From 0f556be8057101bdeddaedbde1a66f5b09c710ee Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 16 Apr 2024 14:15:40 +0800
Subject: [PATCH] feat: upgrade to OCI 1.1 (#916)
Signed-off-by: Patrick Zheng
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/release-github.yml | 2 +-
 building.md | 2 +-
 cmd/notation/inspect.go | 12 +--
 cmd/notation/list.go | 14 +--
 cmd/notation/registry.go | 32 +++----
 cmd/notation/registry_test.go | 10 --
 cmd/notation/sign.go | 32 ++++---
 cmd/notation/sign_test.go | 39 +++++---
 cmd/notation/verify.go | 14 +--
 go.mod | 15 +--
 go.sum | 26 +++---
 internal/cmd/flags.go | 8 ++
 specs/commandline/inspect.md | 1 -
 specs/commandline/list.md | 1 -
 specs/commandline/sign.md | 8 +-
 specs/commandline/verify.md | 1 -
 test/e2e/go.mod | 8 +-
 test/e2e/go.sum | 19 ++--
 test/e2e/plugin/generate_signature.go | 9 +-
 test/e2e/plugin/go.mod | 17 ++--
 test/e2e/plugin/go.sum | 30 +++---
 test/e2e/suite/command/inspect.go | 54 +++++++++++
 test/e2e/suite/command/list.go | 72 +++++++++++++++
 test/e2e/suite/command/sign.go | 78 ++++++++++++++
 test/e2e/suite/command/verify.go | 44 ++++++++-
 test/e2e/suite/trustpolicy/trust_store.go | 10 +-
 .../e2e/suite/trustpolicy/trusted_identity.go | 13 ++-
 .../suite/trustpolicy/verification_level.go | 92 +++++++++----------
 30 files changed, 469 insertions(+), 198 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e34836c9f..1251b0a71 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,7 +27,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- go-version: ['1.20']
+ go-version: ['1.22']
 fail-fast: true
 steps:
 - name: Set up Go ${{ matrix.go-version }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ede07273a..84c7a6136 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -38,7 +38,7 @@ jobs: security-events: write strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: false steps: - name: Checkout repository diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 8bde5c193..2144822a1 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} diff --git a/building.md b/building.md index 44109c632..34e6222a9 100644 --- a/building.md +++ b/building.md @@ -4,7 +4,7 @@ The notation repo contains the following: - `notation` - A CLI for signing and verifying artifacts with Notation -Building above binaries require [golang](https://golang.org/dl/) with version `>= 1.20`. +Building above binaries require [golang](https://golang.org/dl/) with version `>= 1.22`. ## Windows with WSL or Linux diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index eb442fc46..df91dbea0 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -83,10 +83,6 @@ Example - Inspect signatures on an OCI artifact identified by a tag (Notation w Example - Inspect signatures on an OCI artifact identified by a digest and output as json: notation inspect --output json /@ -` - experimentalExamples := ` -Example - [Experimental] Inspect signatures on an OCI artifact identified by a digest using the Referrers API, if not supported (returns 404), fallback to the Referrers tag schema - notation inspect --allow-referrers-api /@ ` command := &cobra.Command{ Use: "inspect [reference]", 
@@ -106,6 +102,9 @@ Example - [Experimental] Inspect signatures on an OCI artifact identified by a d if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } + if cmd.Flags().Changed("allow-referrers-api") { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") + } return runInspect(cmd, opts) }, } @@ -115,7 +114,6 @@ Example - [Experimental] Inspect signatures on an OCI artifact identified by a d cmd.SetPflagOutput(command.Flags(), &opts.outputFormat, cmd.PflagOutputUsage) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "inspect")) - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api"}) return command } @@ -129,7 +127,9 @@ func runInspect(command *cobra.Command, opts *inspectOpts) error { // initialize reference := opts.reference - sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, opts.allowReferrersAPI) + // always use the Referrers API, if not supported, automatically fallback to + // the referrers tag schema + sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, false) if err != nil { return err } diff --git a/cmd/notation/list.go b/cmd/notation/list.go index a651386eb..387134907 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -17,6 +17,7 @@ import ( "context" "errors" "fmt" + "os" notationregistry "github.com/notaryproject/notation-go/registry" cmderr "github.com/notaryproject/notation/cmd/notation/internal/errors" 
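Review bot: The warning added in RunE says `--allow-referrers-api` is deprecated but not that it is already a no-op here — the runInspect hunk below passes `false` to getRemoteRepository unconditionally, so `opts.allowReferrersAPI` is written by the flag and never read. Suggest `"Warning: flag '--allow-referrers-api' is deprecated and has no effect; the Referrers API is always tried first, falling back to the referrers tag schema."`, and the same wording applies to the identical warnings added to list.go and verify.go. The `allowReferrersAPI` field declaration is outside these hunks; a `// Deprecated: kept only so the hidden flag still parses.` comment on it would stop a future reader from wiring it back in.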
@@ -52,9 +53,6 @@ Example - List signatures of an OCI artifact identified by a tag (Notation will notation list /: ` experimentalExamples := ` -Example - [Experimental] List signatures of an OCI artifact using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema - notation list --allow-referrers-api /@ - Example - [Experimental] List signatures of an OCI artifact referenced in an OCI layout notation list --oci-layout "@" @@ -83,6 +81,9 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } + if cmd.Flags().Changed("allow-referrers-api") { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") + } return runList(cmd.Context(), opts) }, } @@ -90,9 +91,8 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag opts.SecureFlagOpts.ApplyFlags(command.Flags()) cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "list")) command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] list signatures stored in OCI image layout") - experimental.HideFlags(command, "", []string{"allow-referrers-api", "oci-layout"}) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) + experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } 
@@ -102,7 +102,9 @@ func runList(ctx context.Context, opts *listOpts) error {
 // initialize
 reference := opts.reference
- sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, opts.allowReferrersAPI)
+ // always use the Referrers API, if not supported, automatically fallback to
+ // the referrers tag schema
+ sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, false)
 if err != nil {
 return err
 }
diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go
index d4c748a36..bc9352179 100644
--- a/cmd/notation/registry.go
+++ b/cmd/notation/registry.go
@@ -21,7 +21,6 @@ import (
 "github.com/notaryproject/notation-go/log"
 notationregistry "github.com/notaryproject/notation-go/registry"
- "github.com/notaryproject/notation/cmd/notation/internal/experimental"
 notationauth "github.com/notaryproject/notation/internal/auth"
 "github.com/notaryproject/notation/internal/httputil"
 "github.com/notaryproject/notation/pkg/configutil"
@@ -41,10 +40,10 @@ const (
 // getRepository returns a notationregistry.Repository given user input
 // type and user input reference
-func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, allowReferrersAPI bool) (notationregistry.Repository, error) {
+func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, forceReferrersTag bool) (notationregistry.Repository, error) {
 switch inputType {
 case inputTypeRegistry:
- return getRemoteRepository(ctx, opts, reference, allowReferrersAPI)
+ return getRemoteRepository(ctx, opts, reference, forceReferrersTag)
 case inputTypeOCILayout:
 layoutPath, _, err := parseOCILayoutReference(reference)
 if err != nil {
@@ -57,17 +56,18 @@ func getRepository(ctx context.Context, inputType inputType, reference string, o
 }
 // getRemoteRepository returns a registry.Repository.
-// When experimental feature is disabled OR allowReferrersAPI is not set,
-// Notation always uses referrers tag schema to store and consume signatures
-// by default.
-// When experimental feature is enabled AND allowReferrersAPI is set, Notation
-// tries the Referrers API, if not supported, fallback to use the Referrers
-// tag schema.
+// When forceReferrersTag is true, Notation will always generate an image index
+// according to the Referrers tag schema to store signature.
+//
+// When forceReferrersTag is false, Notation will first try to store the
+// signature as a referrer according to the Referrers API. If the Referrers API
+// is not supported, fallback to use the referrers tag schema.
+// This flag is always FALSE when verify/list/inspect signatures.
 //
 // References:
-// https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers
-// https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#referrers-tag-schema
-func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, allowReferrersAPI bool) (notationregistry.Repository, error) {
+// https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers
+// https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#referrers-tag-schema
+func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, forceReferrersTag bool) (notationregistry.Repository, error) {
 logger := log.GetLogger(ctx)
 ref, err := registry.ParseReference(reference)
 if err != nil {
@@ -82,13 +82,13 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st
 return nil, err
 }
- if !experimental.IsDisabled() && allowReferrersAPI {
- logger.Info("Trying to use the referrers API")
- } else {
- logger.Info("Using the referrers tag schema")
+ if forceReferrersTag {
+ logger.Info("The referrers tag schema is always attempted")
 if err := remoteRepo.SetReferrersCapability(false); err != nil {
 return nil, err
 }
+ } else {
+ logger.Info("Allowed to access the referrers API, fallback if not supported")
 }
 return notationregistry.NewRepository(remoteRepo), nil
 }
diff --git a/cmd/notation/registry_test.go b/cmd/notation/registry_test.go
index 5d5526a1f..ac915eb1c 100644
--- a/cmd/notation/registry_test.go
+++ b/cmd/notation/registry_test.go
@@ -19,8 +19,6 @@ import (
 "net/http/httptest"
 "net/url"
 "testing"
-
- "github.com/notaryproject/notation/cmd/notation/internal/experimental"
 )
 const (
@@ -28,10 +26,6 @@ const (
 )
 func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) {
- t.Setenv("NOTATION_EXPERIMENTAL", "1")
- if experimental.IsDisabled() {
- t.Fatal("failed to enable experimental")
- }
 ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest {
 w.WriteHeader(http.StatusOK)
@@ -56,10 +50,6 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) {
 }
 func TestRegistry_getRemoteRepositoryWithReferrersAPINotSupported(t *testing.T) {
- t.Setenv("NOTATION_EXPERIMENTAL", "1")
- if experimental.IsDisabled() {
- t.Fatal("failed to enable experimental")
- }
 ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest {
 w.WriteHeader(http.StatusNotFound)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 5a1c5c8f7..23b227a49 100644
--- a/cmd/notation/sign.go
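Review bot: The default for verify/list/inspect now flips from the removed `Using the referrers tag schema` branch to trying the Referrers API first, so on a registry that implements the API but does not fold manifests pushed under the referrers tag schema into its response, signatures stored by earlier Notation releases could go undiscovered; whether oras-go's fallback also covers an empty API result is not visible here. If it only covers a 404, the doc comment in the preceding hunk should say `// fallback happens only when the Referrers API endpoint is unsupported (404), not when it returns no referrers`. The new `logger.Info("Allowed to access the referrers API, fallback if not supported")` reads as a permission statement; `logger.Info("Trying the Referrers API first, falling back to the referrers tag schema if unsupported")` describes what the branch actually selects.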
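Review bot: Neither visible registry_test.go hunk covers the `forceReferrersTag == true` branch that calls `SetReferrersCapability(false)`; removing the experimental gate means both tests now run the default API-first path, and the arguments they pass to getRemoteRepository sit outside the hunks, so this is inferred. A third test that passes `true` and fails if the test server ever receives a GET on the `/v2/test/v1/referrers/` path would pin the sign-side default.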
+++ b/cmd/notation/sign.go @@ -14,7 +14,6 @@ package main import ( - "context" "errors" "fmt" "os" @@ -22,7 +21,6 @@ import ( "time" "github.com/notaryproject/notation-go" - notationregistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" @@ -41,6 +39,7 @@ type signOpts struct { userMetadata []string reference string allowReferrersAPI bool + forceReferrersTag bool ociLayout bool inputType inputType } @@ -72,11 +71,11 @@ Example - Sign an OCI artifact identified by a tag (Notation will resolve tag to Example - Sign an OCI artifact stored in a registry and specify the signature expiry duration, for example 24 hours notation sign --expiry 24h /@ + +Example - Sign an OCI artifact and store signature using the Referrers API. If it's not supported, fallback to the Referrers tag schema + notation sign --force-referrers-tag=false /@ ` experimentalExamples := ` -Example - [Experimental] Sign an OCI artifact and store signature using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema - notation sign --allow-referrers-api /@ - Example - [Experimental] Sign an OCI artifact referenced in an OCI layout notation sign --oci-layout "@" 
@@ -102,6 +101,15 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout")
 },
 RunE: func(cmd *cobra.Command, args []string) error {
+ // allow-referrers-api flag is set
+ if cmd.Flags().Changed("allow-referrers-api") {
+ if opts.allowReferrersAPI {
+ fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.")
+ opts.forceReferrersTag = false
+ } else {
+ fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.")
+ }
+ }
 return runSign(cmd, opts)
 },
 }
@@ -112,9 +120,10 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig)
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage)
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign"))
+ cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema")
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout")
- command.MarkFlagsMutuallyExclusive("oci-layout", "allow-referrers-api")
- experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"})
+ command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api")
+ experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"})
 return command
 }
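Review bot: The deprecation shim in RunE can only run if PreRunE lets `--allow-referrers-api` through — the context line above still routes it via `experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout")`, so if that helper rejects the flag outside experimental mode (not visible here), a migrating user gets an error instead of the new warning. Either drop `"allow-referrers-api"` from the CheckFlagsAndWarn list or move the shim into PreRunE next to it, so both checks on the same flag live together. The mutual-exclusion list in the next hunk works because cobra only considers flags that were explicitly set, so the `true` default of `force-referrers-tag` does not collide with `--oci-layout`; a comment `// an explicit --force-referrers-tag (either value) conflicts with --oci-layout` would make that non-obvious detail visible.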
@@ -127,14 +136,11 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { if err != nil { return err } - if cmdOpts.allowReferrersAPI { - fmt.Fprintln(os.Stderr, "Warning: using the Referrers API to store signature. On success, must set the `--allow-referrers-api` flag to list, inspect, and verify the signature.") - } - sigRepo, err := getRepository(ctx, cmdOpts.inputType, cmdOpts.reference, &cmdOpts.SecureFlagOpts, cmdOpts.allowReferrersAPI) + sigRepo, err := getRepository(ctx, cmdOpts.inputType, cmdOpts.reference, &cmdOpts.SecureFlagOpts, cmdOpts.forceReferrersTag) if err != nil { return err } - signOpts, err := prepareSigningOpts(ctx, cmdOpts, sigRepo) + signOpts, err := prepareSigningOpts(cmdOpts) if err != nil { return err } @@ -162,7 +168,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { return nil } -func prepareSigningOpts(ctx context.Context, opts *signOpts, sigRepo notationregistry.Repository) (notation.SignOptions, error) { +func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) { mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat) if err != nil { return notation.SignOptions{}, err diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index 77c4c5540..c98b80817 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -36,6 +36,7 @@ func TestSignCommand_BasicArgs(t *testing.T) { Key: "key", SignatureFormat: envelope.JWS, }, + forceReferrersTag: true, } if err := command.ParseFlags([]string{ expected.reference, @@ -67,7 +68,7 @@ func TestSignCommand_MoreArgs(t *testing.T) { SignatureFormat: envelope.COSE, }, expiry: 24 * time.Hour, - allowReferrersAPI: true, + forceReferrersTag: true, } if err := command.ParseFlags([]string{ expected.reference, 
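Review bot: Removing the stderr warning takes away the only hint that a signature stored with `--force-referrers-tag=false` is invisible to clients that read only the referrers tag schema, which per the doc comment this commit replaces in registry.go was the previous default for every command. Since the usage string is now where users will look, suggest `cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema; when false, signatures are stored via the Referrers API and are not found by clients that only read the tag schema")`. runSign continues outside the hunk.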
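Review bot: None of the sign_test.go hunks exercise the `--allow-referrers-api` → `forceReferrersTag = false` mapping that sign.go adds in RunE, because these tests stop at ParseFlags and Args; this applies to the hunks here and to the remaining sign_test.go hunks that follow. Extracting the RunE block into a small helper such as `applyDeprecatedReferrersFlag(cmd *cobra.Command, opts *signOpts)` would let a test parse `--allow-referrers-api`, call it and assert `opts.forceReferrersTag == false`, and a second test should confirm `--allow-referrers-api --force-referrers-tag` is rejected as mutually exclusive. The `forceReferrersTag: true` expectation in TestSignCommand_BasicArgs also records the default; a comment `// default: signatures go to the referrers tag schema` would make that intent explicit.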
@@ -77,7 +78,8 @@ func TestSignCommand_MoreArgs(t *testing.T) { "--insecure-registry", "--signature-format", expected.SignerFlagOpts.SignatureFormat, "--expiry", expected.expiry.String(), - "--allow-referrers-api"}); err != nil { + "--force-referrers-tag", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -97,8 +99,9 @@ func TestSignCommand_CorrectConfig(t *testing.T) { Key: "key", SignatureFormat: envelope.COSE, }, - expiry: 365 * 24 * time.Hour, - pluginConfig: []string{"key0=val0", "key1=val1"}, + expiry: 365 * 24 * time.Hour, + pluginConfig: []string{"key0=val0", "key1=val1"}, + forceReferrersTag: false, } if err := command.ParseFlags([]string{ expected.reference, @@ -106,7 +109,9 @@ func TestSignCommand_CorrectConfig(t *testing.T) { "--signature-format", expected.SignerFlagOpts.SignatureFormat, "--expiry", expected.expiry.String(), "--plugin-config", "key0=val0", - "--plugin-config", "key1=val1"}); err != nil { + "--plugin-config", "key1=val1", + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -154,7 +159,9 @@ func TestSignCommmand_OnDemandKeyOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--id", expected.KeyID, - "--plugin", expected.PluginName}); err != nil { + "--plugin", expected.PluginName, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { 
@@ -188,7 +195,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "--password", expected.Password, "--id", expected.KeyID, "--plugin", expected.PluginName, - "--key", expected.Key}); err != nil { + "--key", expected.Key, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -222,7 +231,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--id", expected.KeyID, - "--key", expected.Key}); err != nil { + "--key", expected.Key, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -256,7 +267,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--plugin", expected.PluginName, - "--key", expected.Key}); err != nil { + "--key", expected.Key, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -288,7 +301,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { expected.reference, "-u", expected.Username, "--password", expected.Password, - "--id", expected.KeyID}); err != nil { + "--id", expected.KeyID, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -320,7 +335,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { expected.reference, "-u", expected.Username, "--password", expected.Password, - "--plugin", expected.PluginName}); err != nil { + "--plugin", expected.PluginName, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { 
diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 2ac0b9f48..6417b10c6 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -60,9 +60,6 @@ Example - Verify a signature on an OCI artifact identified by a tag (Notation w notation verify /: ` experimentalExamples := ` -Example - [Experimental] Verify an OCI artifact using the Referrers API, if not supported (returns 404), fallback to the Referrers tag schema - notation verify --allow-referrers-api /@ - Example - [Experimental] Verify a signature on an OCI artifact referenced in an OCI layout using trust policy statement specified by scope. notation verify --oci-layout /@ --scope @@ -90,6 +87,9 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t if opts.maxSignatureAttempts <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatureAttempts) } + if cmd.Flags().Changed("allow-referrers-api") { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") + } return runVerify(cmd, opts) }, } 
@@ -97,12 +97,12 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t opts.SecureFlagOpts.ApplyFlags(command.Flags()) command.Flags().StringArrayVar(&opts.pluginConfig, "plugin-config", nil, "{key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values") cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataVerifyUsage) - command.Flags().IntVar(&opts.maxSignatureAttempts, "max-signatures", 100, "maximum number of signatures to evaluate or examine") cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "verify")) + command.Flags().IntVar(&opts.maxSignatureAttempts, "max-signatures", 100, "maximum number of signatures to evaluate or examine") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] verify the artifact stored as OCI image layout") command.Flags().StringVar(&opts.trustPolicyScope, "scope", "", "[Experimental] set trust policy scope for artifact verification, required and can only be used when flag \"--oci-layout\" is set") command.MarkFlagsRequiredTogether("oci-layout", "scope") - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout", "scope"}) + experimental.HideFlags(command, experimentalExamples, []string{"oci-layout", "scope"}) return command } @@ -130,7 +130,9 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { // core verify process reference := opts.reference - sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, opts.allowReferrersAPI) + // always use the Referrers API, if not supported, automatically fallback to + // the referrers tag schema + sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, false) if err != nil { return err } 
diff --git a/go.mod b/go.mod
index 1edb2e567..c72bbea49 100644
--- a/go.mod
+++ b/go.mod
@@ -1,31 +1,32 @@
 module github.com/notaryproject/notation
-go 1.21
+go 1.22
 require (
- github.com/notaryproject/notation-core-go v1.0.2
- github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb
+ github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e
+ github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
 github.com/spf13/pflag v1.0.5
 golang.org/x/term v0.18.0
- oras.land/oras-go/v2 v2.4.0
+ oras.land/oras-go/v2 v2.5.0
 )
 require (
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
- github.com/fxamacker/cbor/v2 v2.5.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.6.0 // indirect
 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 github.com/go-ldap/ldap/v3 v3.4.6 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 github.com/google/uuid v1.3.1 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- golang.org/x/crypto v0.18.0 // indirect
- golang.org/x/mod v0.14.0 // indirect
+ golang.org/x/crypto v0.21.0 // indirect
+ golang.org/x/mod v0.16.0 // indirect
 golang.org/x/sync v0.6.0 // indirect
 golang.org/x/sys v0.18.0 // indirect
 )
diff --git a/go.sum b/go.sum
index e2ce1ba36..18ea7a618 100644
--- a/go.sum
+++ b/go.sum
@@ -6,8 +6,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= -github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= 
@@ -18,10 +18,12 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= -github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb h1:OVkHyQD0O8hTsuDPzdpgdteHDN9ormV5M3/pi9ka4II= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb/go.mod h1:v0e8Y7gEzTtx7aNw3tG6da7atr59JRdePVMMkTGNXzA= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 h1:KgZXNSRfwdwO3EpI3ctDM3lWWDuP8V1Tf0D55J2+EBo= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8/go.mod h1:BEK6ix7+AEqnDQwXlcic+E1gf0YUGZR52HUsgViJ8Ns= +github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= +github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -49,12 +51,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -98,5 +100,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= -oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= +oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c= +oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg= diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 8d93e6708..196768b2c 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -112,6 +112,14 @@ var ( PflagReferrersUsageFormat = "[Experimental] use the Referrers API to %s signatures, if not supported (returns 404), fallback to the Referrers tag schema" SetPflagReferrersAPI = func(fs *pflag.FlagSet, p *bool, usage string) { fs.BoolVar(p, PflagReferrersAPI.Name, false, usage) + fs.MarkHidden(PflagReferrersAPI.Name) + } + + PflagReferrersTag = &pflag.Flag{ + Name: "force-referrers-tag", + } + SetPflagReferrersTag = func(fs *pflag.FlagSet, p *bool, usage string) { + fs.BoolVar(p, PflagReferrersTag.Name, true, usage) } PflagOutput = &pflag.Flag{ diff --git a/specs/commandline/inspect.md b/specs/commandline/inspect.md index 5dc9b334d..b068bff2c 100644 --- a/specs/commandline/inspect.md +++ b/specs/commandline/inspect.md @@ -36,7 +36,6 @@ Usage: notation inspect [flags] Flags: - --allow-referrers-api [Experimental] use the Referrers API to inspect signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for inspect --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing 
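Review bot: `fs.MarkHidden(PflagReferrersAPI.Name)` in SetPflagReferrersAPI discards the error that MarkHidden returns; since the flag is registered on the same FlagSet one line earlier the error cannot fire in practice, but writing it as `_ = fs.MarkHidden(PflagReferrersAPI.Name) // flag defined just above; cannot fail` keeps errcheck quiet and records why it is safe to ignore. The new `PflagReferrersTag`/`SetPflagReferrersTag` pair has no doc comment, and because the default is `true` a reader cannot tell what `false` selects; a comment such as `// PflagReferrersTag stores signatures with the Referrers tag schema (default true); false uses the Referrers API with tag-schema fallback. Mutually exclusive with --allow-referrers-api.` would also explain the conflict that the sign.go e2e case in this patch expects to be rejected (`[allow-referrers-api force-referrers-tag] were all set`). `PflagReferrersUsageFormat` still says only `[Experimental]`, while the tests added here expect a deprecation warning for that flag, so the hidden flag's usage text would be more consistent if it also said it is deprecated in favour of `--force-referrers-tag`. The enclosing `var (` block starts and ends outside the hunk.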
diff --git a/specs/commandline/list.md b/specs/commandline/list.md index d73be9758..2540633d0 100644 --- a/specs/commandline/list.md +++ b/specs/commandline/list.md @@ -27,7 +27,6 @@ Aliases: list, ls Flags: - --allow-referrers-api [Experimental] use the Referrers API to list signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for list --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 1bb445797..f7e9577ae 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -30,7 +30,7 @@ Usage: notation sign [flags] Flags: - --allow-referrers-api [Experimental] use the Referrers API to store signatures in the registry, if not supported (returns 404), fallback to the Referrers tag schema + --force-referrers-tag force to store signatures using the referrers tag schema (default true) -d, --debug debug mode -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m -h, --help help for sign @@ -190,6 +190,6 @@ notation list --oci-layout hello-world@sha256:xxx ``` [oci-artifact-manifest]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/artifact.md -[oci-image-spec]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/spec.md -[oci-referers-api]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers -[oci-image-layout]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/image-layout.md +[oci-image-spec]: https://github.com/opencontainers/image-spec/blob/v1.1.0/spec.md +[oci-referers-api]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers +[oci-image-layout]: https://github.com/opencontainers/image-spec/blob/v1.1.0/image-layout.md 
diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 943e7bcd3..fa56fdc94 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -38,7 +38,6 @@ Usage: notation verify [flags] Flags: - --allow-referrers-api [Experimental] use the Referrers API to verify signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for verify --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 450b1352a..5f5e8be8b 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -1,17 +1,17 @@ module github.com/notaryproject/notation/test/e2e -go 1.20 +go 1.21 require ( - github.com/notaryproject/notation-core-go v1.0.2 + github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 - github.com/opencontainers/image-spec v1.1.0-rc6 + github.com/opencontainers/image-spec v1.1.0 oras.land/oras-go/v2 v2.4.0 ) require ( - github.com/fxamacker/cbor/v2 v2.5.0 // indirect + github.com/fxamacker/cbor/v2 v2.6.0 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/google/go-cmp v0.5.9 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 930892729..068057a4c 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
@@ -1,38 +1,42 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= -github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9tRnGuw+ZVCB3FazXODD6JE1R8= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= -github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= -github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo= +github.com/notaryproject/notation-core-go 
v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o= github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.21.0 
h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= @@ -44,6 +48,7 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/test/e2e/plugin/generate_signature.go b/test/e2e/plugin/generate_signature.go index 71e5ee7f2..3ef4eaf87 100644 --- a/test/e2e/plugin/generate_signature.go +++ b/test/e2e/plugin/generate_signature.go @@ -22,6 +22,7 @@ import ( "github.com/golang-jwt/jwt" "github.com/notaryproject/notation-core-go/signature" "github.com/notaryproject/notation-go/plugin/proto" + "github.com/notaryproject/notation-plugin-framework-go/plugin" "github.com/notaryproject/notation/test/e2e/plugin/internal/io" "github.com/notaryproject/notation/test/e2e/plugin/mock" "github.com/spf13/cobra" 
@@ -88,10 +89,10 @@ func runGenerateSignature(req *proto.GenerateSignatureRequest) error { if err != nil { return &proto.RequestError{Code: proto.ErrorCodeGeneric, Err: err} } - resp := &proto.GenerateSignatureResponse{ + resp := &plugin.GenerateSignatureResponse{ KeyID: req.KeyID, Signature: rawSig, - SigningAlgorithm: string(signingAlg), + SigningAlgorithm: signingAlg, CertificateChain: toRawCerts(certs), } @@ -155,7 +156,7 @@ func validateGenerateSignatureRequest(req proto.GenerateSignatureRequest) error } // updateGenerateSignatureResponse tampers the response to test various cases. -func updateGenerateSignatureResponse(req *proto.GenerateSignatureRequest, resp *proto.GenerateSignatureResponse) { +func updateGenerateSignatureResponse(req *plugin.GenerateSignatureRequest, resp *plugin.GenerateSignatureResponse) { if v, ok := req.PluginConfig[mock.TamperKeyID]; ok { resp.KeyID = v } @@ -165,7 +166,7 @@ func updateGenerateSignatureResponse(req *proto.GenerateSignatureRequest, resp * } if v, ok := req.PluginConfig[mock.TamperSignatureAlgorithm]; ok { - resp.SigningAlgorithm = v + resp.SigningAlgorithm = plugin.SignatureAlgorithm(v) } if v, ok := req.PluginConfig[mock.TamperCertificateChain]; ok { diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 465f6c3ce..fe9772dcd 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod 
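Review bot: The response built in runGenerateSignature is now a `*plugin.GenerateSignatureResponse`, but the request parameter in the hunk header is still `*proto.GenerateSignatureRequest` and the error path two lines above still returns `*proto.RequestError`, so one request/response pair is now split between the old `proto` package and the new `plugin` package. The hunk at -155 changes `updateGenerateSignatureResponse` to take `*plugin.GenerateSignatureRequest`, and the call site in runGenerateSignature is outside the hunk, so this presumably compiles only because the `proto` types are aliases of the framework types; if so, a one-line comment at the signature, `// proto.* request/error types are aliases of notation-plugin-framework-go/plugin types; migrate fully when notation-go drops them`, records that dependency, otherwise the signature and error construction should move to the `plugin` package's equivalents for consistency. Dropping the `string()` conversion in `SigningAlgorithm: signingAlg` implies `signingAlg` is already a `plugin.SignatureAlgorithm` (or a type assignable to it); that assignment is outside the hunk and worth confirming. runGenerateSignature starts and ends outside the hunk.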
@@ -1,29 +1,30 @@ module github.com/notaryproject/notation/test/e2e/plugin -go 1.20 +go 1.21 require ( github.com/golang-jwt/jwt v3.2.2+incompatible - github.com/notaryproject/notation-core-go v1.0.2 - github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb + github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e + github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 + github.com/notaryproject/notation-plugin-framework-go v1.0.0 github.com/spf13/cobra v1.7.0 ) require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect - github.com/fxamacker/cbor/v2 v2.5.0 // indirect + github.com/fxamacker/cbor/v2 v2.6.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-ldap/ldap/v3 v3.4.6 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc6 // indirect + github.com/opencontainers/image-spec v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.18.0 // indirect - golang.org/x/mod v0.14.0 // indirect + golang.org/x/crypto v0.21.0 // indirect + golang.org/x/mod v0.16.0 // indirect golang.org/x/sync v0.6.0 // indirect - oras.land/oras-go/v2 v2.4.0 // indirect + oras.land/oras-go/v2 v2.5.0 // indirect ) diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index 2ebbff354..6d924d226 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -6,8 +6,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= -github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= 
@@ -20,14 +20,16 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= -github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb h1:OVkHyQD0O8hTsuDPzdpgdteHDN9ormV5M3/pi9ka4II= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb/go.mod h1:v0e8Y7gEzTtx7aNw3tG6da7atr59JRdePVMMkTGNXzA= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 h1:KgZXNSRfwdwO3EpI3ctDM3lWWDuP8V1Tf0D55J2+EBo= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8/go.mod h1:BEK6ix7+AEqnDQwXlcic+E1gf0YUGZR52HUsgViJ8Ns= +github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= +github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= 
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -48,12 +50,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -92,5 +94,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= -oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= +oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c= +oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg= diff --git a/test/e2e/suite/command/inspect.go b/test/e2e/suite/command/inspect.go index 7937e8066..49ba33e77 100644 --- a/test/e2e/suite/command/inspect.go +++ b/test/e2e/suite/command/inspect.go 
@@ -77,4 +77,58 @@ var _ = Describe("notation inspect", func() {
 NoMatchErrKeyWords(HTTPSRequest)
 })
 })
+
+ It("sign with --force-referrers-tag set", func() {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(inspectSuccessfully...)
+ })
+ })
+
+ It("sign with --force-referrers-tag set to false", func() {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(inspectSuccessfully...)
+ })
+ })
+
+ It("sign with --allow-referrers-api set", func() {
+ Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(inspectSuccessfully...)
+
+ notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
+ MatchErrKeyWords(
+ "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
+ ).
+ MatchKeyWords(inspectSuccessfully...)
+ })
+ })
+
+ It("sign with --allow-referrers-api set to false", func() {
+ Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(inspectSuccessfully...)
+
+ notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
+ MatchErrKeyWords(
+ "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
+ ).
+ MatchKeyWords(inspectSuccessfully...)
+ })
+ })
 })
diff --git a/test/e2e/suite/command/list.go b/test/e2e/suite/command/list.go
index 62c11f8f0..889ccb396 100644
--- a/test/e2e/suite/command/list.go
+++ b/test/e2e/suite/command/list.go
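Review bot: The four new cases in inspect.go do not assert which storage path the signature took: each signs with a different flag value and then checks the same `inspectSuccessfully` keywords, which an inspect that falls back between the Referrers API and the tag schema would print either way, so a regression where `--force-referrers-tag=false` silently stores by tag schema would still pass. The same applies to the parallel cases added to list.go and verify.go in this patch. Going by the descriptions used in sign.go here (`OldNotation()` verifies "by tag schema", `OldNotation(...)` with `--allow-referrers-api` "by referrers api"), the `=false` and `--allow-referrers-api` cases could additionally run an `OldNotation()` step that is expected to fail, or match a debug-log keyword naming the path taken, so that the assertion actually discriminates; whether the test registry makes that observable is not visible from here. As a point of style, the It descriptions begin with "sign with …" inside the `notation inspect` Describe; naming them after what is checked, e.g. `inspect after signing with --force-referrers-tag`, reads better in ginkgo reports.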
@@ -85,4 +85,76 @@ var _ = Describe("notation list", func() {
 MatchKeyWords("has no associated signature")
 })
 })
+
+ It("sign with --force-referrers-tag set", func() {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("list", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(
+ "└── application/vnd.cncf.notary.signature",
+ "└── sha256:",
+ )
+ })
+ })
+
+ It("sign with --force-referrers-tag set to false", func() {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("list", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(
+ "└── application/vnd.cncf.notary.signature",
+ "└── sha256:",
+ )
+ })
+ })
+
+ It("sign with --allow-referrers-api set", func() {
+ Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("list", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(
+ "└── application/vnd.cncf.notary.signature",
+ "└── sha256:",
+ )
+
+ notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
+ MatchErrKeyWords(
+ "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
+ ).
+ MatchKeyWords(
+ "└── application/vnd.cncf.notary.signature",
+ "└── sha256:",
+ )
+ })
+ })
+
+ It("sign with --allow-referrers-api set to false", func() {
+ Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+ notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()).
+ MatchKeyWords(SignSuccessfully)
+
+ notation.Exec("list", artifact.ReferenceWithDigest(), "-v").
+ MatchKeyWords(
+ "└── application/vnd.cncf.notary.signature",
+ "└── sha256:",
+ )
+
+ notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
+ MatchErrKeyWords(
+ "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
+ ).
+ MatchKeyWords(
+ "└── application/vnd.cncf.notary.signature",
+ "└── sha256:",
+ )
+ })
+ })
 })
diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go
index 11045ed6e..8354d8696 100644
--- a/test/e2e/suite/command/sign.go
+++ b/test/e2e/suite/command/sign.go
@@ -78,6 +78,84 @@ var _ = Describe("notation sign", func() { }) }) + It("with force-referrers-tag set", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with referrers tag schema"). + Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag"). + MatchKeyWords(SignSuccessfully) + + OldNotation().WithDescription("verify by tag schema"). + Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("with force-referrers-tag set to false", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag=false"). + MatchKeyWords(SignSuccessfully) + + OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). + Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("with allow-referrers-api set", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.", + ). + MatchKeyWords(SignSuccessfully) + + OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). + Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). 
+ MatchKeyWords(VerifySuccessfully) + }) + }) + + It("with allow-referrers-api set to false", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with referrers tag schema"). + Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api=false"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", + ). + MatchKeyWords(SignSuccessfully) + + OldNotation().WithDescription("verify by tag schema"). + Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("with both force-referrers-tag and allow-referrers-api set", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + ExpectFailure(). + Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag", "--allow-referrers-api"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "[allow-referrers-api force-referrers-tag] were all set", + ) + }) + }) + + It("with allow-referrers-api set and experimental off", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + ExpectFailure(). + Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). + MatchErrKeyWords( + "Error: flag(s) --allow-referrers-api in \"notation sign\" is experimental and not enabled by default.") + }) + }) + It("with specific key", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { const keyName = "sKey" 
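Review bot: In the `with force-referrers-tag set to false` case the signing host is created with `BaseOptionsWithExperimental()` even though `--force-referrers-tag` is not gated behind experimental mode (the inspect.go, list.go and verify.go cases in this patch run it under plain `BaseOptions()`); only the `OldNotation(...)` verify step needs the experimental option, so `Host(BaseOptions(), …)` here would prove the flag works for a default-configured client. That case's verify step passes `--allow-referrers-api`, whose usage text in flags.go says it falls back to the tag schema on 404, so it succeeds whether or not the signature really went through the Referrers API; adding an `OldNotation().ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v")` step (tag-schema only, going by the "verify by tag schema" description used in this file) would make the assertion discriminating, assuming the test registry behaves that way. The `WithDescription("store signature with Referrers API")` on the two `ExpectFailure()` cases is copied from the success cases and misleads when a failure is reported; `"reject conflicting referrers flags"` and `"reject experimental flag when experimental is off"` describe what is asserted. The enclosing Describe starts and ends outside the hunk.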
diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 7df83ee3d..f27384301 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
@@ -63,22 +63,56 @@ var _ = Describe("notation verify", func() { }) }) - It("by digest with the Referrers API", func() { + It("sign with --force-referrers-tag set", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("sign with --force-referrers-tag set to false", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("sign with --allow-referrers-api set", func() { Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", + ). 
MatchKeyWords(VerifySuccessfully) }) }) - It("by digest, sign with the Referrers tag schema, verify with the Referrers API", func() { + It("sign with --allow-referrers-api set to false", func() { Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", + ). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/trustpolicy/trust_store.go b/test/e2e/suite/trustpolicy/trust_store.go index 099801bf3..736917493 100644 --- a/test/e2e/suite/trustpolicy/trust_store.go +++ b/test/e2e/suite/trustpolicy/trust_store.go 
@@ -35,12 +35,12 @@ var _ = Describe("notation trust policy trust store test", func() {
 })
 It("invalid trust store", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("invalid_trust_store_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("the trust store \"invalid_store\" of type \"ca\" does not exist")
 })
 })
@@ -82,14 +82,14 @@ var _ = Describe("notation trust policy trust store test", func() {
 AddTrustPolicyOption("multiple_trust_store_trustpolicy.json"),
 AddTrustStoreOption("e2e-new", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
- EnableExperimental())
+ )
 notation.WithDescription("verify artifact1 with trust store ca/e2e-new").
- Exec("verify", "--allow-referrers-api", artifact1.ReferenceWithDigest(), "-v").
+ Exec("verify", artifact1.ReferenceWithDigest(), "-v").
 MatchKeyWords(VerifySuccessfully)
 notation.WithDescription("verify artifact2 with trust store ca/e2e").
- Exec("verify", "--allow-referrers-api", artifact2.ReferenceWithDigest(), "-v").
+ Exec("verify", artifact2.ReferenceWithDigest(), "-v").
 MatchKeyWords(VerifySuccessfully)
 })
 })
diff --git a/test/e2e/suite/trustpolicy/trusted_identity.go b/test/e2e/suite/trustpolicy/trusted_identity.go
index 8e26477df..2f276a2b4 100644
--- a/test/e2e/suite/trustpolicy/trusted_identity.go
+++ b/test/e2e/suite/trustpolicy/trusted_identity.go
@@ -34,21 +34,21 @@ var _ = Describe("notation trust policy trusted identity test", func() {
 })
 It("with valid trusted identity", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("valid_trusted_identity_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchKeyWords(VerifySuccessfully)
 })
 })
 It("with invalid trusted identity", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("invalid_trusted_identity_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Failure reason: signing certificate from the digital signature does not match the X.509 trusted identities", VerifyFailed)
 })
@@ -89,13 +89,12 @@ var _ = Describe("notation trust policy trusted identity test", func() {
 AddTrustPolicyOption("multiple_trusted_identity_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
- EnableExperimental(),
 )
- notation.Exec("verify", "--allow-referrers-api", artifact1.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact1.ReferenceWithDigest(), "-v").
 MatchKeyWords(VerifySuccessfully)
- notation.Exec("verify", "--allow-referrers-api", artifact2.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact2.ReferenceWithDigest(), "-v").
 MatchKeyWords(VerifySuccessfully)
 })
 })
diff --git a/test/e2e/suite/trustpolicy/verification_level.go b/test/e2e/suite/trustpolicy/verification_level.go
index 938e9a4ab..6ada0259b 100644
--- a/test/e2e/suite/trustpolicy/verification_level.go
+++ b/test/e2e/suite/trustpolicy/verification_level.go
@@ -24,10 +24,10 @@ import (
 var _ = Describe("notation trust policy verification level test", func() {
 It("strict level with expired signature", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 artifact := GenerateArtifact("e2e-expired-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("expiry validation failed.", VerifyFailed)
 })
@@ -40,9 +40,9 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")),
- EnableExperimental())
+ )
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed)
 })
@@ -53,35 +53,35 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
- EnableExperimental())
+ )
 // the artifact signed with a different cert from the cert in
 // trust store.
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("authenticity validation failed", VerifyFailed)
 })
 })
 It("strict level with invalid integrity", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 artifact := GenerateArtifact("e2e-invalid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("integrity validation failed", VerifyFailed)
 })
 })
 It("permissive level with expired signature", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("permissive_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-expired-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("expiry was set to \"log\" and failed with error: digital signature has expired").
 MatchKeyWords(VerifySuccessfully)
 })
@@ -94,9 +94,9 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("permissive_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")),
- EnableExperimental())
+ )
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired").
 MatchKeyWords(VerifySuccessfully)
@@ -108,37 +108,37 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("permissive_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
- EnableExperimental())
+ )
 // the artifact signed with a different cert from the cert in
 // trust store.
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("authenticity validation failed", VerifyFailed)
 })
 })
 It("permissive level with invalid integrity", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("permissive_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-invalid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("integrity validation failed", VerifyFailed)
 })
 })
 It("audit level with expired signature", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("audit_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-expired-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("digital signature has expired", "expiry was set to \"log\"").
 MatchKeyWords(VerifySuccessfully)
@@ -152,9 +152,9 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("audit_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")),
- EnableExperimental())
+ )
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired").
 MatchKeyWords(VerifySuccessfully)
@@ -166,13 +166,13 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("audit_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
- EnableExperimental())
+ )
 // the artifact signed with a different cert from the cert in
 // trust store.
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer").
 MatchKeyWords(VerifySuccessfully)
@@ -180,35 +180,35 @@ var _ = Describe("notation trust policy verification level test", func() {
 })
 It("audit level with invalid integrity", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("audit_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-invalid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("integrity validation failed", VerifyFailed)
 })
 })
 It("skip level with invalid integrity", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("skip_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-invalid-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchKeyWords("Trust policy is configured to skip signature verification")
 })
 })
 It("strict level with Expiry overridden as log level", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("override_strict_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-expired-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("digital signature has expired", "expiry was set to \"log\"").
 MatchKeyWords(VerifySuccessfully)
@@ -222,9 +222,9 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("override_strict_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")),
- EnableExperimental())
+ )
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired").
 MatchKeyWords(VerifySuccessfully)
@@ -236,13 +236,13 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("override_strict_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
- EnableExperimental())
+ )
 // the artifact signed with a different cert from the cert in
 // trust store.
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer").
 MatchKeyWords(VerifySuccessfully)
@@ -250,12 +250,12 @@ var _ = Describe("notation trust policy verification level test", func() {
 })
 It("permissive level with Expiry overridden as enforce level", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("override_permissive_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-expired-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("expiry validation failed.", VerifyFailed)
 })
@@ -270,9 +270,9 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")),
- EnableExperimental())
+ )
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed)
 })
@@ -283,11 +283,11 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("override_permissive_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
- EnableExperimental())
+ )
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer").
 MatchKeyWords(VerifySuccessfully)
@@ -299,22 +299,22 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("override_integrity_for_permissive_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
- EnableExperimental())
+ )
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords(`"integrity" verification can not be overridden in custom signature verification`)
 })
 })
 It("audit level with Expiry overridden as enforce level", func() {
- Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
+ Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
 vhost.SetOption(AddTrustPolicyOption("override_audit_trustpolicy.json"))
 artifact := GenerateArtifact("e2e-expired-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("expiry validation failed.", VerifyFailed)
 })
@@ -329,9 +329,9 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")),
- EnableExperimental())
+ )
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed)
 })
@@ -342,13 +342,13 @@ var _ = Describe("notation trust policy verification level test", func() {
 vhost.SetOption(AuthOption("", ""),
 AddTrustPolicyOption("override_audit_trustpolicy.json"),
 AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")),
- EnableExperimental())
+ )
 // the artifact signed with a different cert from the cert in
 // trust store.
 artifact := GenerateArtifact("e2e-valid-signature", "")
- notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v").
+ notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
 MatchErrKeyWords("authenticity validation failed", VerifyFailed)
 })