Plugin interface for signing. #124
Conversation
|
Can you please run markdown linter on the change. |
gokarnm
changed the title
specs/plugin-extensibility.md
Outdated
| * Each plugin executable and dependencies are installed under directory `~/.notation/plugins/{plugin-name}` with an executable under that directory `~/.notation/plugins/{plugin-name}/notation-{plugin-name}`. The executable can be a shim which calls plugin dependecies installed elsewhere on the file system. | ||
| * To use a plugin for signing, the user associates the plugin as part of registering a signing key. E.g. | ||
| * `notation key add --name "mysigningkey" --id "keyid" --plugin "com.amazonaws.signer.nv2plugin"` | ||
| * In the example, the command registers a signing key in `/notation/config.json`, where `mysigningkey` is a friendly key name to refer during signing operation, `id` is an AWS resource identifier that is used for signing, and the value of `plugin` specifies it's using a plugin located at `~/.notation/plugins/com.amazonaws.signer.nv2plugin/notation-com.amazonaws.signer.nv2plugin`. |
There was a problem hiding this comment.
Nitpicking.
com.amazonaws.signer.nv2plugin repetitive in `~/.notation/plugins/com.amazonaws.signer.nv2plugin/notation-com.amazonaws.signer.nv2plugin
There was a problem hiding this comment.
That was the intent, /plugin has a child dir called {plugin-name}, which contains an executable called notation-{plugin-name}.
There was a problem hiding this comment.
~/.notation/plugins/com.amazonaws.signer.nv2plugin/notation-com.amazonaws.signer.nv2plugin => ~/.notation/plugins/com.amazonaws.signer/nv2
Your call though.
There was a problem hiding this comment.
I'd prefer to keep the existing convention, I agree it's repetitive, though it does not directly impact the end user experience. Initially the executable name was {plugin-name}, then we prefixed notation following docker's convention for CLI plugins. @sajayantony let me know if you have any feedback to simplify this.
|
@aramase, can you help here? |
| ### Plugin installation and config | ||
|
|
||
| * Plugin publisher will provide instructions to download and install the plugin. Plugins intended for public distribution should also include instructions for users to verify the authenticity of the plugin. | ||
| * Each plugin executable and dependencies are installed under directory `~/.notation/plugins/{plugin-name}` with an executable under that directory `~/.notation/plugins/{plugin-name}/notation-{plugin-name}`. The executable can be a shim which calls plugin dependecies installed elsewhere on the file system. |
There was a problem hiding this comment.
nit: The notation in notation-{plugin-name} of ~/.notation/plugins/{plugin-name}/notation-{plugin-name} is redundant.
There was a problem hiding this comment.
Similar pattern for executables can be found in application bundles.
| * ACCESS_DENIED - Authentication/authorization error to use given key. | ||
| * TIMEOUT - The operation to generate signature timed out and can be retried by Notation. | ||
| * THROTTLED - The operation to generate signature was throttles and can be retried by Notation. | ||
| * ERROR - Any general error that does not fall into previous error categories. |
There was a problem hiding this comment.
s/ERROR/INTERNAL_ERROR ?
There was a problem hiding this comment.
This is supposed to be a catch all error that would cover any known, and unhandled plugin errors that do not fall into other categories.
specs/plugin-extensibility.md
Outdated
| 1. Determine if the registered key uses a plugin | ||
| 1. Execute the plugin with `discover` command | ||
| 1. If plugin supports capability `SIGNATURE_ENVELOPE_GENERATOR` | ||
| 1. Execute the plugin with `generate-envelope` command, set `request.key` to key definition (from `/notation/config.json`), `request.payload` to base64 encoded descriptor, `request.payloadType` to `application/vnd.oci.descriptor.v1+json` and `request.signatureEnvelopeType` to `application/vnd.cncf.notary.v2.jws.v1`. |
There was a problem hiding this comment.
Will Notation generate timestamp signature for Signature Envelope Generator plugin or its responsibility of plugin publisher?
There was a problem hiding this comment.
