Conversation
SteveLasker left a comment
Great updates for the signature format.
I did have one question on the mediaType parameter.
```text
--username value, -u value   username for generic remote access
--password value, -p value   password for generic remote access
--insecure                   enable insecure remote access (default: false)
--media-type value           specify the media type of the manifest read from file or stdin (default: "application/vnd.docker.distribution.manifest.v2+json")
```
Curious why we need to specify the mediaType. Does it matter when evaluating an nv2 signature?
When the manifest comes from a file or stdin, nv2 does not know the media type of the manifest. It can be a Docker manifest, an OCI manifest, or even a list. Therefore, you need to specify the media type. If you get the manifest by docker:// or oci:, nv2 will set the media type for you.
Since the media type is there with size and digest, it is also verified when evaluating an nv2 signature.
I'm not sure I follow the flow. It seems we're asking for a redundant parameter as the user is specifying the reference, either oci:// and the named reference. We can quickly determine if it's an index or manifest.
Assuming we really need it, can we make it --mediaType?
But, I'm still wondering why.
Signed-off-by: Shiwei Zhang <shizh@microsoft.com>
* Initial prototype
* Distribution api proposal
* Formatting fix
* JWT based system (#16)
* Fix paging api link
* Resolve spelling errors
* Fix examples to include full descriptor
* Use library implementation
* refactor network transport
* add makefile
* update dependency
* push signature support
* pull signature support
* integrate sign and push
* no output on sign-then-push by default
* better ux for signature info
* make install better
* update notary library
* update dependencies
* Multiple signatures support (#52)
* pull signatures when pulling images (#54)
* Explicit add original references when signing (#57)
* create parent folders before create config file (#59)
* Add git clone steps to building.md
* Ci 2 (#49)
* Add basic workflow that compiles the binary
* Add dependabot for Go dependencies
* Add dependabot for github-actions
* Update workflow to use Makefile
* extract `list` from `pull --peek`
* rename digest to sigDigests for code readability
* update doc for building
* refine doc for building
* plain http in config
* no default trust on generated cert
* clean up media type
* refine docker-notation
* cached pull
* refactor notation code
* fix reference print
* refactor docker-notation code
* compare registry host case insensitively
* refine docker-notation pull output
* safer prune
* prepare for v0.5.2 release
* update notation-go-lib dependency
* update release for go releaser
* update notation-go-lib dependency
* make github workflow consistent
* output stderr for docker-generate
* move implementations to the correct package
* Include .editorconfig compatible with go fmt
* Run CI on go 1.16
* Since go 1.16 some ioutil functions are deprecated and moved into the io package. Therefore can't build with previous versions of Go anymore
* Add help task to Makefile
* Add CI status badge
* Notation CLI Alpha
* bump notation-go-lib
* prepare for 0.5.1 release
* refine notation sign
* Bump actions/cache from 2.1.4 to 2.1.6
* Bumps [actions/cache](https://github.com/actions/cache) from 2.1.4 to 2.1.6.
* [Release notes](https://github.com/actions/cache/releases)
* [Commits](actions/cache@v2.1.4...v2.1.6)

This is a joint commit of
- Shiwei Zhang
- Aviral Takkar
- Sajay Antony
- Steve Lasker
- Marco Franssen

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Signed-off-by: Shiwei Zhang <shizh@microsoft.com>
Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
In this PR, the signature is basically a JWT. Therefore, the signature file is no longer a JSON file.
Additionally, media type is required for the manifest and is verified.
Signed-off-by: Shiwei Zhang shizh@microsoft.com
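The reply above explains that the media type sits next to size and digest in the signed descriptor, and the PR description repeats that it is verified. The following Go snippet is an added illustration of that binding, not code from the nv2/notation project: `Descriptor`, `DescribeManifest` and `VerifyDescriptor` are hypothetical names, and the manifest bytes are constructed for the example. It shows why a manifest read from stdin needs an explicit `--media-type`: the same bytes described with a different media type no longer match the signed descriptor.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Descriptor holds the three fields an nv2 signature binds to a manifest:
// media type, digest and size. Hypothetical type for this example.
type Descriptor struct {
	MediaType string
	Digest    string
	Size      int64
}

// DescribeManifest builds the descriptor for raw manifest bytes. When the
// manifest is read from a file or stdin the caller must supply mediaType,
// because the bytes alone do not tell Docker and OCI manifests apart.
func DescribeManifest(manifest []byte, mediaType string) Descriptor {
	sum := sha256.Sum256(manifest)
	return Descriptor{
		MediaType: mediaType,
		Digest:    "sha256:" + hex.EncodeToString(sum[:]),
		Size:      int64(len(manifest)),
	}
}

// VerifyDescriptor recomputes the descriptor for the manifest the verifier
// actually holds and compares every field with the signed one. A mismatch
// in any field, including the media type, rejects the signature.
func VerifyDescriptor(signed Descriptor, manifest []byte, mediaType string) error {
	got := DescribeManifest(manifest, mediaType)
	if got != signed {
		return fmt.Errorf("descriptor mismatch: signed %+v, got %+v", signed, got)
	}
	return nil
}

func main() {
	// Constructed sample manifest; a real one carries config and layers.
	manifest := []byte(`{"schemaVersion":2,"layers":[]}`)
	docker := "application/vnd.docker.distribution.manifest.v2+json"
	oci := "application/vnd.oci.image.manifest.v1+json"
	signed := DescribeManifest(manifest, docker)
	fmt.Println("same media type:     ", VerifyDescriptor(signed, manifest, docker))
	fmt.Println("different media type:", VerifyDescriptor(signed, manifest, oci))
}
```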