doc: update notation sign and verify spec for metadata #498
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Byron Chien <chienb@amazon.com>
byronchien
force-pushed
the
attestations
branch
from
4405424
to
9eebe91
Compare
byronchien
changed the title
priteshbandi
reviewed
Jan 3, 2023
Signed-off-by: Byron Chien <chienb@amazon.com>
byronchien
force-pushed
the
attestations
branch
from
1f4bcf5
to
c7c5128
Compare
Codecov Report
@@ Coverage Diff @@
## main #498 +/- ##
=======================================
Coverage 29.57% 29.57%
=======================================
Files 26 26
Lines 1515 1515
=======================================
Hits 448 448
Misses 1050 1050
Partials 17 17 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
shizhMSFT
changed the title
yizha1
reviewed
Jan 4, 2023
There was a problem hiding this comment.
Thanks @byronchien for the contribution. I have provided my comments.
shizhMSFT
reviewed
Jan 5, 2023
Signed-off-by: Byron Chien <chienb@amazon.com>
yizha1
approved these changes
Jan 6, 2023
specs/commandline/verify.md
Outdated
| An example of output messages for an unsuccessful verification: | ||
|
|
||
| ```text | ||
| Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 |
There was a problem hiding this comment.
If the verification failure is due to metadata, there should be error log like you shared under the debug logging.
"Error: specified metadata is not present in the signature."
Signed-off-by: Byron Chien <chienb@amazon.com>
specs/commandline/verify.md
Outdated
| @@ -16,6 +16,17 @@ Warning: The resolved digest may not point to the same signed artifact, since ta | |||
| Successfully verified signature for <registry>/<repository>@<digest> | |||
| ``` | |||
|
|
|||
| The signed descriptor may have user defined metadata attached. If the signature for the OCI artifact contains any metadata, the output message is as follows: | |||
There was a problem hiding this comment.
Suggested change
| The signed descriptor may have user defined metadata attached. If the signature for the OCI artifact contains any metadata, the output message is as follows: | |
| A signature can have user defined metadata. If the signature for the OCI artifact contains any metadata, the output message is as follows: |
specs/commandline/verify.md
Outdated
| ```text | ||
| Successfully verified signature for <registry>/<repository>@<digest> | ||
|
|
||
| The artifact is signed with the following user metadata. |
There was a problem hiding this comment.
Suggested change
| The artifact is signed with the following user metadata. | |
| The artifact was signed with the following user metadata: |
specs/commandline/verify.md
Outdated
Comment on lines
155
to
176
| An example of output messages for an unsuccessful verification with verbose logging enabled: | ||
|
|
||
| ```text | ||
| INFO Checking whether signature verification should be skipped or not | ||
| INFO Check over. Trust policy is not configured to skip signature verification | ||
| INFO Processing signature with digest: sha256:dbb22c0686b714ccbb53e4579771ee0f9ab9d37cd77cadb767549322742979f3 | ||
| INFO User Metadata flag is present. Checking signature metadata for specified values. | ||
| Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 | ||
| Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 | ||
| ``` | ||
|
|
||
| An example of output messages for an unsuccessful verification with debug logging enabled: | ||
|
|
||
| ```text | ||
| ... | ||
| INFO User Metadata flag is present. Checking signature metadata for specified values. | ||
| DEBU[2023-01-05T11:35:07-08:00] Verifying that metadata { "io.wabbit-networks.buildId":"123" } is present in signature metadata. | ||
| DEBU[2023-01-05T11:35:07-08:00] Signature metadata: { "io.wabbit-networks.buildId":"321" } | ||
| DEBU[2023-01-05T11:35:07-08:00] Error: specified metadata is not present in the signature. | ||
| Error: unable to find specified metadata in any signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 | ||
| Error: signature verification failed for all the signatures associated with localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 | ||
| ``` |
There was a problem hiding this comment.
I wouldn't add verbose and debug usecases in the spec as this can change during implementation.
There was a problem hiding this comment.
ok, will remove, also matches existing spec that doesn't have verbose/debug examples
Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
approved these changes
Jan 12, 2023
This was referenced Jan 13, 2023
priteshbandi
pushed a commit
to priteshbandi/notation
that referenced
this pull request
Feb 1, 2023
…#498) Spec update to support notaryproject/roadmap#67 `notation sign`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that will be signed as part of the payload. `notation verify`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that must be present in the signature to pass verification. Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
pushed a commit
to priteshbandi/notation
that referenced
this pull request
Feb 1, 2023
…#498) Spec update to support notaryproject/roadmap#67 `notation sign`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that will be signed as part of the payload. `notation verify`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that must be present in the signature to pass verification. Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
pushed a commit
to priteshbandi/notation
that referenced
this pull request
Feb 1, 2023
…#498) Spec update to support notaryproject/roadmap#67 `notation sign`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that will be signed as part of the payload. `notation verify`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that must be present in the signature to pass verification. Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
pushed a commit
to priteshbandi/notation
that referenced
this pull request
Feb 1, 2023
…#498) Spec update to support notaryproject/roadmap#67 `notation sign`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that will be signed as part of the payload. `notation verify`: - user will be able to specify additional key value pairs with the `--user-metadata` flag (`-um` short) that must be present in the signature to pass verification. Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
pushed a commit
to notaryproject/notation-go
that referenced
this pull request
Feb 8, 2023
Adds support for signed user metadata in `notation sign` and `notation verify`. [Relevant spec](notaryproject/notation#498) example sign usage: notation % notation sign $IMAGE --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=123 Successfully signed localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b example verification: ``` notation % notation verify $IMAGE --user-metadata io.wabbit-networks.buildTime=123 Successfully verified signature for localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b The artifact was signed with the following user metadata. KEY VALUE io.wabbit-networks.buildTime 123 io.wabbit-networks.buildId 123 ``` Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
pushed a commit
that referenced
this pull request
Feb 8, 2023
…y cmds (#507) Adds support for signed user metadata in `notation sign` and `notation verify`. [Relevant spec](#498) example sign usage: chienb@a07817b52895 notation % notation sign $IMAGE --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=123 Successfully signed localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b --------------- example verification: chienb@a07817b52895 notation % notation verify $IMAGE --user-metadata io.wabbit-networks.buildTime=123 Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before verification. Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. Successfully verified signature for localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b The artifact was signed with the following user metadata. KEY VALUE io.wabbit-networks.buildTime 123 io.wabbit-networks.buildId 123 ----- Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
pushed a commit
that referenced
this pull request
Feb 10, 2023
allows json output for `notation verify`. Fixes notaryproject/roadmap#67 and #498 chienb@a07817b52895 notation % ./bin/notation verify $IMAGE --output json { "reference": "localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b", "userMetadata": { "foo": "bar" }, "result": "Success" } Signed-off-by: Byron Chien <chienb@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Spec update to support notaryproject/roadmap#67
notation sign:--user-metadataflag (-umshort) that will be signed as part of the payload.notation verify:--user-metadataflag (-umshort) that must be present in the signature to pass verification.--outputflag (-oshort)