feat: add sign blob commands #856
Conversation
rrsemlani
requested review from
gokarnm,
JeyJeyGao,
justincormack,
NiazFK,
priteshbandi,
rgnote,
shizhMSFT,
SteveLasker and
Two-Hearts
as code owners
Signed-off-by: Rishab Semlani <rrsemlani@gmail.com>
rrsemlani
force-pushed
the
rsemlani_notation
branch
from
ad53a80
to
2ed55c6
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #856 +/- ##
==========================================
+ Coverage 64.09% 64.45% +0.35%
==========================================
Files 40 46 +6
Lines 2284 2788 +504
==========================================
+ Hits 1464 1797 +333
- Misses 698 835 +137
- Partials 122 156 +34 ☔ View full report in Codecov by Sentry. |
cmd/notation/main.go
Outdated
| @@ -35,6 +35,7 @@ func main() { | |||
| } | |||
| cmd.AddCommand( | |||
| signCommand(nil), | |||
| blobSignCommand(nil), | |||
There was a problem hiding this comment.
nit: put all blob commends at one place for readability
cmd/notation/blob.go
Outdated
| "github.com/spf13/cobra" | ||
| ) | ||
|
|
||
| func blobSignCommand(opts *signOpts) *cobra.Command { |
There was a problem hiding this comment.
signOpts defined in sign.go has more flags than what is needed for notation blob sign command. Can we have a separate signOpts for blob signing?
cmd/notation/blob.go
Outdated
| func blobSignCommand(opts *signOpts) *cobra.Command { | ||
| if opts == nil { | ||
| opts = &signOpts{ | ||
| inputType: inputTypeRegistry, // remote registry by default |
There was a problem hiding this comment.
Registries do not apply to blobs. Lets remove this.
cmd/notation/blob.go
Outdated
| inputType: inputTypeRegistry, // remote registry by default | ||
| } | ||
| } | ||
| longMessage := `Sign artifacts |
There was a problem hiding this comment.
Can you use the log message as is from notation blob sign section in https://github.com/notaryproject/notation/pull/811/files?diff=unified&w=0?
cmd/notation/blob.go
Outdated
| ` | ||
|
|
||
| command := &cobra.Command{ | ||
| Use: "blob sign [flags] <reference>", |
cmd/notation/blob.go
Outdated
| longMessage := `Inspect all signatures associated with the signed artifact. | ||
|
|
||
| Example - Inspect signatures on an BLOB artifact identified by a digest: | ||
| notation blob inspect <registry>/<repository>@<digest> |
Signed-off-by: Rishab Semlani <rrsemlani@gmail.com>
cmd/notation/blob.go
Outdated
| @@ -0,0 +1,232 @@ | |||
| // Copyright The Notary Project Authors. | |||
There was a problem hiding this comment.
Please move this inside blob directory similar to cert, plugin etc. Also, rename file to sign.go.
cmd/notation/blob.go
Outdated
| type blobOpts struct { | ||
| cmd.LoggingFlagOpts | ||
| cmd.SignerFlagOpts | ||
| SecureFlagOpts |
There was a problem hiding this comment.
Do we need SecureFlagOpts ?
cmd/notation/blob.go
Outdated
| pluginConfig []string | ||
| userMetadata []string | ||
| blobPath string | ||
| signaturePath string |
There was a problem hiding this comment.
| signaturePath string | |
| signatureDirectory string |
cmd/notation/blob.go
Outdated
| Long: longMessage, | ||
| Args: func(cmd *cobra.Command, args []string) error { | ||
| if len(args) == 0 { | ||
| return errors.New("missing blob_path") |
There was a problem hiding this comment.
What is blob_path ? How will user interpret it?
cmd/notation/blob.go
Outdated
| desc ocispec.Descriptor | ||
| sigRepo registry.Repository |
There was a problem hiding this comment.
Why do we need this ?
cmd/notation/blob.go
Outdated
| userMetadata []string | ||
| blobPath string | ||
| signaturePath string | ||
| outputFormat string |
There was a problem hiding this comment.
are we missing option for some flags like --force ?
cmd/notation/blob.go
Outdated
|
|
||
| func blobSignCommand(opts *blobOpts) *cobra.Command { | ||
| if opts == nil { | ||
| opts = &blobOpts{} |
cmd/notation/blob.go
Outdated
| return blobOpts, nil | ||
| } | ||
|
|
||
| func blobInspectCommand(opts *blobOpts) *cobra.Command { |
There was a problem hiding this comment.
