCAQEALR0apUQVbWGmagLUz4Y/bRsl +mY9EJJXCiLuSxVWd3offjZfQTlGkQkCAW9FOQnm7JhEtaaHF1+AEVLo56/Gsd/hk +sXsrBagYGi72jun7QTb6j7iZ3X9zanrP3SjdkpjVnqxRfH83diSh0r68Xruq1NSK +qhUy1V+KQaXF0SSEutPqdTCoXUyxyXohVLU78uqZX/jx9Nc1XDuW9AZd+hMsLdk8 +qGJqHYFvj2vOHGMTeYk8dWgMBthQeL0wdsg2AvKtAvn6FQXCN7mKCWjpFTtYsU8v +NsesS9M/i+geJjR/8/DDT3RP7S100BtCMm4XfHfmKcjXVaBh5evQVqGsa6TKLw== +-----END CERTIFICATE----- \ No newline at end of file From 7b996ec0ccc7f99a4f2967ef25ee063355a445b5 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 13:59:06 +0800 Subject: [PATCH 76/80] fixed E2E tests Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 6 ++--- internal/testdata/notSelfIssued.crt | 21 +++++++++++++++ internal/x509/cert_test.go | 13 ++++++++++ test/e2e/suite/command/sign.go | 26 ++++++++++++------- .../config/timestamp/notSelfIssued.crt | 21 +++++++++++++++ 5 files changed, 74 insertions(+), 13 deletions(-) create mode 100644 internal/testdata/notSelfIssued.crt create mode 100644 test/e2e/testdata/config/timestamp/notSelfIssued.crt diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 6fb302a0a..444aac96b 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -231,10 +231,10 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio return notation.SignOptions{}, err } if len(rootCerts) == 0 { - return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting one x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } if len(rootCerts) > 1 { - return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting one x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } tsaRootCert := rootCerts[0] isRoot, err := nx509.IsRootCertificate(tsaRootCert) @@ -242,7 +242,7 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio return notation.SignOptions{}, fmt.Errorf("failed to check root certificate with error: %w", err) } if !isRoot { - return notation.SignOptions{}, fmt.Errorf("certificate from %q is not a root certificate. Expecting one x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) + return notation.SignOptions{}, fmt.Errorf("certificate from %q is not a root certificate. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath) } rootCAs := x509.NewCertPool() diff --git a/internal/testdata/notSelfIssued.crt b/internal/testdata/notSelfIssued.crt new file mode 100644 index 000000000..8f53e9ad5 --- /dev/null +++ b/internal/testdata/notSelfIssued.crt 
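Review bot: The sentence `Expecting single x509 root certificate in PEM or DER format from the file` is now repeated verbatim in three `fmt.Errorf` calls across the two hunks, and the e2e suite matches it as a substring, so a one-word edit in one branch silently breaks the others. Hoist it into a package-level constant, e.g. `const tsaRootCertHint = "Expecting single x509 root certificate in PEM or DER format from the file"`, and build each message from it. Separately, for a CA certificate that is not self-signed, `nx509.IsRootCertificate` appears to return the signature error before the `!isRoot` branch is reached, so the user sees `failed to check root certificate with error: ...` instead of the `is not a root certificate` hint; if that is intended, the `%w` wrapping could carry the same hint. `prepareSigningOpts` begins and ends outside the hunks.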
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJVUzEJ +MAcGA1UECBMAMQkwBwYDVQQHEwAxDzANBgNVBAoTBk5vdGFyeTENMAsGA1UEAxME +dGVzdDAeFw0yNDA3MjIwNTIwMzZaFw0yNDA4MjIwNTIwMzZaMEwxCzAJBgNVBAYT +AlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEPMA0GA1UEChMGTm90 +YXJ5MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAp7XmYGf3p4JS/y5v6AIc/TxQvPTwIRxVmctNmDm5kG3LDUoGAAJbicTUfI/0 +Un38j/PlHNKQz9hKPwV+oYotKuQrVhaA2fft+INl36tvgCAPr8yX3ToOMCLr/UlT +zQ7o9TB7IpnVT9DR9uik9MWfkz0Db5ARG1POquvSy2QM5wseEA58313YJ/7Em/Cq +FCH5s9THCfQKpb09MZ/RTEggNqU4zGADah8e1KieYeZntM/hrw7sW5oeUueKG4D4 +3kvL8o7n1k6C+w8LwaOGhYXCQ51JxTE3lnmTrDdFRuKGObpNFNbLxdJPVLuHT1Nu +bwVxj5APBJQyEyja3jJ9qLQANwIDAQABo1owWDAOBgNVHQ8BAf8EBAMCAgQwEwYD +VR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU +yPScYtI4hs0+ibHaRV9BsgY734AwDQYJKoZIhvcNAQELBQADggEBABJHh3NELq1b +jcJiJX76DwDTx+FGGN96/+T5622FGg1kHeAwuxS6pQODJNrVofbrhGAqaXTDT/Tz +0b0AA5XCohmBFZQRwMh+C5QkFiIcZ9VMMBc6KTQT8DEgjI6Qo/OW2TDGOoFuAhmh +4a1ACHszuHS55Th+0TKLqeZNA6DnL9IBm0RX1FJXbqhjX52ZnRH3Zqe7uML+kxKt +LUdfnxHrpA1G2ugyAj+K7K6vth5QpezwCS1PZD2s5vlJd6clawxm5qRyyU46ow/y +7bpTSEyg6PIWWh/qv4O2t4NMa1OoRkIXx/ppsKH9XwbRg/WZ0VWlGVS6GxBtLSpG +tkyaxSRLdz0= +-----END CERTIFICATE----- diff --git a/internal/x509/cert_test.go b/internal/x509/cert_test.go index 780812629..3fb7fd7e4 100644 --- a/internal/x509/cert_test.go +++ b/internal/x509/cert_test.go 
@@ -51,4 +51,17 @@ func TestIsRootCertificate(t *testing.T) {
 if err == nil || err.Error() != expectedErrMsg {
 t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
 }
+
+ notSelfIssued, err := corex509.ReadCertificateFile("../testdata/notSelfIssued.crt")
+ if err != nil {
+ t.Fatal(err)
+ }
+ expectedErrMsg = "x509: invalid signature: parent certificate cannot sign this kind of certificate"
+ isRoot, err = IsRootCertificate(notSelfIssued[0])
+ if err != nil {
+ t.Fatal(err)
+ }
+ if isRoot {
+ t.Fatal("expected IsRootCertificate to return false")
+ }
 }
diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go
index e147f1e0b..ccb0a69ba 100644
--- a/test/e2e/suite/command/sign.go
+++ b/test/e2e/suite/command/sign.go
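Review bot: `expectedErrMsg` is reassigned to `"x509: invalid signature: parent certificate cannot sign this kind of certificate"` in the added lines but never read again: the `if err != nil { t.Fatal(err) }` that follows expects no error at all, and the message is only compared in the earlier case above. Either drop the assignment or, if the fixture was meant to fail `CheckSignatureFrom`, compare `err.Error()` against it as the earlier case does. A short comment on the fixture would also help, e.g. `// notSelfIssued.crt presumably verifies under its own key but its issuer differs from its subject, so it must be reported as not-root without an error.` The body of `TestIsRootCertificate` starts outside the hunk.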
@@ -309,27 +309,33 @@ var _ = Describe("notation sign", func() { }) }) - It("with timestamping and more than one certificates in tsa root certificate file", func() { + It("with timestamping and empty tsa root certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "CertChain.pem"), artifact.ReferenceWithDigest()). - MatchErrKeyWords("find more than one certificates"). - MatchErrKeyWords("Expecting one x509 root certificate in PEM or DER format from the file") + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "empty.txt"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("cannot find any certificate from"). + MatchErrKeyWords("Expecting single x509 root certificate in PEM or DER format from the file") }) }) - It("with timestamping and empty tsa root certificate file", func() { + It("with timestamping and more than one certificates in tsa root certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "Empty.txt"), artifact.ReferenceWithDigest()). - MatchErrKeyWords("cannot find any certificate from"). - MatchErrKeyWords("Expecting one x509 root certificate in PEM or DER format from the file") + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "certChain.pem"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("find more than one certificates"). 
+ MatchErrKeyWords("Expecting single x509 root certificate in PEM or DER format from the file") }) }) It("with timestamping and intermediate certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "intermediate.pem"), artifact.ReferenceWithDigest()). - MatchErrKeyWords("is not a root certificate"). - MatchErrKeyWords("Expecting one x509 root certificate in PEM or DER format from the file") + MatchErrKeyWords("failed to check root certificate with error: crypto/rsa: verification error") + }) + }) + + It("with timestamping and not self-issued certificate file", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "notSelfIssued.crt"), artifact.ReferenceWithDigest()). + MatchErrKeyWords("is not a root certificate. Expecting single x509 root certificate in PEM or DER format from the file") }) }) }) diff --git a/test/e2e/testdata/config/timestamp/notSelfIssued.crt b/test/e2e/testdata/config/timestamp/notSelfIssued.crt new file mode 100644 index 000000000..8f53e9ad5 --- /dev/null +++ b/test/e2e/testdata/config/timestamp/notSelfIssued.crt 
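Review bot: The intermediate-certificate case now pins `MatchErrKeyWords("failed to check root certificate with error: crypto/rsa: verification error")`, where the second half is the Go standard library's `crypto/rsa` error text rather than a string notation controls; a toolchain update that rewords it, or a fixture re-issued with a non-RSA key, fails this test without any product regression. Match only the prefix notation owns, `MatchErrKeyWords("failed to check root certificate with error:")`, and keep the fixture-specific detail out of the assertion. The enclosing `Describe("notation sign", ...)` block starts and ends outside the hunk.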
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJVUzEJ +MAcGA1UECBMAMQkwBwYDVQQHEwAxDzANBgNVBAoTBk5vdGFyeTENMAsGA1UEAxME +dGVzdDAeFw0yNDA3MjIwNTIwMzZaFw0yNDA4MjIwNTIwMzZaMEwxCzAJBgNVBAYT +AlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEPMA0GA1UEChMGTm90 +YXJ5MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAp7XmYGf3p4JS/y5v6AIc/TxQvPTwIRxVmctNmDm5kG3LDUoGAAJbicTUfI/0 +Un38j/PlHNKQz9hKPwV+oYotKuQrVhaA2fft+INl36tvgCAPr8yX3ToOMCLr/UlT +zQ7o9TB7IpnVT9DR9uik9MWfkz0Db5ARG1POquvSy2QM5wseEA58313YJ/7Em/Cq +FCH5s9THCfQKpb09MZ/RTEggNqU4zGADah8e1KieYeZntM/hrw7sW5oeUueKG4D4 +3kvL8o7n1k6C+w8LwaOGhYXCQ51JxTE3lnmTrDdFRuKGObpNFNbLxdJPVLuHT1Nu +bwVxj5APBJQyEyja3jJ9qLQANwIDAQABo1owWDAOBgNVHQ8BAf8EBAMCAgQwEwYD +VR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU +yPScYtI4hs0+ibHaRV9BsgY734AwDQYJKoZIhvcNAQELBQADggEBABJHh3NELq1b +jcJiJX76DwDTx+FGGN96/+T5622FGg1kHeAwuxS6pQODJNrVofbrhGAqaXTDT/Tz +0b0AA5XCohmBFZQRwMh+C5QkFiIcZ9VMMBc6KTQT8DEgjI6Qo/OW2TDGOoFuAhmh +4a1ACHszuHS55Th+0TKLqeZNA6DnL9IBm0RX1FJXbqhjX52ZnRH3Zqe7uML+kxKt +LUdfnxHrpA1G2ugyAj+K7K6vth5QpezwCS1PZD2s5vlJd6clawxm5qRyyU46ow/y +7bpTSEyg6PIWWh/qv4O2t4NMa1OoRkIXx/ppsKH9XwbRg/WZ0VWlGVS6GxBtLSpG +tkyaxSRLdz0= +-----END CERTIFICATE----- From 7aef357d8b280a9c224fee1f0414bcbd91ab802c Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 14:04:36 +0800 Subject: [PATCH 77/80] fixed E2E tests Signed-off-by: Patrick Zheng --- test/e2e/suite/command/sign.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index ccb0a69ba..14447d6e1 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
@@ -311,7 +311,7 @@ var _ = Describe("notation sign", func() { It("with timestamping and empty tsa root certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "empty.txt"), artifact.ReferenceWithDigest()). + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "Empty.txt"), artifact.ReferenceWithDigest()). MatchErrKeyWords("cannot find any certificate from"). MatchErrKeyWords("Expecting single x509 root certificate in PEM or DER format from the file") }) @@ -319,7 +319,7 @@ var _ = Describe("notation sign", func() { It("with timestamping and more than one certificates in tsa root certificate file", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "certChain.pem"), artifact.ReferenceWithDigest()). + notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "CertChain.pem"), artifact.ReferenceWithDigest()). MatchErrKeyWords("find more than one certificates"). MatchErrKeyWords("Expecting single x509 root certificate in PEM or DER format from the file") }) From 31967114d83ceaec95c43ef9a4c6168e082baa77 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 14:35:05 +0800 Subject: [PATCH 78/80] fixed E2E tests Signed-off-by: Patrick Zheng --- cmd/notation/sign.go | 2 +- test/e2e/suite/command/sign.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 444aac96b..40c951028 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -234,7 +234,7 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio
 return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
 }
 if len(rootCerts) > 1 {
- return notation.SignOptions{}, fmt.Errorf("find more than one certificates from %q. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
+ return notation.SignOptions{}, fmt.Errorf("found more than one certificates from %q. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
 }
 tsaRootCert := rootCerts[0]
 isRoot, err := nx509.IsRootCertificate(tsaRootCert)
diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go
index 14447d6e1..334e27e25 100644
--- a/test/e2e/suite/command/sign.go
+++ b/test/e2e/suite/command/sign.go
@@ -320,7 +320,7 @@ var _ = Describe("notation sign", func() {
 It("with timestamping and more than one certificates in tsa root certificate file", func() {
 Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "CertChain.pem"), artifact.ReferenceWithDigest()).
- MatchErrKeyWords("find more than one certificates").
+ MatchErrKeyWords("found more than one certificates").
 MatchErrKeyWords("Expecting single x509 root certificate in PEM or DER format from the file")
 })
 })
From cafc2e1616dd7069f642ba1e19f6a8a5c91c081d Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Mon, 22 Jul 2024 14:39:39 +0800
Subject: [PATCH 79/80] updated dependencies
Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- test/e2e/plugin/go.mod | 2 +- test/e2e/plugin/go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 444b3f597..8989c6da8 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.22 require ( github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b - github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b + github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 diff --git a/go.sum b/go.sum index e40a11dc3..d3b526db0 100644 --- a/go.sum +++ b/go.sum 
@@ -37,8 +37,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw= github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY= -github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc= -github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= +github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a h1:o3kYOcQii0dMaDKdxnr1wPlEskXHHkDZDDb3kuss+W0= +github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a/go.mod h1:FwHtZC29bBvFdJu0NYM5MHxSrHJGwhkPRvEgevNo9wo= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 21f7839a9..baf48309a 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -5,7 +5,7 @@ go 1.21 require ( github.com/golang-jwt/jwt v3.2.2+incompatible github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b - github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b + github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a github.com/notaryproject/notation-plugin-framework-go v1.0.0 github.com/spf13/cobra v1.7.0 ) diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index ee6207dd3..576f3b6ec 100644 --- a/test/e2e/plugin/go.sum 
+++ b/test/e2e/plugin/go.sum @@ -39,8 +39,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw= github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY= -github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc= -github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI= +github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a h1:o3kYOcQii0dMaDKdxnr1wPlEskXHHkDZDDb3kuss+W0= +github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a/go.mod h1:FwHtZC29bBvFdJu0NYM5MHxSrHJGwhkPRvEgevNo9wo= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= From b05572bb820736aa9d728bffb99abeb6ce4b8579 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 22 Jul 2024 18:06:32 +0800 Subject: [PATCH 80/80] updated per code review Signed-off-by: Patrick Zheng --- internal/x509/cert.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/internal/x509/cert.go b/internal/x509/cert.go index d3e8a38f9..c72ef76c4 100644 --- a/internal/x509/cert.go +++ b/internal/x509/cert.go 
@@ -19,12 +19,10 @@ import (
 )
 
 // IsRootCertificate returns true if cert is a root certificate.
-// A root certificate MUST be a self-signed and self-issued CA certificate with
-// valid BasicConstraints.
+// A root certificate MUST be a self-signed and self-issued certificate.
 func IsRootCertificate(cert *x509.Certificate) (bool, error) {
- // CheckSignatureFrom also checks cert.BasicConstraintsValid
 if err := cert.CheckSignatureFrom(cert); err != nil {
 return false, err
 }
- return cert.IsCA && bytes.Equal(cert.RawSubject, cert.RawIssuer), nil
+ return bytes.Equal(cert.RawSubject, cert.RawIssuer), nil
 }
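Review bot: The new doc comment says only `self-signed and self-issued`, but the function still goes through `cert.CheckSignatureFrom(cert)`, which rejects a parent that is not a valid CA (the sibling test's expected message `x509: invalid signature: parent certificate cannot sign this kind of certificate` relies on exactly that), so the CA/BasicConstraints requirement is still part of the contract and was only removed from the documentation. Replace the comment with something like `// IsRootCertificate returns true if cert is a root certificate: a self-issued certificate whose signature verifies under its own key. CheckSignatureFrom additionally requires cert to be a CA with valid BasicConstraints; a certificate that fails either check is reported as an error, not as false.` (three lines). It is also worth stating that a certificate which is merely not self-signed yields an error rather than `false, nil`, since the sign command wraps and surfaces that error verbatim.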