From 2e38b37e13d8f49dec6ad441b0b37c5460a74b7d Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 27 Mar 2024 16:58:59 +0800 Subject: [PATCH 01/19] initial commit Signed-off-by: Patrick Zheng --- go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 1edb2e567..22ada5e5c 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/notaryproject/notation -go 1.21 +go 1.22.0 require ( github.com/notaryproject/notation-core-go v1.0.2 @@ -11,7 +11,7 @@ require ( github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 golang.org/x/term v0.18.0 - oras.land/oras-go/v2 v2.4.0 + oras.land/oras-go/v2 v2.5.0 ) require ( diff --git a/go.sum b/go.sum index e2ce1ba36..457f9e309 100644 --- a/go.sum +++ b/go.sum @@ -98,5 +98,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= -oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= +oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c= +oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg= From b726114866a38e1625c319e74099414cfc35402d Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 28 Mar 2024 13:29:06 +0800 Subject: [PATCH 02/19] updated to oci 1.1 
Signed-off-by: Patrick Zheng --- cmd/notation/inspect.go | 21 ++--- cmd/notation/list.go | 22 ++--- cmd/notation/registry.go | 25 +++-- cmd/notation/registry_test.go | 10 -- cmd/notation/sign.go | 15 ++- cmd/notation/verify.go | 13 +-- go.mod | 11 ++- go.sum | 22 +++-- internal/cmd/flags.go | 3 +- specs/commandline/inspect.md | 1 - specs/commandline/list.md | 1 - specs/commandline/sign.md | 8 +- specs/commandline/verify.md | 1 - test/e2e/go.mod | 8 +- test/e2e/go.sum | 19 ++-- test/e2e/plugin/go.mod | 17 ++-- test/e2e/plugin/go.sum | 30 +++--- test/e2e/suite/command/sign.go | 16 ++++ test/e2e/suite/command/verify.go | 14 +-- test/e2e/suite/trustpolicy/trust_store.go | 10 +- .../e2e/suite/trustpolicy/trusted_identity.go | 13 ++- .../suite/trustpolicy/verification_level.go | 92 +++++++++---------- 22 files changed, 182 insertions(+), 190 deletions(-) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index eb442fc46..4d642d067 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -28,7 +28,6 @@ import ( "github.com/notaryproject/notation-go/plugin/proto" "github.com/notaryproject/notation-go/registry" cmderr "github.com/notaryproject/notation/cmd/notation/internal/errors" - "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" "github.com/notaryproject/notation/internal/ioutil" @@ -40,10 +39,9 @@ import ( type inspectOpts struct { cmd.LoggingFlagOpts SecureFlagOpts - reference string - outputFormat string - allowReferrersAPI bool - maxSignatures int + reference string + outputFormat string + maxSignatures int } type inspectOutput struct { 
@@ -83,10 +81,6 @@ Example - Inspect signatures on an OCI artifact identified by a tag (Notation w Example - Inspect signatures on an OCI artifact identified by a digest and output as json: notation inspect --output json /@ -` - experimentalExamples := ` -Example - [Experimental] Inspect signatures on an OCI artifact identified by a digest using the Referrers API, if not supported (returns 404), fallback to the Referrers tag schema - notation inspect --allow-referrers-api /@ ` command := &cobra.Command{ Use: "inspect [reference]", @@ -99,9 +93,6 @@ Example - [Experimental] Inspect signatures on an OCI artifact identified by a d opts.reference = args[0] return nil }, - PreRunE: func(cmd *cobra.Command, args []string) error { - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api") - }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) @@ -114,8 +105,6 @@ Example - [Experimental] Inspect signatures on an OCI artifact identified by a d opts.SecureFlagOpts.ApplyFlags(command.Flags()) cmd.SetPflagOutput(command.Flags(), &opts.outputFormat, cmd.PflagOutputUsage) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "inspect")) - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api"}) return command } 
@@ -129,7 +118,9 @@ func runInspect(command *cobra.Command, opts *inspectOpts) error { // initialize reference := opts.reference - sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, opts.allowReferrersAPI) + // always use the Referrers API, if not supported, automatically fallback to + // the referrers tag schema + sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, true) if err != nil { return err } diff --git a/cmd/notation/list.go b/cmd/notation/list.go index a651386eb..4e6aa451b 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -30,11 +30,10 @@ import ( type listOpts struct { cmd.LoggingFlagOpts SecureFlagOpts - reference string - allowReferrersAPI bool - ociLayout bool - inputType inputType - maxSignatures int + reference string + ociLayout bool + inputType inputType + maxSignatures int } func listCommand(opts *listOpts) *cobra.Command { @@ -52,9 +51,6 @@ Example - List signatures of an OCI artifact identified by a tag (Notation will notation list /: ` experimentalExamples := ` -Example - [Experimental] List signatures of an OCI artifact using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema - notation list --allow-referrers-api /@ - Example - [Experimental] List signatures of an OCI artifact referenced in an OCI layout notation list --oci-layout "@" @@ -77,7 +73,7 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout") + return experimental.CheckFlagsAndWarn(cmd, "oci-layout") }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatures <= 0 { 
@@ -88,11 +84,9 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag } opts.LoggingFlagOpts.ApplyFlags(command.Flags()) opts.SecureFlagOpts.ApplyFlags(command.Flags()) - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "list")) command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] list signatures stored in OCI image layout") - experimental.HideFlags(command, "", []string{"allow-referrers-api", "oci-layout"}) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) + experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } @@ -102,7 +96,9 @@ func runList(ctx context.Context, opts *listOpts) error { // initialize reference := opts.reference - sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, opts.allowReferrersAPI) + // always use the Referrers API, if not supported, automatically fallback to + // the referrers tag schema + sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, true) if err != nil { return err } diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index d4c748a36..60694eefb 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go @@ -21,7 +21,6 @@ import ( "github.com/notaryproject/notation-go/log" notationregistry "github.com/notaryproject/notation-go/registry" - "github.com/notaryproject/notation/cmd/notation/internal/experimental" notationauth "github.com/notaryproject/notation/internal/auth" "github.com/notaryproject/notation/internal/httputil" "github.com/notaryproject/notation/pkg/configutil" 
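Review bot: Dropping the `allow-referrers-api` registration in listCommand (and likewise in inspectCommand and verifyCommand) turns any existing invocation that still passes the flag into an unknown-flag error. For `notation verify` that means a pipeline gate starts failing for a reason unrelated to the signature itself. Failing closed is the safe direction, but if a softer transition is wanted the flag can stay registered as a deprecated no-op: `command.Flags().Bool(cmd.PflagReferrersAPI.Name, false, "")` followed by `_ = command.Flags().MarkDeprecated(cmd.PflagReferrersAPI.Name, "the Referrers API is now always tried first")`. The flag was marked experimental, so hard removal may be acceptable under the project's policy, in which case it deserves an explicit line in the release notes.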
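Review bot: The new comment in runList says the Referrers API is always used, but the call goes through getRepository, which also serves `inputTypeOCILayout`, where the `true` argument presumably has no effect. The same comment is copied into runVerify. I would word it as `// registry input: try the Referrers API first, fall back to the referrers tag schema when the registry does not support it`, and add `// the argument is ignored for OCI layout input` once that is confirmed against getRepository's layout branch, which is only partly visible in this patch. A named constant in place of the bare `true` at the three read call sites (runInspect, runList, runVerify) would keep them from drifting apart.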
@@ -41,10 +40,10 @@ const ( // getRepository returns a notationregistry.Repository given user input // type and user input reference -func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, allowReferrersAPI bool) (notationregistry.Repository, error) { +func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, useReferrersAPI bool) (notationregistry.Repository, error) { switch inputType { case inputTypeRegistry: - return getRemoteRepository(ctx, opts, reference, allowReferrersAPI) + return getRemoteRepository(ctx, opts, reference, useReferrersAPI) case inputTypeOCILayout: layoutPath, _, err := parseOCILayoutReference(reference) if err != nil { 
@@ -57,17 +56,17 @@ func getRepository(ctx context.Context, inputType inputType, reference string, o } // getRemoteRepository returns a registry.Repository. -// When experimental feature is disabled OR allowReferrersAPI is not set, -// Notation always uses referrers tag schema to store and consume signatures -// by default. -// When experimental feature is enabled AND allowReferrersAPI is set, Notation -// tries the Referrers API, if not supported, fallback to use the Referrers -// tag schema. +// When useReferrersAPI is set, Notation tries the Referrers API, +// if not supported, fallback to use the Referrers tag schema. This flag is +// always set when verify/list/inspect signatures. +// +// When useReferrersAPI is not set, Notation uses referrers tag schema +// to store signatures by default. // // References: -// https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers -// https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#referrers-tag-schema -func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, allowReferrersAPI bool) (notationregistry.Repository, error) { +// https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers +// https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#referrers-tag-schema +func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, useReferrersAPI bool) (notationregistry.Repository, error) { logger := log.GetLogger(ctx) ref, err := registry.ParseReference(reference) if err != nil { @@ -82,7 +81,7 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st return nil, err } - if !experimental.IsDisabled() && allowReferrersAPI { + if useReferrersAPI { logger.Info("Trying to use the referrers API") } else { logger.Info("Using the referrers tag schema") 
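Review bot: The rewritten doc comment on getRemoteRepository says the flag "is always set when verify/list/inspect signatures", which documents the callers rather than this function and will go stale unnoticed if a caller changes. I would replace that sentence with `// Callers that read signatures (verify, list, inspect) pass true; sign passes the value of --allow-referrers-api.` The comment could also state that the fallback is triggered by the registry's response (the 404 case named in the flag help), since that decides where signatures are looked up during verification. The function body continues outside the hunk, so the code that actually applies useReferrersAPI to the repository is not visible here.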
diff --git a/cmd/notation/registry_test.go b/cmd/notation/registry_test.go index 5d5526a1f..ac915eb1c 100644 --- a/cmd/notation/registry_test.go +++ b/cmd/notation/registry_test.go @@ -19,8 +19,6 @@ import ( "net/http/httptest" "net/url" "testing" - - "github.com/notaryproject/notation/cmd/notation/internal/experimental" ) const ( @@ -28,10 +26,6 @@ const ( ) func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) { - t.Setenv("NOTATION_EXPERIMENTAL", "1") - if experimental.IsDisabled() { - t.Fatal("failed to enable experimental") - } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest { w.WriteHeader(http.StatusOK) @@ -56,10 +50,6 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) { } func TestRegistry_getRemoteRepositoryWithReferrersAPINotSupported(t *testing.T) { - t.Setenv("NOTATION_EXPERIMENTAL", "1") - if experimental.IsDisabled() { - t.Fatal("failed to enable experimental") - } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest { w.WriteHeader(http.StatusNotFound) diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 5a1c5c8f7..b5ab4d01c 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go 
@@ -72,11 +72,11 @@ Example - Sign an OCI artifact identified by a tag (Notation will resolve tag to Example - Sign an OCI artifact stored in a registry and specify the signature expiry duration, for example 24 hours notation sign --expiry 24h /@ + +Example - Sign an OCI artifact and store signature using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema + notation sign --allow-referrers-api /@ ` experimentalExamples := ` -Example - [Experimental] Sign an OCI artifact and store signature using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema - notation sign --allow-referrers-api /@ - Example - [Experimental] Sign an OCI artifact referenced in an OCI layout notation sign --oci-layout "@" @@ -99,7 +99,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout") + return experimental.CheckFlagsAndWarn(cmd, "oci-layout") }, RunE: func(cmd *cobra.Command, args []string) error { return runSign(cmd, opts) 
@@ -111,10 +111,10 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagExpiry(command.Flags(), &opts.expiry) cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig) cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage) - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign")) + cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, "use the Referrers API to store signatures, if not supported (returns 404), fallback to the Referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") command.MarkFlagsMutuallyExclusive("oci-layout", "allow-referrers-api") - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) + experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } @@ -127,9 +127,6 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { if err != nil { return err } - if cmdOpts.allowReferrersAPI { - fmt.Fprintln(os.Stderr, "Warning: using the Referrers API to store signature. On success, must set the `--allow-referrers-api` flag to list, inspect, and verify the signature.") - } sigRepo, err := getRepository(ctx, cmdOpts.inputType, cmdOpts.reference, &cmdOpts.SecureFlagOpts, cmdOpts.allowReferrersAPI) if err != nil { return err diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 2ac0b9f48..ca8ea1adb 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -36,7 +36,6 @@ type verifyOpts struct { reference string pluginConfig []string userMetadata []string - allowReferrersAPI bool ociLayout bool trustPolicyScope string inputType inputType 
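Review bot: The usage string now inlined in signCommand reads "use the Referrers API to store signatures, if not supported …", while the `--allow-referrers-api` line in specs/commandline/sign.md, updated by this same patch, says "store signatures in the registry"; the help output and the spec should match. I suggest `cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, "use the Referrers API to store signatures in the registry, if not supported (returns 404), fallback to the Referrers tag schema")`, ideally through a named constant next to PflagReferrersAPI in internal/cmd/flags.go rather than a literal at the call site. Note also that sign still defaults to the tag schema while verify, list and inspect now always try the Referrers API first. An e2e case for "signed without the flag, verified against a registry that supports the Referrers API" would guard that pairing, if the suite does not already have one.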
@@ -60,9 +59,6 @@ Example - Verify a signature on an OCI artifact identified by a tag (Notation w notation verify /: ` experimentalExamples := ` -Example - [Experimental] Verify an OCI artifact using the Referrers API, if not supported (returns 404), fallback to the Referrers tag schema - notation verify --allow-referrers-api /@ - Example - [Experimental] Verify a signature on an OCI artifact referenced in an OCI layout using trust policy statement specified by scope. notation verify --oci-layout /@ --scope @@ -84,7 +80,7 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout", "scope") + return experimental.CheckFlagsAndWarn(cmd, "oci-layout", "scope") }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatureAttempts <= 0 { 
@@ -98,11 +94,10 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t command.Flags().StringArrayVar(&opts.pluginConfig, "plugin-config", nil, "{key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values") cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataVerifyUsage) command.Flags().IntVar(&opts.maxSignatureAttempts, "max-signatures", 100, "maximum number of signatures to evaluate or examine") - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "verify")) command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] verify the artifact stored as OCI image layout") command.Flags().StringVar(&opts.trustPolicyScope, "scope", "", "[Experimental] set trust policy scope for artifact verification, required and can only be used when flag \"--oci-layout\" is set") command.MarkFlagsRequiredTogether("oci-layout", "scope") - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout", "scope"}) + experimental.HideFlags(command, experimentalExamples, []string{"oci-layout", "scope"}) return command } @@ -130,7 +125,9 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { // core verify process reference := opts.reference - sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, opts.allowReferrersAPI) + // always use the Referrers API, if not supported, automatically fallback to + // the referrers tag schema + sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, true) if err != nil { return err } diff --git a/go.mod b/go.mod index 22ada5e5c..1454a85c4 100644 --- a/go.mod +++ b/go.mod 
@@ -3,8 +3,8 @@ module github.com/notaryproject/notation go 1.22.0 require ( - github.com/notaryproject/notation-core-go v1.0.2 - github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb + github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e + github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 github.com/sirupsen/logrus v1.9.3 @@ -16,16 +16,17 @@ require ( require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect - github.com/fxamacker/cbor/v2 v2.5.0 // indirect + github.com/fxamacker/cbor/v2 v2.6.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-ldap/ldap/v3 v3.4.6 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.18.0 // indirect - golang.org/x/mod v0.14.0 // indirect + golang.org/x/crypto v0.21.0 // indirect + golang.org/x/mod v0.16.0 // indirect golang.org/x/sync v0.6.0 // indirect golang.org/x/sys v0.18.0 // indirect ) diff --git a/go.sum b/go.sum index 457f9e309..18ea7a618 100644 --- a/go.sum +++ b/go.sum 
@@ -6,8 +6,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= -github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= 
@@ -18,10 +18,12 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= -github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb h1:OVkHyQD0O8hTsuDPzdpgdteHDN9ormV5M3/pi9ka4II= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb/go.mod h1:v0e8Y7gEzTtx7aNw3tG6da7atr59JRdePVMMkTGNXzA= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 h1:KgZXNSRfwdwO3EpI3ctDM3lWWDuP8V1Tf0D55J2+EBo= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8/go.mod h1:BEK6ix7+AEqnDQwXlcic+E1gf0YUGZR52HUsgViJ8Ns= +github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= +github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -49,12 +51,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 8d93e6708..5ae48a0b0 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go 
@@ -109,8 +109,7 @@ var ( PflagReferrersAPI = &pflag.Flag{ Name: "allow-referrers-api", } - PflagReferrersUsageFormat = "[Experimental] use the Referrers API to %s signatures, if not supported (returns 404), fallback to the Referrers tag schema" - SetPflagReferrersAPI = func(fs *pflag.FlagSet, p *bool, usage string) { + SetPflagReferrersAPI = func(fs *pflag.FlagSet, p *bool, usage string) { fs.BoolVar(p, PflagReferrersAPI.Name, false, usage) } diff --git a/specs/commandline/inspect.md b/specs/commandline/inspect.md index 5dc9b334d..b068bff2c 100644 --- a/specs/commandline/inspect.md +++ b/specs/commandline/inspect.md @@ -36,7 +36,6 @@ Usage: notation inspect [flags] Flags: - --allow-referrers-api [Experimental] use the Referrers API to inspect signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for inspect --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/specs/commandline/list.md b/specs/commandline/list.md index d73be9758..2540633d0 100644 --- a/specs/commandline/list.md +++ b/specs/commandline/list.md @@ -27,7 +27,6 @@ Aliases: list, ls Flags: - --allow-referrers-api [Experimental] use the Referrers API to list signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for list --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index 1bb445797..ccfcff984 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
@@ -30,7 +30,7 @@ Usage: notation sign [flags] Flags: - --allow-referrers-api [Experimental] use the Referrers API to store signatures in the registry, if not supported (returns 404), fallback to the Referrers tag schema + --allow-referrers-api use the Referrers API to store signatures in the registry, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m -h, --help help for sign @@ -190,6 +190,6 @@ notation list --oci-layout hello-world@sha256:xxx ``` [oci-artifact-manifest]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/artifact.md -[oci-image-spec]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/spec.md -[oci-referers-api]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers -[oci-image-layout]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/image-layout.md +[oci-image-spec]: https://github.com/opencontainers/image-spec/blob/v1.1.0/spec.md +[oci-referers-api]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers +[oci-image-layout]: https://github.com/opencontainers/image-spec/blob/v1.1.0/image-layout.md diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index 943e7bcd3..fa56fdc94 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -38,7 +38,6 @@ Usage: notation verify [flags] Flags: - --allow-referrers-api [Experimental] use the Referrers API to verify signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for verify --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 450b1352a..5f5e8be8b 100644 --- a/test/e2e/go.mod 
+++ b/test/e2e/go.mod @@ -1,17 +1,17 @@ module github.com/notaryproject/notation/test/e2e -go 1.20 +go 1.21 require ( - github.com/notaryproject/notation-core-go v1.0.2 + github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 - github.com/opencontainers/image-spec v1.1.0-rc6 + github.com/opencontainers/image-spec v1.1.0 oras.land/oras-go/v2 v2.4.0 ) require ( - github.com/fxamacker/cbor/v2 v2.5.0 // indirect + github.com/fxamacker/cbor/v2 v2.6.0 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/google/go-cmp v0.5.9 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 930892729..068057a4c 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
@@ -1,38 +1,42 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= -github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9tRnGuw+ZVCB3FazXODD6JE1R8= github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= -github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= -github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo= +github.com/notaryproject/notation-core-go 
v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o= github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.21.0 
h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= @@ -44,6 +48,7 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 465f6c3ce..961688ca4 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod 
@@ -1,29 +1,30 @@ module github.com/notaryproject/notation/test/e2e/plugin -go 1.20 +go 1.21 require ( github.com/golang-jwt/jwt v3.2.2+incompatible - github.com/notaryproject/notation-core-go v1.0.2 - github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb + github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e + github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 github.com/spf13/cobra v1.7.0 ) require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect - github.com/fxamacker/cbor/v2 v2.5.0 // indirect + github.com/fxamacker/cbor/v2 v2.6.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-ldap/ldap/v3 v3.4.6 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc6 // indirect + github.com/opencontainers/image-spec v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/crypto v0.18.0 // indirect - golang.org/x/mod v0.14.0 // indirect + golang.org/x/crypto v0.21.0 // indirect + golang.org/x/mod v0.16.0 // indirect golang.org/x/sync v0.6.0 // indirect - oras.land/oras-go/v2 v2.4.0 // indirect + oras.land/oras-go/v2 v2.5.0 // indirect ) diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum index 2ebbff354..6d924d226 100644 --- a/test/e2e/plugin/go.sum +++ b/test/e2e/plugin/go.sum 
@@ -6,8 +6,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= -github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= 
@@ -20,14 +20,16 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw= -github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb h1:OVkHyQD0O8hTsuDPzdpgdteHDN9ormV5M3/pi9ka4II= -github.com/notaryproject/notation-go v1.1.1-0.20240201073933-4606472ebdcb/go.mod h1:v0e8Y7gEzTtx7aNw3tG6da7atr59JRdePVMMkTGNXzA= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo= +github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 h1:KgZXNSRfwdwO3EpI3ctDM3lWWDuP8V1Tf0D55J2+EBo= +github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8/go.mod h1:BEK6ix7+AEqnDQwXlcic+E1gf0YUGZR52HUsgViJ8Ns= +github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= +github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= 
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -48,12 +50,12 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -92,5 +94,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= -oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8= +oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c= +oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg= diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 11045ed6e..408318204 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -78,6 +78,22 @@ var _ = Describe("notation sign", func() { }) }) + It("by digest, with Referrers API", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). + MatchKeyWords(SignSuccessfully) + }) + }) + + It("by tag, with Referrers API", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + Exec("sign", artifact.ReferenceWithTag(), "--allow-referrers-api"). + MatchKeyWords(SignSuccessfully) + }) + }) + It("with specific key", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { const keyName = "sKey" diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 7df83ee3d..5aaa3a92e 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
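Review bot: Both cases added to sign.go assert only `MatchKeyWords(SignSuccessfully)`, so the claim in their description, "store signature with Referrers API", is never checked; they would pass equally if the signature were stored some other way. A round trip after the sign call would at least prove the stored signature can be discovered again: `notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").MatchKeyWords(VerifySuccessfully)`. If the test registry can be inspected from the harness, an assertion on how the signature was stored would make the titles accurate. The enclosing `Describe` block starts and ends outside the hunk.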
@@ -63,22 +63,22 @@ var _ = Describe("notation verify", func() { }) }) - It("by digest with the Referrers API", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + It("by digest, sign with the Referrers API", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) - It("by digest, sign with the Referrers tag schema, verify with the Referrers API", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", artifact.ReferenceWithDigest()). + It("by tag, sign with the Referrers API", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithTag(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/trustpolicy/trust_store.go b/test/e2e/suite/trustpolicy/trust_store.go index 099801bf3..736917493 100644 --- a/test/e2e/suite/trustpolicy/trust_store.go +++ b/test/e2e/suite/trustpolicy/trust_store.go 
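Review bot: The case retitled "by tag, sign with the Referrers API" still signs with `artifact.ReferenceWithDigest()`; only the verify call uses `artifact.ReferenceWithTag()`, so the title does not say which step is by tag. A title such as `It("verify by tag, signed by digest with the Referrers API", ...)` would remove the ambiguity, or a comment above the sign call could say `// sign by digest; only verification resolves the tag`. Verification through a mutable tag is the weaker of the two paths, so if the CLI prints a warning for tag references, matching it here with `MatchErrKeyWords` would pin that behaviour. The `Describe` block continues outside the hunk.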
@@ -35,12 +35,12 @@ var _ = Describe("notation trust policy trust store test", func() { }) It("invalid trust store", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("invalid_trust_store_trustpolicy.json")) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("the trust store \"invalid_store\" of type \"ca\" does not exist") }) }) @@ -82,14 +82,14 @@ var _ = Describe("notation trust policy trust store test", func() { AddTrustPolicyOption("multiple_trust_store_trustpolicy.json"), AddTrustStoreOption("e2e-new", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), - EnableExperimental()) + ) notation.WithDescription("verify artifact1 with trust store ca/e2e-new"). - Exec("verify", "--allow-referrers-api", artifact1.ReferenceWithDigest(), "-v"). + Exec("verify", artifact1.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) notation.WithDescription("verify artifact2 with trust store ca/e2e"). - Exec("verify", "--allow-referrers-api", artifact2.ReferenceWithDigest(), "-v"). + Exec("verify", artifact2.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/trustpolicy/trusted_identity.go b/test/e2e/suite/trustpolicy/trusted_identity.go index 8e26477df..2f276a2b4 100644 --- a/test/e2e/suite/trustpolicy/trusted_identity.go +++ b/test/e2e/suite/trustpolicy/trusted_identity.go 
@@ -34,21 +34,21 @@ var _ = Describe("notation trust policy trusted identity test", func() { }) It("with valid trusted identity", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("valid_trusted_identity_trustpolicy.json")) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) It("with invalid trusted identity", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("invalid_trusted_identity_trustpolicy.json")) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Failure reason: signing certificate from the digital signature does not match the X.509 trusted identities", VerifyFailed) }) 
@@ -89,13 +89,12 @@ var _ = Describe("notation trust policy trusted identity test", func() { AddTrustPolicyOption("multiple_trusted_identity_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), - EnableExperimental(), ) - notation.Exec("verify", "--allow-referrers-api", artifact1.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact1.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) - notation.Exec("verify", "--allow-referrers-api", artifact2.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact2.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/trustpolicy/verification_level.go b/test/e2e/suite/trustpolicy/verification_level.go index 938e9a4ab..6ada0259b 100644 --- a/test/e2e/suite/trustpolicy/verification_level.go +++ b/test/e2e/suite/trustpolicy/verification_level.go @@ -24,10 +24,10 @@ import ( var _ = Describe("notation trust policy verification level test", func() { It("strict level with expired signature", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { artifact := GenerateArtifact("e2e-expired-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry validation failed.", VerifyFailed) }) 
@@ -40,9 +40,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - EnableExperimental()) + ) - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed) }) 
@@ -53,35 +53,35 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - EnableExperimental()) + ) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticity validation failed", VerifyFailed) }) }) It("strict level with invalid integrity", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("integrity validation failed", VerifyFailed) }) }) It("permissive level with expired signature", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("permissive_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry was set to \"log\" and failed with error: digital signature has expired"). MatchKeyWords(VerifySuccessfully) }) 
@@ -94,9 +94,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - EnableExperimental()) + ) - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). MatchKeyWords(VerifySuccessfully) 
@@ -108,37 +108,37 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - EnableExperimental()) + ) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticity validation failed", VerifyFailed) }) }) It("permissive level with invalid integrity", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("permissive_trustpolicy.json")) artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("integrity validation failed", VerifyFailed) }) }) It("audit level with expired signature", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("audit_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("digital signature has expired", "expiry was set to \"log\""). MatchKeyWords(VerifySuccessfully) 
@@ -152,9 +152,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("audit_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - EnableExperimental()) + ) - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). MatchKeyWords(VerifySuccessfully) @@ -166,13 +166,13 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("audit_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - EnableExperimental()) + ) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer"). MatchKeyWords(VerifySuccessfully) 
@@ -180,35 +180,35 @@ var _ = Describe("notation trust policy verification level test", func() { }) It("audit level with invalid integrity", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("audit_trustpolicy.json")) artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("integrity validation failed", VerifyFailed) }) }) It("skip level with invalid integrity", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("skip_trustpolicy.json")) artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords("Trust policy is configured to skip signature verification") }) }) It("strict level with Expiry overridden as log level", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("override_strict_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("digital signature has expired", "expiry was set to \"log\""). 
MatchKeyWords(VerifySuccessfully) @@ -222,9 +222,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_strict_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - EnableExperimental()) + ) - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). MatchKeyWords(VerifySuccessfully) @@ -236,13 +236,13 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_strict_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - EnableExperimental()) + ) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer"). MatchKeyWords(VerifySuccessfully) 
@@ -250,12 +250,12 @@ var _ = Describe("notation trust policy verification level test", func() { }) It("permissive level with Expiry overridden as enforce level", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("override_permissive_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry validation failed.", VerifyFailed) }) @@ -270,9 +270,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - EnableExperimental()) + ) - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed) }) @@ -283,11 +283,11 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - EnableExperimental()) + ) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer"). MatchKeyWords(VerifySuccessfully) 
@@ -299,22 +299,22 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_integrity_for_permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - EnableExperimental()) + ) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords(`"integrity" verification can not be overridden in custom signature verification`) }) }) It("audit level with Expiry overridden as enforce level", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("override_audit_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry validation failed.", VerifyFailed) }) @@ -329,9 +329,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - EnableExperimental()) + ) - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed) }) 
@@ -342,13 +342,13 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_audit_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - EnableExperimental()) + ) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticity validation failed", VerifyFailed) }) From 813b7a3865480d6d56c35ecc60bade2f43485f01 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 28 Mar 2024 13:35:30 +0800 Subject: [PATCH 03/19] go version Signed-off-by: Patrick Zheng --- .github/workflows/build.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/release-github.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 90a371888..16a1b833a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cb636304c..6086f6db8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: security-events: write strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: false steps: - name: Checkout repository diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 8bde5c193..2144822a1 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml 
@@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} From 1f26a0b8871959a2adb1e88701ca3aa7d25b614b Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 28 Mar 2024 13:47:57 +0800 Subject: [PATCH 04/19] fix e2e test Signed-off-by: Patrick Zheng --- test/e2e/plugin/generate_signature.go | 9 +++++---- test/e2e/plugin/go.mod | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/test/e2e/plugin/generate_signature.go b/test/e2e/plugin/generate_signature.go index 71e5ee7f2..3ef4eaf87 100644 --- a/test/e2e/plugin/generate_signature.go +++ b/test/e2e/plugin/generate_signature.go @@ -22,6 +22,7 @@ import ( "github.com/golang-jwt/jwt" "github.com/notaryproject/notation-core-go/signature" "github.com/notaryproject/notation-go/plugin/proto" + "github.com/notaryproject/notation-plugin-framework-go/plugin" "github.com/notaryproject/notation/test/e2e/plugin/internal/io" "github.com/notaryproject/notation/test/e2e/plugin/mock" "github.com/spf13/cobra" @@ -88,10 +89,10 @@ func runGenerateSignature(req *proto.GenerateSignatureRequest) error { if err != nil { return &proto.RequestError{Code: proto.ErrorCodeGeneric, Err: err} } - resp := &proto.GenerateSignatureResponse{ + resp := &plugin.GenerateSignatureResponse{ KeyID: req.KeyID, Signature: rawSig, - SigningAlgorithm: string(signingAlg), + SigningAlgorithm: signingAlg, CertificateChain: toRawCerts(certs), } @@ -155,7 +156,7 @@ func validateGenerateSignatureRequest(req proto.GenerateSignatureRequest) error } // updateGenerateSignatureResponse tampers the response to test various cases. -func updateGenerateSignatureResponse(req *proto.GenerateSignatureRequest, resp *proto.GenerateSignatureResponse) { +func updateGenerateSignatureResponse(req *plugin.GenerateSignatureRequest, resp *plugin.GenerateSignatureResponse) { if v, ok := req.PluginConfig[mock.TamperKeyID]; ok { resp.KeyID = v } 
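Review bot: After this change generate_signature.go mixes `proto.` and `plugin.` names for what look like the same messages. `runGenerateSignature` and `validateGenerateSignatureRequest` still take `proto.GenerateSignatureRequest`, while `updateGenerateSignatureResponse` now takes `*plugin.GenerateSignatureRequest` and the response is built as `&plugin.GenerateSignatureResponse{`. This presumably compiles only because the bumped notation-go aliases the proto types to the plugin-framework ones, so either switch the remaining signatures to `plugin.` or add a comment stating the alias. In the following `@@ -165` hunk, `plugin.SignatureAlgorithm(v)` converts an arbitrary config string with no validation, which deserves a comment such as `// deliberately unvalidated: this mock tampers the response on purpose`. All three functions extend outside their hunks.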
@@ -165,7 +166,7 @@ func updateGenerateSignatureResponse(req *proto.GenerateSignatureRequest, resp * } if v, ok := req.PluginConfig[mock.TamperSignatureAlgorithm]; ok { - resp.SigningAlgorithm = v + resp.SigningAlgorithm = plugin.SignatureAlgorithm(v) } if v, ok := req.PluginConfig[mock.TamperCertificateChain]; ok { diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod index 961688ca4..fe9772dcd 100644 --- a/test/e2e/plugin/go.mod +++ b/test/e2e/plugin/go.mod @@ -6,6 +6,7 @@ require ( github.com/golang-jwt/jwt v3.2.2+incompatible github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e github.com/notaryproject/notation-go v1.1.1-0.20240327165254-57ff8e68a0a8 + github.com/notaryproject/notation-plugin-framework-go v1.0.0 github.com/spf13/cobra v1.7.0 ) @@ -17,7 +18,6 @@ require ( github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect From 3267b3466e991463206f9111c38c0e120d605225 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 28 Mar 2024 13:56:19 +0800 Subject: [PATCH 05/19] update Signed-off-by: Patrick Zheng --- building.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/building.md b/building.md index 44109c632..0a5d81b22 100644 --- a/building.md +++ b/building.md @@ -4,7 +4,7 @@ The notation repo contains the following: - `notation` - A CLI for signing and verifying artifacts with Notation -Building above binaries require [golang](https://golang.org/dl/) with version `>= 1.20`. +Building above binaries require [golang](https://golang.org/dl/) with version `>= 1.21`. ## Windows with WSL or Linux From 33b1a29d4f6d9ee3b8f2395965dabd74368b3fb5 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Thu, 28 Mar 2024 14:28:06 +0800 Subject: [PATCH 06/19] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 1454a85c4..c72bbea49 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/notaryproject/notation -go 1.22.0 +go 1.22 require ( github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e From a0d2a4c7f9ecf2e5137a82731943bb64e977a5a3 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 29 Mar 2024 09:51:33 +0800 Subject: [PATCH 07/19] update Signed-off-by: Patrick Zheng --- .github/workflows/build.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/release-github.yml | 2 +- go.mod | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8b0840a84..260609740 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: ['1.22'] + go-version: ['1.20'] fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 84c7a6136..ede07273a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: security-events: write strategy: matrix: - go-version: ['1.22'] + go-version: ['1.20'] fail-fast: false steps: - name: Checkout repository diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 2144822a1..8bde5c193 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - go-version: ['1.22'] + go-version: ['1.20'] fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} diff --git a/go.mod b/go.mod index c72bbea49..c0579705f 100644 --- a/go.mod +++ b/go.mod 
@@ -1,6 +1,6 @@ module github.com/notaryproject/notation -go 1.22 +go 1.21 require ( github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e From 3d53087969bcc111cdfd4781816b660e220577c8 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Fri, 29 Mar 2024 09:56:45 +0800 Subject: [PATCH 08/19] fix CI Signed-off-by: Patrick Zheng --- .github/workflows/build.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/release-github.yml | 2 +- go.mod | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 260609740..8b0840a84 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ede07273a..84c7a6136 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: security-events: write strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: false steps: - name: Checkout repository diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 8bde5c193..2144822a1 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - go-version: ['1.20'] + go-version: ['1.22'] fail-fast: true steps: - name: Set up Go ${{ matrix.go-version }} diff --git a/go.mod b/go.mod index c0579705f..c72bbea49 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/notaryproject/notation -go 1.21 +go 1.22 require ( github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e From e287a207f8ffa5f72bcdc84423a4da7743119788 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Tue, 2 Apr 2024 15:18:35 +0800 Subject: [PATCH 09/19] added --force-referrers-tag Signed-off-by: Patrick Zheng --- cmd/notation/inspect.go | 2 +- cmd/notation/list.go | 2 +- cmd/notation/registry.go | 25 +++++++++++++------------ cmd/notation/sign.go | 10 +++++----- cmd/notation/sign_test.go | 4 ++-- cmd/notation/verify.go | 2 +- internal/cmd/flags.go | 8 ++++---- specs/commandline/sign.md | 2 +- test/e2e/suite/command/sign.go | 10 +++++----- test/e2e/suite/command/verify.go | 6 +++--- 10 files changed, 36 insertions(+), 35 deletions(-) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index 4d642d067..7cb5c0620 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -120,7 +120,7 @@ func runInspect(command *cobra.Command, opts *inspectOpts) error { reference := opts.reference // always use the Referrers API, if not supported, automatically fallback to // the referrers tag schema - sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, true) + sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, false) if err != nil { return err } diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 4e6aa451b..1b9c1c477 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -98,7 +98,7 @@ func runList(ctx context.Context, opts *listOpts) error { reference := opts.reference // always use the Referrers API, if not supported, automatically fallback to // the referrers tag schema - sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, true) + sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, false) if err != nil { return err } diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index 60694eefb..54c829e6c 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go 
@@ -40,10 +40,10 @@ const ( // getRepository returns a notationregistry.Repository given user input // type and user input reference -func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, useReferrersAPI bool) (notationregistry.Repository, error) { +func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, forceReferrersTag bool) (notationregistry.Repository, error) { switch inputType { case inputTypeRegistry: - return getRemoteRepository(ctx, opts, reference, useReferrersAPI) + return getRemoteRepository(ctx, opts, reference, forceReferrersTag) case inputTypeOCILayout: layoutPath, _, err := parseOCILayoutReference(reference) if err != nil { 
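Review bot: The last positional `bool` of `getRepository` and `getRemoteRepository` keeps its type but inverts its meaning (`useReferrersAPI` → `forceReferrersTag`), so any call site that is not flipped still compiles and silently selects the other signature-storage scheme. The four callers in this commit are updated, but nothing guards future or out-of-tree callers. A verifier that looks in the wrong place would presumably find no signatures and fail. The doc comment on `getRepository` also does not mention the parameter; add a line such as `// forceReferrersTag only applies to inputTypeRegistry; see getRemoteRepository.` Consider a small named type or two constants instead of a bare `true`/`false` at the call sites.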
@@ -56,17 +56,18 @@ func getRepository(ctx context.Context, inputType inputType, reference string, o } // getRemoteRepository returns a registry.Repository. -// When useReferrersAPI is set, Notation tries the Referrers API, -// if not supported, fallback to use the Referrers tag schema. This flag is -// always set when verify/list/inspect signatures. +// When forceReferrersTag is set, Notation will always generate an image index +// according to the Referrers tag schema to store signature. // -// When useReferrersAPI is not set, Notation uses referrers tag schema -// to store signatures by default. +// When forceReferrersTag is not set, Notation will first try to store the +// signature as a referrer according to the Referrers API. If the Referrers API +// is not supported, fallback to use the referrers tag schema. +// This flag is always NOT set when verify/list/inspect signatures. // // References: // https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers // https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#referrers-tag-schema -func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, useReferrersAPI bool) (notationregistry.Repository, error) { +func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, forceReferrersTag bool) (notationregistry.Repository, error) { logger := log.GetLogger(ctx) ref, err := registry.ParseReference(reference) if err != nil { 
@@ -81,13 +82,13 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st return nil, err } - if useReferrersAPI { - logger.Info("Trying to use the referrers API") - } else { - logger.Info("Using the referrers tag schema") + if forceReferrersTag { + logger.Info("Generating the referrers tag schema") if err := remoteRepo.SetReferrersCapability(false); err != nil { return nil, err } + } else { + logger.Info("Check and use the Referrers API first if possible") } return notationregistry.NewRepository(remoteRepo), nil } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index b5ab4d01c..5a978d682 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -40,7 +40,7 @@ type signOpts struct { pluginConfig []string userMetadata []string reference string - allowReferrersAPI bool + forceReferrersTag bool ociLayout bool inputType inputType } @@ -74,7 +74,7 @@ Example - Sign an OCI artifact stored in a registry and specify the signature ex notation sign --expiry 24h /@ Example - Sign an OCI artifact and store signature using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema - notation sign --allow-referrers-api /@ + notation sign --force-referrers-tag /@ ` experimentalExamples := ` Example - [Experimental] Sign an OCI artifact referenced in an OCI layout 
@@ -111,9 +111,9 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagExpiry(command.Flags(), &opts.expiry) cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig) cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage) - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, "use the Referrers API to store signatures, if not supported (returns 404), fallback to the Referrers tag schema") + cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") - command.MarkFlagsMutuallyExclusive("oci-layout", "allow-referrers-api") + command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag") experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } @@ -127,7 +127,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { if err != nil { return err } - sigRepo, err := getRepository(ctx, cmdOpts.inputType, cmdOpts.reference, &cmdOpts.SecureFlagOpts, cmdOpts.allowReferrersAPI) + sigRepo, err := getRepository(ctx, cmdOpts.inputType, cmdOpts.reference, &cmdOpts.SecureFlagOpts, cmdOpts.forceReferrersTag) if err != nil { return err } diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index 77c4c5540..3540829f5 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -67,7 +67,7 @@ func TestSignCommand_MoreArgs(t *testing.T) { SignatureFormat: envelope.COSE, }, expiry: 24 * time.Hour, - allowReferrersAPI: true, + forceReferrersTag: true, } if err := command.ParseFlags([]string{ expected.reference, 
@@ -77,7 +77,7 @@ func TestSignCommand_MoreArgs(t *testing.T) { "--insecure-registry", "--signature-format", expected.SignerFlagOpts.SignatureFormat, "--expiry", expected.expiry.String(), - "--allow-referrers-api"}); err != nil { + "--force-referrers-tag"}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index ca8ea1adb..b40720f5f 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -127,7 +127,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error { reference := opts.reference // always use the Referrers API, if not supported, automatically fallback to // the referrers tag schema - sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, true) + sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, false) if err != nil { return err } diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 5ae48a0b0..8763d95ce 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -106,11 +106,11 @@ var ( fs.StringArrayVarP(p, PflagUserMetadata.Name, PflagUserMetadata.Shorthand, nil, usage) } - PflagReferrersAPI = &pflag.Flag{ - Name: "allow-referrers-api", + PflagReferrersTag = &pflag.Flag{ + Name: "force-referrers-tag", } - SetPflagReferrersAPI = func(fs *pflag.FlagSet, p *bool, usage string) { - fs.BoolVar(p, PflagReferrersAPI.Name, false, usage) + SetPflagReferrersTag = func(fs *pflag.FlagSet, p *bool, usage string) { + fs.BoolVar(p, PflagReferrersTag.Name, true, usage) } PflagOutput = &pflag.Flag{ diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index ccfcff984..f7e9577ae 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
@@ -30,7 +30,7 @@ Usage: notation sign [flags] Flags: - --allow-referrers-api use the Referrers API to store signatures in the registry, if not supported (returns 404), fallback to the Referrers tag schema + --force-referrers-tag force to store signatures using the referrers tag schema (default true) -d, --debug debug mode -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m -h, --help help for sign diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 408318204..5bf7e3b6d 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -78,18 +78,18 @@ var _ = Describe("notation sign", func() { }) }) - It("by digest, with Referrers API", func() { + It("by digest, with referrers tag schema", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). + notation.WithDescription("store signature with referrers tag schema"). + Exec("sign", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) }) }) - It("by tag, with Referrers API", func() { + It("by digest, with Referrers API", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.WithDescription("store signature with Referrers API"). - Exec("sign", artifact.ReferenceWithTag(), "--allow-referrers-api"). + Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag=false"). MatchKeyWords(SignSuccessfully) }) }) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 5aaa3a92e..16aa525ad 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
@@ -65,7 +65,7 @@ var _ = Describe("notation verify", func() { It("by digest, sign with the Referrers API", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). @@ -73,9 +73,9 @@ var _ = Describe("notation verify", func() { }) }) - It("by tag, sign with the Referrers API", func() { + It("by tag, sign with the referrers tag schema", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithTag(), "-v"). From 8f9afb58a57b566fe7fb845ff8140ef7b31751e5 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 2 Apr 2024 15:30:31 +0800 Subject: [PATCH 10/19] fix tests Signed-off-by: Patrick Zheng --- cmd/notation/sign_test.go | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index 3540829f5..c98b80817 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -36,6 +36,7 @@ func TestSignCommand_BasicArgs(t *testing.T) { Key: "key", SignatureFormat: envelope.JWS, }, + forceReferrersTag: true, } if err := command.ParseFlags([]string{ expected.reference, 
@@ -77,7 +78,8 @@ func TestSignCommand_MoreArgs(t *testing.T) { "--insecure-registry", "--signature-format", expected.SignerFlagOpts.SignatureFormat, "--expiry", expected.expiry.String(), - "--force-referrers-tag"}); err != nil { + "--force-referrers-tag", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -97,8 +99,9 @@ func TestSignCommand_CorrectConfig(t *testing.T) { Key: "key", SignatureFormat: envelope.COSE, }, - expiry: 365 * 24 * time.Hour, - pluginConfig: []string{"key0=val0", "key1=val1"}, + expiry: 365 * 24 * time.Hour, + pluginConfig: []string{"key0=val0", "key1=val1"}, + forceReferrersTag: false, } if err := command.ParseFlags([]string{ expected.reference, @@ -106,7 +109,9 @@ func TestSignCommand_CorrectConfig(t *testing.T) { "--signature-format", expected.SignerFlagOpts.SignatureFormat, "--expiry", expected.expiry.String(), "--plugin-config", "key0=val0", - "--plugin-config", "key1=val1"}); err != nil { + "--plugin-config", "key1=val1", + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -154,7 +159,9 @@ func TestSignCommmand_OnDemandKeyOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--id", expected.KeyID, - "--plugin", expected.PluginName}); err != nil { + "--plugin", expected.PluginName, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { 
@@ -188,7 +195,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "--password", expected.Password, "--id", expected.KeyID, "--plugin", expected.PluginName, - "--key", expected.Key}); err != nil { + "--key", expected.Key, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -222,7 +231,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--id", expected.KeyID, - "--key", expected.Key}); err != nil { + "--key", expected.Key, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -256,7 +267,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--plugin", expected.PluginName, - "--key", expected.Key}); err != nil { + "--key", expected.Key, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -288,7 +301,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { expected.reference, "-u", expected.Username, "--password", expected.Password, - "--id", expected.KeyID}); err != nil { + "--id", expected.KeyID, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -320,7 +335,9 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { expected.reference, "-u", expected.Username, "--password", expected.Password, - "--plugin", expected.PluginName}); err != nil { + "--plugin", expected.PluginName, + "--force-referrers-tag=false", + }); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { 
From f239675f94006e8d2c0d0f5092fb03602727448b Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 2 Apr 2024 18:49:18 +0800 Subject: [PATCH 11/19] update Signed-off-by: Patrick Zheng --- cmd/notation/inspect.go | 13 ++++++++++--- cmd/notation/list.go | 18 ++++++++++++------ cmd/notation/sign.go | 21 ++++++++++++++++----- cmd/notation/verify.go | 9 +++++++-- internal/cmd/flags.go | 9 +++++++++ 5 files changed, 54 insertions(+), 16 deletions(-) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index 7cb5c0620..a3d842635 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -28,6 +28,7 @@ import ( "github.com/notaryproject/notation-go/plugin/proto" "github.com/notaryproject/notation-go/registry" cmderr "github.com/notaryproject/notation/cmd/notation/internal/errors" + "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" "github.com/notaryproject/notation/internal/ioutil" @@ -39,9 +40,10 @@ import ( type inspectOpts struct { cmd.LoggingFlagOpts SecureFlagOpts - reference string - outputFormat string - maxSignatures int + reference string + outputFormat string + allowReferrersAPI bool + maxSignatures int } type inspectOutput struct { @@ -97,6 +99,9 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } + if cmd.Flags().Changed("allow-referrers-api") { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and ignored.") + } return runInspect(cmd, opts) }, } 
@@ -105,6 +110,8 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu opts.SecureFlagOpts.ApplyFlags(command.Flags()) cmd.SetPflagOutput(command.Flags(), &opts.outputFormat, cmd.PflagOutputUsage) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") + cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "inspect")) + experimental.HideFlags(command, "", []string{"allow-referrers-api"}) return command } diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 1b9c1c477..bb061bb09 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -17,6 +17,7 @@ import ( "context" "errors" "fmt" + "os" notationregistry "github.com/notaryproject/notation-go/registry" cmderr "github.com/notaryproject/notation/cmd/notation/internal/errors" @@ -30,10 +31,11 @@ import ( type listOpts struct { cmd.LoggingFlagOpts SecureFlagOpts - reference string - ociLayout bool - inputType inputType - maxSignatures int + reference string + allowReferrersAPI bool + ociLayout bool + inputType inputType + maxSignatures int } func listCommand(opts *listOpts) *cobra.Command { 
@@ -73,20 +75,24 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "oci-layout") + return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout") }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } + if cmd.Flags().Changed("allow-referrers-api") { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and ignored.") + } return runList(cmd.Context(), opts) }, } opts.LoggingFlagOpts.ApplyFlags(command.Flags()) opts.SecureFlagOpts.ApplyFlags(command.Flags()) + cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "list")) command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] list signatures stored in OCI image layout") command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") - experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) + experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) return command } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 5a978d682..ca630a48d 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -40,6 +40,7 @@ type signOpts struct { pluginConfig []string userMetadata []string reference string + allowReferrersAPI bool forceReferrersTag bool ociLayout bool inputType inputType 
@@ -73,8 +74,8 @@ Example - Sign an OCI artifact identified by a tag (Notation will resolve tag to Example - Sign an OCI artifact stored in a registry and specify the signature expiry duration, for example 24 hours notation sign --expiry 24h /@ -Example - Sign an OCI artifact and store signature using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema - notation sign --force-referrers-tag /@ +Example - Sign an OCI artifact and store signature using the Referrers API. If it's not supported, fallback to the Referrers tag schema + notation sign --force-referrers-tag=false /@ ` experimentalExamples := ` Example - [Experimental] Sign an OCI artifact referenced in an OCI layout @@ -99,9 +100,18 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "oci-layout") + return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout") }, RunE: func(cmd *cobra.Command, args []string) error { + // allow-referrers-api flag is set + if cmd.Flags().Changed("allow-referrers-api") { + if opts.allowReferrersAPI { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag=false' instead.") + opts.forceReferrersTag = false + } else { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag' instead.") + } + } return runSign(cmd, opts) }, } 
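Review bot: In the `RunE` block, the `--allow-referrers-api=false` branch only prints a warning and relies on `forceReferrersTag` still holding its default of `true`, so the mapping breaks silently if that default ever changes. The two flags are declared mutually exclusive in the next hunk, so the mapping can be written explicitly as `opts.forceReferrersTag = !opts.allowReferrersAPI` before choosing the warning text. The other option normalisation (`opts.inputType`) is done in `PreRunE`; moving this translation there would keep `RunE` down to the call to `runSign`.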
@@ -111,10 +121,11 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagExpiry(command.Flags(), &opts.expiry) cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig) cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage) + cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign")) cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") - command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag") - experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) + command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api") + experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) return command } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index b40720f5f..f013bdd21 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -36,6 +36,7 @@ type verifyOpts struct { reference string pluginConfig []string userMetadata []string + allowReferrersAPI bool ociLayout bool trustPolicyScope string inputType inputType 
@@ -80,12 +81,15 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "oci-layout", "scope") + return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout", "scope") }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatureAttempts <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatureAttempts) } + if cmd.Flags().Changed("allow-referrers-api") { + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and ignored.") + } return runVerify(cmd, opts) }, } 
@@ -93,11 +97,12 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t opts.SecureFlagOpts.ApplyFlags(command.Flags()) command.Flags().StringArrayVar(&opts.pluginConfig, "plugin-config", nil, "{key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values") cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataVerifyUsage) + cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "verify")) command.Flags().IntVar(&opts.maxSignatureAttempts, "max-signatures", 100, "maximum number of signatures to evaluate or examine") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] verify the artifact stored as OCI image layout") command.Flags().StringVar(&opts.trustPolicyScope, "scope", "", "[Experimental] set trust policy scope for artifact verification, required and can only be used when flag \"--oci-layout\" is set") command.MarkFlagsRequiredTogether("oci-layout", "scope") - experimental.HideFlags(command, experimentalExamples, []string{"oci-layout", "scope"}) + experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout", "scope"}) return command } diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 8763d95ce..196768b2c 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go 
@@ -106,6 +106,15 @@ var ( fs.StringArrayVarP(p, PflagUserMetadata.Name, PflagUserMetadata.Shorthand, nil, usage) } + PflagReferrersAPI = &pflag.Flag{ + Name: "allow-referrers-api", + } + PflagReferrersUsageFormat = "[Experimental] use the Referrers API to %s signatures, if not supported (returns 404), fallback to the Referrers tag schema" + SetPflagReferrersAPI = func(fs *pflag.FlagSet, p *bool, usage string) { + fs.BoolVar(p, PflagReferrersAPI.Name, false, usage) + fs.MarkHidden(PflagReferrersAPI.Name) + } + PflagReferrersTag = &pflag.Flag{ Name: "force-referrers-tag", } From 6cf5ab44e9eb020bf05674f3e5d529f57fb09244 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 2 Apr 2024 19:16:05 +0800 Subject: [PATCH 12/19] added e2e tests Signed-off-by: Patrick Zheng --- test/e2e/suite/command/sign.go | 60 +++++++++++++++++++++++++++++--- test/e2e/suite/command/verify.go | 44 ++++++++++++++++++++--- 2 files changed, 95 insertions(+), 9 deletions(-) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 5bf7e3b6d..afc772bdb 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
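Review bot: `SetPflagReferrersAPI` discards the error returned by `fs.MarkHidden(PflagReferrersAPI.Name)`. The deprecation itself is hand-rolled as a `Changed("allow-referrers-api")` check repeated in the inspect, list, sign and verify commands. pflag already provides this: `_ = fs.MarkDeprecated(PflagReferrersAPI.Name, "use --force-referrers-tag instead")` hides the flag and prints a notice whenever it is used, which would leave only the value mapping in `sign`. `PflagReferrersUsageFormat` still describes the flag as selecting the Referrers API, although inspect, list and verify now ignore it; the usage string should say it is deprecated.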
@@ -78,19 +78,71 @@ var _ = Describe("notation sign", func() { }) }) - It("by digest, with referrers tag schema", func() { + It("with force-referrers-tag set", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.WithDescription("store signature with referrers tag schema"). - Exec("sign", artifact.ReferenceWithDigest()). + Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag"). MatchKeyWords(SignSuccessfully) + + OldNotation().WithDescription("verify by tag schema"). + Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) }) }) - It("by digest, with Referrers API", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + It("with force-referrers-tag set to false", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.WithDescription("store signature with Referrers API"). Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag=false"). MatchKeyWords(SignSuccessfully) + + OldNotation().WithDescription("verify by referrers api"). + Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("with allow-referrers-api set", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag=false' instead.", + ). + MatchKeyWords(SignSuccessfully) + + OldNotation().WithDescription("verify by referrers api"). 
+ Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("with allow-referrers-api set to false", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with referrers tag schema"). + Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api=false"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag' instead.", + ). + MatchKeyWords(SignSuccessfully) + + OldNotation().WithDescription("verify by tag schema"). + Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("with both force-referrers-tag and allow-referrers-api set", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + ExpectFailure(). + Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag", "--allow-referrers-api"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "[allow-referrers-api force-referrers-tag] were all set", + ) }) }) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 16aa525ad..c40950920 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
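Review bot: The added case "with both force-referrers-tag and allow-referrers-api set" in test/e2e/suite/command/sign.go keeps `WithDescription("store signature with Referrers API")` although it calls `ExpectFailure()` and stores nothing. A description that names the expectation, for example `WithDescription("reject mutually exclusive referrers flags")`, makes a failing run readable. The case "with allow-referrers-api set and experimental off", added in a later hunk of the same file, reuses the same copied description. The enclosing `Describe` block extends beyond the hunk.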
@@ -63,9 +63,9 @@ var _ = Describe("notation verify", func() { }) }) - It("by digest, sign with the Referrers API", func() { + It("sign with --force-referrers-tag set", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). 
@@ -73,12 +73,46 @@ var _ = Describe("notation verify", func() { }) }) - It("by tag, sign with the referrers tag schema", func() { + It("sign with --force-referrers-tag set to false", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). + notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - notation.Exec("verify", artifact.ReferenceWithTag(), "-v"). + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("sign with --allow-referrers-api set", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + ). + MatchKeyWords(VerifySuccessfully) + }) + }) + + It("sign with --allow-referrers-api set to false", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(VerifySuccessfully) + + notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). 
+ MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + ). MatchKeyWords(VerifySuccessfully) }) }) From bb42b3ad00f653e72675ad17bccb07bba916446a Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 2 Apr 2024 19:29:13 +0800 Subject: [PATCH 13/19] added e2e tests Signed-off-by: Patrick Zheng --- test/e2e/suite/command/inspect.go | 54 +++++++++++++++++++++++ test/e2e/suite/command/list.go | 72 +++++++++++++++++++++++++++++++ test/e2e/suite/command/sign.go | 4 +- 3 files changed, 128 insertions(+), 2 deletions(-) diff --git a/test/e2e/suite/command/inspect.go b/test/e2e/suite/command/inspect.go index 7937e8066..ff4ef7cf8 100644 --- a/test/e2e/suite/command/inspect.go +++ b/test/e2e/suite/command/inspect.go 
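Review bot: Verification by tag loses its coverage in this pair of cases in test/e2e/suite/command/verify.go. The removed case ran `notation.Exec("verify", artifact.ReferenceWithTag(), "-v")`, and every rewritten or added case now verifies `artifact.ReferenceWithDigest()`. Resolving a mutable tag to a digest before signature lookup is a separate path in a verifier, so unless a case outside this hunk already covers it, keep one tag-based check after the `--force-referrers-tag` signing: `notation.Exec("verify", artifact.ReferenceWithTag(), "-v").MatchKeyWords(VerifySuccessfully)`. The enclosing `Describe` block extends beyond the hunk.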
@@ -77,4 +77,58 @@ var _ = Describe("notation inspect", func() { NoMatchErrKeyWords(HTTPSRequest) }) }) + + It("sign with --force-referrers-tag set", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(inspectSuccessfully...) + }) + }) + + It("sign with --force-referrers-tag set to false", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(inspectSuccessfully...) + }) + }) + + It("sign with --allow-referrers-api set", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(inspectSuccessfully...) + + notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + ). + MatchKeyWords(inspectSuccessfully...) + }) + }) + + It("sign with --allow-referrers-api set to false", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). 
+ MatchKeyWords(SignSuccessfully) + + notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords(inspectSuccessfully...) + + notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + ). + MatchKeyWords(inspectSuccessfully...) + }) + }) }) diff --git a/test/e2e/suite/command/list.go b/test/e2e/suite/command/list.go index 62c11f8f0..558eabf63 100644 --- a/test/e2e/suite/command/list.go +++ b/test/e2e/suite/command/list.go 
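Review bot: The deprecation warning is asserted here as a full string literal, `"Warning: flag '--allow-referrers-api' is deprecated and ignored."`, twice in this test/e2e/suite/command/inspect.go hunk and again in the list.go and verify.go hunks. Later commits in this series reword that message twice and have to touch every copy. A shared constant next to `SignSuccessfully` and `VerifySuccessfully` would let the wording change in one place and keep the assertions from drifting apart. The same applies to the experimental-feature warning literal repeated beside it.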
@@ -85,4 +85,76 @@ var _ = Describe("notation list", func() { MatchKeyWords("has no associated signature") }) }) + + It("sign with --force-referrers-tag set", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords( + "└── application/vnd.cncf.notary.signature", + "└── sha256:", + ) + }) + }) + + It("sign with --force-referrers-tag set to false", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords( + "└── application/vnd.cncf.notary.signature", + "└── sha256:", + ) + }) + }) + + It("sign with --allow-referrers-api set", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords( + "└── application/vnd.cncf.notary.signature", + "└── sha256:", + ) + + notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + ). 
+ MatchKeyWords( + "└── application/vnd.cncf.notary.signature", + "└── sha256:", + ) + }) + }) + + It("sign with --allow-referrers-api set to false", func() { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). + MatchKeyWords(SignSuccessfully) + + notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). + MatchKeyWords( + "└── application/vnd.cncf.notary.signature", + "└── sha256:", + ) + + notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). + MatchErrKeyWords( + "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", + "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + ). + MatchKeyWords( + "└── application/vnd.cncf.notary.signature", + "└── sha256:", + ) + }) + }) }) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index afc772bdb..f35eb4d8a 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -96,7 +96,7 @@ var _ = Describe("notation sign", func() { Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag=false"). MatchKeyWords(SignSuccessfully) - OldNotation().WithDescription("verify by referrers api"). + OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchKeyWords(VerifySuccessfully) }) @@ -112,7 +112,7 @@ var _ = Describe("notation sign", func() { ). MatchKeyWords(SignSuccessfully) - OldNotation().WithDescription("verify by referrers api"). + OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchKeyWords(VerifySuccessfully) }) From f3ebda60e9130e9f550fc8d8fd3cd1c76f28c426 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Tue, 2 Apr 2024 19:38:11 +0800 Subject: [PATCH 14/19] fix Signed-off-by: Patrick Zheng --- cmd/notation/inspect.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index a3d842635..a5c140884 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -95,6 +95,9 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu opts.reference = args[0] return nil }, + PreRunE: func(cmd *cobra.Command, args []string) error { + return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api") + }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) From c378a658b2f6306f3a9f1731250cf1db1b4febbc Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 3 Apr 2024 09:38:58 +0800 Subject: [PATCH 15/19] update Signed-off-by: Patrick Zheng --- cmd/notation/registry.go | 2 +- cmd/notation/sign.go | 6 ++---- test/e2e/suite/command/sign.go | 10 ++++++++++ 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index 54c829e6c..54d914ca7 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go @@ -88,7 +88,7 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st return nil, err } } else { - logger.Info("Check and use the Referrers API first if possible") + logger.Info("Trying to use the Referrers API, fallback if not supported") } return notationregistry.NewRepository(remoteRepo), nil } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index ca630a48d..41f812519 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -14,7 +14,6 @@ package main import ( - "context" "errors" "fmt" "os" 
@@ -22,7 +21,6 @@ import ( "time" "github.com/notaryproject/notation-go" - notationregistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" @@ -142,7 +140,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { if err != nil { return err } - signOpts, err := prepareSigningOpts(ctx, cmdOpts, sigRepo) + signOpts, err := prepareSigningOpts(cmdOpts) if err != nil { return err } @@ -170,7 +168,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error { return nil } -func prepareSigningOpts(ctx context.Context, opts *signOpts, sigRepo notationregistry.Repository) (notation.SignOptions, error) { +func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) { mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat) if err != nil { return notation.SignOptions{}, err diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index f35eb4d8a..d83d7614d 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -146,6 +146,16 @@ var _ = Describe("notation sign", func() { }) }) + It("with allow-referrers-api set and experimental off", func() { + Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { + notation.WithDescription("store signature with Referrers API"). + ExpectFailure(). + Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). + MatchErrKeyWords( + "Error: flag(s) --allow-referrers-api in \"notation sign\" is experimental and not enabled by default.") + }) + }) + It("with specific key", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { const keyName = "sKey" From 25815d7d710495cb16ec9740c30e34025642d883 Mon Sep 17 00:00:00 2001 
From: Patrick Zheng Date: Wed, 3 Apr 2024 13:53:40 +0800 Subject: [PATCH 16/19] update per code review Signed-off-by: Patrick Zheng --- cmd/notation/registry.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index 54d914ca7..a5051b88e 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go @@ -56,13 +56,13 @@ func getRepository(ctx context.Context, inputType inputType, reference string, o } // getRemoteRepository returns a registry.Repository. -// When forceReferrersTag is set, Notation will always generate an image index +// When forceReferrersTag is true, Notation will always generate an image index // according to the Referrers tag schema to store signature. // -// When forceReferrersTag is not set, Notation will first try to store the +// When forceReferrersTag is false, Notation will first try to store the // signature as a referrer according to the Referrers API. If the Referrers API // is not supported, fallback to use the referrers tag schema. -// This flag is always NOT set when verify/list/inspect signatures. +// This flag is always FALSE when verify/list/inspect signatures. // // References: // https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers From d75c2134161d20ac80e57fe6c979bceb350fa0f5 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 3 Apr 2024 14:06:14 +0800 Subject: [PATCH 17/19] update per code review Signed-off-by: Patrick Zheng --- building.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/building.md b/building.md index 0a5d81b22..34e6222a9 100644 --- a/building.md +++ b/building.md 
@@ -4,7 +4,7 @@ The notation repo contains the following: - `notation` - A CLI for signing and verifying artifacts with Notation -Building above binaries require [golang](https://golang.org/dl/) with version `>= 1.21`. +Building above binaries require [golang](https://golang.org/dl/) with version `>= 1.22`. ## Windows with WSL or Linux From 1e3fd9fa000cbfa4c17ac2d235b6b94da1d00724 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 8 Apr 2024 16:18:11 +0800 Subject: [PATCH 18/19] updated per code review Signed-off-by: Patrick Zheng --- cmd/notation/inspect.go | 2 +- cmd/notation/list.go | 2 +- cmd/notation/sign.go | 4 ++-- cmd/notation/verify.go | 2 +- test/e2e/suite/command/inspect.go | 4 ++-- test/e2e/suite/command/list.go | 4 ++-- test/e2e/suite/command/sign.go | 4 ++-- test/e2e/suite/command/verify.go | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index a5c140884..ffa104b13 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -103,7 +103,7 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and ignored.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.") } return runInspect(cmd, opts) }, diff --git a/cmd/notation/list.go b/cmd/notation/list.go index bb061bb09..3cd6226a5 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go 
@@ -82,7 +82,7 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and ignored.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.") } return runList(cmd.Context(), opts) }, diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 41f812519..ac5a68975 100644 --- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -104,10 +104,10 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced // allow-referrers-api flag is set if cmd.Flags().Changed("allow-referrers-api") { if opts.allowReferrersAPI { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag=false' instead.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version, use '--force-referrers-tag=false' instead.") opts.forceReferrersTag = false } else { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag' instead.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.") } } return runSign(cmd, opts) diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index f013bdd21..ae2796f1d 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go 
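Review bot: In the cmd/notation/sign.go hunk, the `else` branch for `--allow-referrers-api=false` now only prints the removal warning: the hint to use `--force-referrers-tag` is gone and `opts.forceReferrersTag` stays at its default. That default is not visible in this hunk; if it is or becomes false, an explicit `--allow-referrers-api=false` would still let signing go through the Referrers API, contrary to what the caller asked for. Setting `opts.forceReferrersTag = true` in the `else` branch and keeping `use '--force-referrers-tag' instead` in the warning makes the two flags agree regardless of the default. The sign e2e case that passes both flags expects a "were all set" error, so this assignment cannot override a user-supplied `--force-referrers-tag`. The enclosing `RunE` closure extends beyond the hunk.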
@@ -88,7 +88,7 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatureAttempts) } if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and ignored.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.") } return runVerify(cmd, opts) }, diff --git a/test/e2e/suite/command/inspect.go b/test/e2e/suite/command/inspect.go index ff4ef7cf8..64dd37d72 100644 --- a/test/e2e/suite/command/inspect.go +++ b/test/e2e/suite/command/inspect.go @@ -109,7 +109,7 @@ var _ = Describe("notation inspect", func() { notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.", ). MatchKeyWords(inspectSuccessfully...) }) @@ -126,7 +126,7 @@ var _ = Describe("notation inspect", func() { notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.", ). MatchKeyWords(inspectSuccessfully...) }) diff --git a/test/e2e/suite/command/list.go b/test/e2e/suite/command/list.go index 558eabf63..d1eb06b57 100644 --- a/test/e2e/suite/command/list.go +++ b/test/e2e/suite/command/list.go 
@@ -126,7 +126,7 @@ var _ = Describe("notation list", func() { notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.", ). MatchKeyWords( "└── application/vnd.cncf.notary.signature", @@ -149,7 +149,7 @@ var _ = Describe("notation list", func() { notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.", ). MatchKeyWords( "└── application/vnd.cncf.notary.signature", diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index d83d7614d..0371cce6d 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -108,7 +108,7 @@ var _ = Describe("notation sign", func() { Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag=false' instead.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version, use '--force-referrers-tag=false' instead.", ). MatchKeyWords(SignSuccessfully) 
@@ -124,7 +124,7 @@ var _ = Describe("notation sign", func() { Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api=false"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated, use '--force-referrers-tag' instead.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.", ). MatchKeyWords(SignSuccessfully) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index c40950920..81d883cd7 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go @@ -94,7 +94,7 @@ var _ = Describe("notation verify", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.", ). MatchKeyWords(VerifySuccessfully) }) @@ -111,7 +111,7 @@ var _ = Describe("notation verify", func() { notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). MatchErrKeyWords( "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and ignored.", + "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.", ). MatchKeyWords(VerifySuccessfully) }) From ce4915a170cb86b87363ac9cdd53b369820186b9 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 10 Apr 2024 08:24:02 +0800 Subject: [PATCH 19/19] update 
Signed-off-by: Patrick Zheng --- cmd/notation/inspect.go | 3 +-- cmd/notation/list.go | 4 ++-- cmd/notation/registry.go | 4 ++-- cmd/notation/sign.go | 6 +++--- cmd/notation/verify.go | 4 ++-- test/e2e/suite/command/inspect.go | 4 ++-- test/e2e/suite/command/list.go | 4 ++-- test/e2e/suite/command/sign.go | 4 ++-- test/e2e/suite/command/verify.go | 4 ++-- 9 files changed, 18 insertions(+), 19 deletions(-) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index ffa104b13..df91dbea0 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -103,7 +103,7 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") } return runInspect(cmd, opts) }, @@ -114,7 +114,6 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu cmd.SetPflagOutput(command.Flags(), &opts.outputFormat, cmd.PflagOutputUsage) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "inspect")) - experimental.HideFlags(command, "", []string{"allow-referrers-api"}) return command } diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 3cd6226a5..387134907 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go 
@@ -82,7 +82,7 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") } return runList(cmd.Context(), opts) }, @@ -92,7 +92,7 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "list")) command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] list signatures stored in OCI image layout") command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) + experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index a5051b88e..bc9352179 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go @@ -83,12 +83,12 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st } if forceReferrersTag { - logger.Info("Generating the referrers tag schema") + logger.Info("The referrers tag schema is always attempted") if err := remoteRepo.SetReferrersCapability(false); err != nil { return nil, err } } else { - logger.Info("Trying to use the Referrers API, fallback if not supported") + logger.Info("Allowed to access the referrers API, fallback if not supported") } return notationregistry.NewRepository(remoteRepo), nil } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index ac5a68975..23b227a49 100644 
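Review bot: In the cmd/notation/registry.go hunk, the two reworded log lines no longer say what the branch does. "The referrers tag schema is always attempted" sits above `remoteRepo.SetReferrersCapability(false)`, which turns the Referrers API off, and "Allowed to access the referrers API, fallback if not supported" does not name what it falls back to. Someone auditing where signatures were stored or discovered reads these lines first, so state the effect and the cause: `logger.Info("Referrers API disabled by --force-referrers-tag, using the referrers tag schema")` and `logger.Info("Using the Referrers API, falling back to the referrers tag schema if the registry does not support it")`. The body of `getRemoteRepository` starts outside the hunk.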
--- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -104,10 +104,10 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced // allow-referrers-api flag is set if cmd.Flags().Changed("allow-referrers-api") { if opts.allowReferrersAPI { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version, use '--force-referrers-tag=false' instead.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.") opts.forceReferrersTag = false } else { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.") + fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") } } return runSign(cmd, opts) @@ -123,7 +123,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api") - experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"}) + experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command } diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index ae2796f1d..6417b10c6 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go 
@@ -88,7 +88,7 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t
 return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatureAttempts)
 }
 if cmd.Flags().Changed("allow-referrers-api") {
- fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.")
+ fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.")
 }
 return runVerify(cmd, opts)
 },
@@ -102,7 +102,7 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] verify the artifact stored as OCI image layout")
 command.Flags().StringVar(&opts.trustPolicyScope, "scope", "", "[Experimental] set trust policy scope for artifact verification, required and can only be used when flag \"--oci-layout\" is set")
 command.MarkFlagsRequiredTogether("oci-layout", "scope")
- experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout", "scope"})
+ experimental.HideFlags(command, experimentalExamples, []string{"oci-layout", "scope"})
 return command
 }
diff --git a/test/e2e/suite/command/inspect.go b/test/e2e/suite/command/inspect.go
index 64dd37d72..49ba33e77 100644
--- a/test/e2e/suite/command/inspect.go
+++ b/test/e2e/suite/command/inspect.go
@@ -109,7 +109,7 @@ var _ = Describe("notation inspect", func() {
 notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
 ).
 MatchKeyWords(inspectSuccessfully...)
 })
@@ -126,7 +126,7 @@ var _ = Describe("notation inspect", func() {
 notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
 ).
 MatchKeyWords(inspectSuccessfully...)
 })
diff --git a/test/e2e/suite/command/list.go b/test/e2e/suite/command/list.go
index d1eb06b57..889ccb396 100644
--- a/test/e2e/suite/command/list.go
+++ b/test/e2e/suite/command/list.go
@@ -126,7 +126,7 @@ var _ = Describe("notation list", func() {
 notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
 ).
 MatchKeyWords(
 "└── application/vnd.cncf.notary.signature",
@@ -149,7 +149,7 @@ var _ = Describe("notation list", func() {
 notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
 ).
 MatchKeyWords(
 "└── application/vnd.cncf.notary.signature",
diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go
index 0371cce6d..8354d8696 100644
--- a/test/e2e/suite/command/sign.go
+++ b/test/e2e/suite/command/sign.go
@@ -108,7 +108,7 @@ var _ = Describe("notation sign", func() {
 Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version, use '--force-referrers-tag=false' instead.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.",
 ).
 MatchKeyWords(SignSuccessfully)
@@ -124,7 +124,7 @@ var _ = Describe("notation sign", func() {
 Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api=false").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
 ).
 MatchKeyWords(SignSuccessfully)
diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go
index 81d883cd7..f27384301 100644
--- a/test/e2e/suite/command/verify.go
+++ b/test/e2e/suite/command/verify.go
@@ -94,7 +94,7 @@ var _ = Describe("notation verify", func() {
 notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
 ).
 MatchKeyWords(VerifySuccessfully)
 })
@@ -111,7 +111,7 @@ var _ = Describe("notation verify", func() {
 notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v").
 MatchErrKeyWords(
 "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.",
- "Warning: flag '--allow-referrers-api' is deprecated and will be removed in a future version.",
+ "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.",
 ).
 MatchKeyWords(VerifySuccessfully)
 })