-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update: check SignatureMediaType in notation.Verify #208
Conversation
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Codecov Report
@@ Coverage Diff @@
## main #208 +/- ##
==========================================
+ Coverage 66.64% 67.75% +1.10%
==========================================
Files 23 23
Lines 1559 1569 +10
==========================================
+ Hits 1039 1063 +24
+ Misses 455 441 -14
Partials 65 65
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are we even taking opts.SignatureMediaType
as input? Also, will checking check SignatureMediaType in notation.Verify hurt multi-signature envelope support?
This enables users to pick their trusted signature format. Signature format that they don't trust will not be processed even if it might pass the verification process.
No, it won't hurt multi-signature format support.
To enable both JWS and COSE, user could just leave VerifyOptions.SignatureMediaType as empty. (I updated the code to reflect this.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
The question here is, if a user trust notary v2 for signing and verifying, why wont they trust a signature format that has been vetted by notary v2 ?
Yes, that's an implementation detail. I am wondering why will a user want to trust one signature format but not the other. Also, if an implementation does that then it's not abiding by notartv2 spec. |
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Please don't get me wrong, I don't mean users should or need to pick one specific signature format here. Leaving the field empty is the default behavior, i.e. taking both signature formats is our default. The purpose of this PR is not enabling users to pick a signature format. On the contrary, previous to this PR, the logic is only using opts.SignatureMediaType. This PR actually fixes this issue and takes SignatureMediaType from registry. |
if the purpose of this PR is not enabling users to pick a signature format, can we always use mediatype returned by signature manifest i.e. user shouldn't be able to choose? |
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Code updated. Changed the field to an array, and separated verify options for notation.Verify() and verifier.Verify(). |
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@patrickzheng200 Can we do this? |
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@priteshbandi Oh yeah, I've updated the code. PTAL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
In this PR:
Signed-off-by: Patrick Zheng patrickzheng@microsoft.com