@byronchien

Adds support for notation inspect (spec here)

Example output:

chienb@a07817b52895 notation % ./bin/notation inspect $IMAGE
Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before inspect.
Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
Inspecting all signatures for signed artifact
localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b
└── application/vnd.cncf.notary.signature
    └── sha256:34e5843a1a8b1607d2ba7da9b61c6a5b3953f5680751c160fb944df87b01b2b2
        ├── signature algorithm : RSASSA-PSS-SHA-256
        ├── signed attributes
        │   ├── expiry : 0001-01-01 00:00:00 +0000 UTC
        │   ├── signingScheme : notary.x509
        │   └── signingTime : 2023-01-27 17:02:22 -0800 PST
        ├── user defined attributes
        │   └── io.wabbit-networks.buildId : 123
        ├── unsigned attributes
        │   └── signingAgent : Notation/1.0.0
        ├── certificates
        │   └── SHA1 fingerprint e1ef7b0f984d1f8222d6bf297e1ad10047997b54
        │       ├── issued to : CN=byron.test,O=Notary,L=Seattle,ST=WA,C=US
        │       ├── issued by : CN=byron.test,O=Notary,L=Seattle,ST=WA,C=US
        │       └── expiry : 2023-01-29 01:02:13 +0000 UTC
        └── signed artifact
            ├── media type : application/vnd.docker.distribution.manifest.v2+json
            ├── digest : sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b
            └── size : 942
chienb@a07817b52895 notation % ./bin/notation inspect $IMAGE --output json
{
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "Signatures": [
        {
            "digest": "sha256:34e5843a1a8b1607d2ba7da9b61c6a5b3953f5680751c160fb944df87b01b2b2",
            "signatureAlgorithm": "RSASSA-PSS-SHA-256",
            "signedAttributes": {
                "expiry": "0001-01-01 00:00:00 +0000 UTC",
                "signingScheme": "notary.x509",
                "signingTime": "2023-01-27 17:02:22 -0800 PST"
            },
            "userDefinedAttributes": {
                "io.wabbit-networks.buildId": "123"
            },
            "unsignedAttributes": {
                "signingAgent": "Notation/1.0.0"
            },
            "certificates": [
                {
                    "SHA1Fingerprint": "e1ef7b0f984d1f8222d6bf297e1ad10047997b54",
                    "issuedTo": "CN=byron.test,O=Notary,L=Seattle,ST=WA,C=US",
                    "issuedBy": "CN=byron.test,O=Notary,L=Seattle,ST=WA,C=US",
                    "expiry": "2023-01-29 01:02:13 +0000 UTC"
                }
            ],
            "signedArtifact": {
                "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "digest": "sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b",
                "size": 942
            }
        }
    ]
}

Signed-off-by: Byron Chien <chienb@amazon.com>
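
Added example (not part of this pull request or of the Notation code base): a small Go consumer of the `--output json` form shown above that counts signatures which reference a pinned digest and whose signature and certificate expiries have not passed. Field names and the timestamp layout are taken from the sample output; `report`, `expired`, `CountCurrent`, and the reading of the zero time `0001-01-01 00:00:00 +0000 UTC` as "no expiry set" are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Field names follow the sample JSON on this page; encoding/json matches them case-insensitively.
type report struct {
	Signatures []struct {
		SignedAttributes struct{ Expiry string }
		Certificates     []struct{ Expiry string }
		SignedArtifact   struct{ Digest string }
	}
}

const artifact = "sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b" // input below is constructed, trimmed from the sample output
const sample = `{"Signatures":[{"signedAttributes":{"expiry":"0001-01-01 00:00:00 +0000 UTC"},
 "certificates":[{"expiry":"2023-01-29 01:02:13 +0000 UTC"}],"signedArtifact":{"digest":"` + artifact + `"}}]}`

// expired fails closed on unparseable input; the zero time is read as "no expiry set" (assumption).
func expired(ts string, now time.Time) bool {
	e, err := time.Parse("2006-01-02 15:04:05 -0700 MST", ts)
	return err != nil || (!e.IsZero() && now.After(e))
}

// CountCurrent counts signatures over the pinned digest whose expiries have not passed.
func CountCurrent(raw []byte, pinned string, now time.Time) (int, error) {
	var r report
	if err := json.Unmarshal(raw, &r); err != nil {
		return 0, err
	}
	n := 0
	for _, s := range r.Signatures {
		ok := s.SignedArtifact.Digest == pinned && len(s.Certificates) > 0 && !expired(s.SignedAttributes.Expiry, now)
		for _, c := range s.Certificates {
			ok = ok && !expired(c.Expiry, now)
		}
		if ok {
			n++
		}
	}
	return n, nil
}

func main() {
	fmt.Println(CountCurrent([]byte(sample), artifact, time.Date(2023, 1, 28, 0, 0, 0, 0, time.UTC)))
}
```

`inspect` only displays what a signature contains, so a count from this check is triage over its output; the trust decision still belongs to `notation verify`.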

@byronchien

TODOs:

  • Add a generic tree printer, would ideally like to just do a printObjectAsTree(foo) instead of all the plaintext print logic
  • update verify to use the getDescriptorFromPayload instead of the metadata specific helper

updates:
- Update the flag name per community discussion
- Update the description for using OCI image manifest

Signed-off-by: Yi Zha <yizha1@microsoft.com>
byronchien and others added 2 commits February 9, 2023 16:28
…t#527)

allows json output for `notation verify`. Fixes notaryproject/roadmap#67 and notaryproject#498

chienb@a07817b52895 notation % ./bin/notation verify $IMAGE --output json
{
    "reference": "localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b",
    "userMetadata": {
        "foo": "bar"
    },
    "result": "Success"
}

Signed-off-by: Byron Chien <chienb@amazon.com>
…yproject#543)

After discussion with @yizha1, aligning with the spec in this [PR](notaryproject#540).

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@byronchien byronchien force-pushed the inspect-impl branch 3 times, most recently from 4ab2a4d to a8e2dc0 Compare February 10, 2023 07:51
…ryproject#527)" (notaryproject#551)

This reverts commit 33c2281.

We are reverting notaryproject#527 because we need to write spec first for json output.

Signed-off-by: Pritesh Bandi <priteshbandi@gmail.com>
Signed-off-by: Byron Chien <byronc@ucla.edu>