Please create new .go file for inspect.
cmd/notation/blob.go
Outdated
|
|
||
| output := inspectOutput{MediaType: opts.desc.MediaType, Signatures: []signatureOutput{}} | ||
|
|
||
| sigBlob, _, _ := opts.sigRepo.FetchSignatureBlob(ctx, opts.desc) |
There was a problem hiding this comment.
we dont have sigRepo in case of blob signing.
cmd/notation/notation
Outdated
There was a problem hiding this comment.
nit:
We should not include the go build notation binary in the PR.
Two-Hearts
changed the title
cmd/notation/blob.go
Outdated
| var errorPushSignatureFailed notation.ErrorPushSignatureFailed | ||
| if errors.As(err, &errorPushSignatureFailed) && strings.Contains(err.Error(), referrersTagSchemaDeleteError) { |
There was a problem hiding this comment.
For blob signing, there's no more notation.ErrorPushSignatureFailed and referrersTagSchemaDeleteError because they are OCI specific errors.
cmd/notation/notation
Outdated
cmd/notation/main.go
Outdated
| @@ -45,6 +46,7 @@ func main() { | |||
| logoutCommand(nil), | |||
| versionCommand(), | |||
| inspectCommand(nil), | |||
| blob.SignCommand(nil), | |||
There was a problem hiding this comment.
Please follow pattern likecert.Cmd, policy.Cmd().
rrsemlani
force-pushed
the
rsemlani_notation
branch
from
1c81aa3
to
211d186
Compare
rrsemlani
changed the title
rrsemlani
force-pushed
the
rsemlani_notation
branch
from
211d186
to
48102ef
Compare
rrsemlani
force-pushed
the
rsemlani_notation
branch
from
48102ef
to
440cfd1
Compare
Signed-off-by: Rishab Semlani <rrsemlani@gmail.com>
rrsemlani
force-pushed
the
rsemlani_notation
branch
from
440cfd1
to
696d4a4
Compare
| Long: longMessage, | ||
| Args: func(cmd *cobra.Command, args []string) error { | ||
| if len(args) == 0 { | ||
| return errors.New("missing blob file path to the artifact: use `notation blob sign --help` to see what parameters are required") |
There was a problem hiding this comment.
| return errors.New("missing blob file path to the artifact: use `notation blob sign --help` to see what parameters are required") | |
| return errors.New("missing file path use `notation blob sign --help` to see what parameters are required") |
| // Todo: we will need to replace signer with actual blob signer implementation in notation-go | ||
| // initialize |
There was a problem hiding this comment.
As discussed on Monday, for signing we dont need a TODO as code has already been merged on notation-go.
|
|
||
| // Todo: we will need to replace signer with actual blob signer implementation in notation-go | ||
| // initialize | ||
| signer, err := cmd.GetSigner(ctx, &cmdOpts.SignerFlagOpts) |
There was a problem hiding this comment.
cmd.GetSigner returns notation.Signer which doesnt supports for BlobSigning.
| blobOpts := notation.SignOptions{ | ||
| SignerSignOptions: notation.SignerSignOptions{ | ||
| SignatureMediaType: mediaType, | ||
| ExpiryDuration: opts.expiry, | ||
| PluginConfig: pluginConfig, | ||
| }, | ||
| UserMetadata: userMetadata, |
There was a problem hiding this comment.
Please use blob related opts
| if err != nil { | ||
| return err | ||
| } | ||
| contents, err := os.ReadFile(cmdOpts.blobPath) |
There was a problem hiding this comment.
Dont read file; pass the reader to SignBlob.
| return err | ||
| } | ||
| // core process | ||
| _, _, err = notation.SignBlob(ctx, signer, strings.NewReader(string(contents)), blobOpts) //PlaceHolder |
There was a problem hiding this comment.
Can we please add implementation to write signature file?
|
This PR is stale because it has been opened for 45 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days. |
Adding sign blob commands.
Spec Pr used for ref: #811