Good point, will address in next rev.
|
|
||
| *plugin-name* - Plugin name uses reverse domain name notation to avoid plugin name collisions. | ||
|
|
||
| *supported-contract-versions* - The list of contract versions supported by the plugin. Currently this list must include only one version, per major version. Post initial release, Notation may add new features through plugins, in the form of new commands (e.g. tsa-sign for timestamping), or additional request and response parameters. Notation will publish updates to plugin interface along with appropriate contract version update. Backwards compatible changes (changes for which older version of plugin continue to work with versions of Notation using newer contract version) like new optional parameters on existing contracts, and new commands will be supported through minor version contract updates, breaking changes through major version updates. Plugin `discover` command returns the contract version a plugin supports. Notation will evaluate the minimum plugin version required to satisfy a user's request, and reject the request if the plugin does not support the required version. |
There was a problem hiding this comment.
Do we also need to define the supportability contract for major and minor versions? How long will a particular minor version be supported in notation when there are multiple minor versions?
There was a problem hiding this comment.
@priteshbandi @aramase, plugin publishers specify the major.minor version of contract interface, for each major version. We are only putting in place mechanisms to support breaking and non breaking changes to plugin interface. These will not rev at the same rate as Notation updates. Notation should ideally support all minor versions of contract. The intent is plugin publishers can choose to implement the latest version of contract, but we don't want to break support for plugins implementing older minor versions of contract (within the major version).
| * VALIDATION_ERROR - Any of the required request fields was empty, or a value was malformed/invalid. Includes condition where the key referenced by `keyId` was not found. | ||
| * UNSUPPORTED_CONTRACT_VERSION - The contract version used in the request is unsupported. | ||
| * ACCESS_DENIED - Authentication/authorization error to use given key. | ||
| * TIMEOUT - The operation to generate signature timed out and can be retried by Notation. | ||
| * THROTTLED - The operation to generate signature was throttles and can be retried by Notation. | ||
| * ERROR - Any general error that does not fall into previous error categories. |
There was a problem hiding this comment.
These error codes are good to be surfaced out but IMO notation should not perform any retry action. In case of throttled requests, it's possible request can only be retried after a certain time defined in retry-after header. The plugin can decide to (1) retry the request internally before giving up and returning an error or (2) return the retry-after header info as part of error message, so the user can retry the request after the time has elapsed.
There was a problem hiding this comment.
This also makes me think there should be a context defined with timeout as part of the request to the plugin. We can use CommandContext to ensure the request doesn't hang indefinitely
There was a problem hiding this comment.
Agreed, Notation should not retry. The errors would be surfaced to caller invoking Notation, and it can decide to retry if needed.
There was a problem hiding this comment.
Can you provide more details about the context with timeout as part of the request, maybe with an example, I didn't understand that.
| // SIGNATURE_GENERATOR or | ||
| // SIGNATURE_ENVELOPE_GENERATOR |
There was a problem hiding this comment.
If SIGNATURE_GENERATOR and SIGNATURE_ENVELOPE_GENERATOR are supported by the plugin which one takes precedence when notation sign is invoked?
There was a problem hiding this comment.
Currently we expect a signing plugin to implement one of the signing interfaces not both. Let me know if this does not work for a specific case.
| ### Plugin installation and config | ||
|
|
||
| * Plugin publisher will provide instructions to download and install the plugin. Plugins intended for public distribution should also include instructions for users to verify the authenticity of the plugin. | ||
| * Each plugin executable and dependencies are installed under directory `~/.notation/plugins/{plugin-name}` with an executable under that directory `~/.notation/plugins/{plugin-name}/notation-{plugin-name}`. The executable can be a shim which calls plugin dependecies installed elsewhere on the file system. |
There was a problem hiding this comment.
Similar pattern for executables can be found in application bundles.
Signed-off-by: Milind Gokarn <gokarnm@amazon.com> Co-authored-by: Pritesh Bandi <priteshbandi@gmail.com> Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com> Co-authored-by: Shiwei Zhang <shizh@microsoft.com>
|
Addressed review feedback, linked open issues for verification plugin and threat model, and squashed commits. |
Related issue notaryproject/roadmap/issues/26.
Signed-off-by: Milind Gokarn gokarnm@amazon.com