Pass expiry to generate-envelope plugin

[priteshbandi]

Pass expiry to envelope generator plugin so that it can be used for generating signature.
Issue: notaryproject/notation#443

Signed-off-by: Pritesh Bandi pritesb@amazon.com

[gokarnm]

LGTM!

[shizhMSFT]

Taking a look at the current notation.SignOptions, the expriy is a time.Time and not a time.Duration. Therefore, this field should also be a time field.

[priteshbandi]

In notation cli user pass expiry as duration 24h5m, so notaiton.SignOptions should use time.Duration instead of time.Time because actual expiry should be calculated as close as possible to sign operation.

Scenario: user called notation sign $Image -e 1m with plugin and if the plugin execute took 30 secs, the user got the expiry only of 30 sec not 1 minute.

[shizhMSFT]

This is exactly I am worried about. The expiry should be deterministic and is not based on the signature generation time and influenced by any possible time skew.

For example, I want to sign an artifact for deployment and let it expire immediately after Thanksgiving 12:00AM sharp time. Therefore, I calculate the duration based on my local time and run notation sign. The signing process takes 30s and due a time skew between my machine and the server, the signature will actually be expired on the Thanksgiving Day 11:55 PM.

Therefore, expiry should be an exact date time for all internal component communication. The duration-typed expiry at the notation CLI side is for user experience, which can be reviewed later.

[yizha1]

Maybe we should remove expiry from CLI for now, if we didn't think through the behavior. Once it is released, it's a breaking change if we want to change the behaviors.

[shizhMSFT]

LGTM as discussed in the community meeting that expiry in the signing options should be duration all of the places.