Skip to content

Add output flag for notation verify #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
byronchien wants to merge 26 commits into
base: attestations-impl
Choose a base branch
from
Open

Add output flag for notation verify #1

byronchien wants to merge 26 commits into from

Conversation

@byronchien
Copy link
Owner

@byronchien byronchien commented Jan 23, 2023

Adds output flag for notation verify to format output as json. Also updates the notation verify spec for the new flag.

Signed-off-by: Byron Chien chienb@amazon.com

byronchien and others added 5 commits January 13, 2023 16:06
@byronchien
Merge branch 'notaryproject:main' into attestations-impl
eff0563
Ignore envelope parsing error and explain in comment
e9cf5e1 
Signed-off-by: Byron Chien <chienb@amazon.com>
use RemoteSignOptions and fix verify error
7e1fcd1 
Signed-off-by: Byron Chien <chienb@amazon.com>
Use embedded struct
356a303 
Signed-off-by: Byron Chien <chienb@amazon.com>
Add output flag for notation verify
ed93b36 
Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
priteshbandi reviewed Jan 23, 2023
View reviewed changes
plaintext => text, adds helper for printing objects
f2004e7 
Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi
priteshbandi reviewed Jan 24, 2023
View reviewed changes
priteshbandi
priteshbandi reviewed Jan 24, 2023
View reviewed changes
priteshbandi
priteshbandi reviewed Jan 24, 2023
View reviewed changes
Copy link

@priteshbandi priteshbandi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few nitpicks, else LGTM

cmd/notation/verify.go Outdated
}

func printMetadataIfPresent(outcome *notation.VerificationOutcome) {
func printResult(outputFormat string, reference string, outcome *notation.VerificationOutcome) error {
Copy link

@priteshbandi priteshbandi Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func printResult(outputFormat string, reference string, outcome *notation.VerificationOutcome) error {
func printResult(outputFormat, reference string, outcome *notation.VerificationOutcome) error {

Copy link
Owner Author

@byronchien byronchien Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

huh, didn't realize it wasn't necessary, is this a go thing?

priteshbandi
priteshbandi reviewed Jan 24, 2023
View reviewed changes
specs/commandline/verify.md Outdated
"reference": "localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
"userMetadata": {
"io.wabbit-networks.buildId": "123"
}
Copy link

@priteshbandi priteshbandi Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we missing result?

cmd/notation/verify.go Outdated
Comment on lines 88 to 90
fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String())
fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.")
}
Copy link

@priteshbandi priteshbandi Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this should go into std.err instead of std.out. its not part of your change but can we open an issue to track this?

Copy link
Owner Author

@byronchien byronchien Jan 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: notaryproject#513

cmd/notation/verify.go Outdated
Comment on lines 193 to 195
if outputFormat == ioutil.OutputJson {
output.UserMetadata = metadata
return ioutil.PrintObjectAsJson(output)
}
Copy link

@priteshbandi priteshbandi Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we throwing away outputFormat object if output != json ?

Copy link
Owner Author

@byronchien byronchien Jan 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, can make it cleaner and only setup the object if output format is json

cmd/notation/verify.go Outdated

func printMetadataIfPresent(outcome *notation.VerificationOutcome) {
func printResult(outputFormat, reference string, outcome *notation.VerificationOutcome) error {
output := verifyOutput{Reference: reference, Result: "Success", UserMetadata: map[string]string{}}
Copy link

@priteshbandi priteshbandi Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: usually its best practice to start with failure mode and add then override data, unless you have all the data you need to call success.

Byron Chien added 3 commits February 2, 2023 09:34
Beautify json, add behavior for warnings
f2abaed 
Signed-off-by: Byron Chien <chienb@amazon.com>
Add result to output instead of warnings
f1e85af 
Signed-off-by: Byron Chien <chienb@amazon.com>
initialize output object only when output is json
cb6d2ed 
Signed-off-by: Byron Chien <chienb@amazon.com>
Byron Chien added 3 commits February 6, 2023 15:05
Merge from main
8e3d62e 
Signed-off-by: Byron Chien <chienb@amazon.com>
some nits
17f4b82 
Signed-off-by: Byron Chien <chienb@amazon.com>
Revert the merge but update the error messages for cleaner diff
b8367b8 
Signed-off-by: Byron Chien <chienb@amazon.com>
@byronchien byronchien force-pushed the attestations-impl branch 2 times, most recently from 5f040e0 to 1c3cddf Compare February 7, 2023 00:29
byronchien and others added 2 commits February 7, 2023 16:04
@byronchien
Merge branch 'main' into metadata-output
00d8c1a 
Signed-off-by: Byron Chien <chienb@amazon.com>
Add e2e test for metadata output
aa74179 
Signed-off-by: Byron Chien <chienb@amazon.com>
Byron Chien and others added 2 commits February 7, 2023 16:08
Add SkippedByTrustPolicy result
5447ef8 
Signed-off-by: Byron Chien <chienb@amazon.com>
@JeyJeyGao
fix: add error handling for LoadConfigOnce() (notaryproject#520)
8d52989 
* Added error handling and unit tests.
* WIP for notaryproject#516 
* Resolves notaryproject#525 

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
Byron Chien and others added 4 commits February 8, 2023 09:13
Update go.mod for notation-go
0ff2455 
Signed-off-by: Byron Chien <chienb@amazon.com>
@byronchien
feat: add support for signed user metadata in notation sign and verif…
51951af 
…y cmds (notaryproject#507)

Adds support for signed user metadata in `notation sign` and `notation verify`. [Relevant spec](notaryproject#498)

example sign usage:
chienb@a07817b52895 notation % notation sign $IMAGE --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=123
Successfully signed localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b
---------------
example verification:
chienb@a07817b52895 notation % notation verify $IMAGE --user-metadata io.wabbit-networks.buildTime=123
Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before verification.
Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
Successfully verified signature for localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b

The artifact was signed with the following user metadata.
KEY                            VALUE
io.wabbit-networks.buildTime   123
io.wabbit-networks.buildId     123
-----

Signed-off-by: Byron Chien <chienb@amazon.com>
@byronchien
Merge branch 'main' into metadata-output
be0a68a 
Signed-off-by: Byron Chien <chienb@amazon.com>
Fix bad merge conflict resolution
b22ae06 
Signed-off-by: Byron Chien <chienb@amazon.com>
priteshbandi and others added 6 commits February 8, 2023 10:52
@priteshbandi
Dont access value of default pointer if it is nil (notaryproject#541)
053f0f8 
Don't access value of default pointer if it is nil. This is actually a bug(unable to delete key if defualt key is not present) fix.

Signed-off-by: Pritesh Bandi <pritesb@amazon.com>
Expect failure for E2E metadata test
d1c6526 
Signed-off-by: Byron Chien <chienb@amazon.com>
feat: support OCI image manifest (notaryproject#509)
4f573af 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Assorted updates
682d674 
- fail fast on unknown output format
- print warnings to stderr for both output formats
- omit empty metadata from json response

Signed-off-by: Byron Chien <chienb@amazon.com>
@byronchien
Merge branch 'main' into metadata-output
c4a432f 
Signed-off-by: Byron Chien <chienb@amazon.com>
Assorted nits
79b3217 
- rename PrintObjectAsJson => PrintObjectAsJSON
- move output format constants to flags.go
- use switch for verify output behavior
- add documentation output methods
- call out failure behavior in spec

Signed-off-by: Byron Chien <chienb@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@priteshbandi priteshbandi priteshbandi left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@byronchien @priteshbandi @JeyJeyGao