Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: check SignatureMediaType in notation.Verify #208

Merged
merged 14 commits into from
Nov 25, 2022
Merged

update: check SignatureMediaType in notation.Verify #208

merged 14 commits into from
Nov 25, 2022

Conversation

patrickzheng200
Copy link
Contributor

@patrickzheng200 patrickzheng200 commented Nov 18, 2022
edited
Loading

In this PR:

  1. Created RemoteVerifyOptions for notation.Verify(), and therefore, VerifyOptions is now only for verifier.Verify().
  2. In notation.Verify(), using signature media type fetched from registry.

Signed-off-by: Patrick Zheng patrickzheng@microsoft.com

@Two-Hearts
check SignatureMediaType in notation.Verify
6e57ab2 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@codecov-commenter
Copy link

codecov-commenter commented Nov 18, 2022
edited
Loading

Codecov Report

Merging #208 (ccd6de7) into main (7e391f7) will increase coverage by 1.10%.
The diff coverage is 89.47%.

@@            Coverage Diff             @@
##             main     #208      +/-   ##
==========================================
+ Coverage   66.64%   67.75%   +1.10%     
==========================================
  Files          23       23              
  Lines        1559     1569      +10     
==========================================
+ Hits         1039     1063      +24     
+ Misses        455      441      -14     
  Partials       65       65
Impacted Files Coverage Δ
notation.go 53.53% <89.47%> (+20.95%) ⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

JeyJeyGao
JeyJeyGao reviewed Nov 18, 2022
View reviewed changes
notation.go Show resolved Hide resolved
priteshbandi
priteshbandi reviewed Nov 18, 2022
View reviewed changes
Copy link
Contributor

@priteshbandi priteshbandi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we even taking opts.SignatureMediaType as input? Also, will checking check SignatureMediaType in notation.Verify hurt multi-signature envelope support?

@Two-Hearts
update
88db322 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@patrickzheng200
Copy link
Contributor Author

patrickzheng200 commented Nov 18, 2022
edited
Loading

Why are we even taking opts.SignatureMediaType as input?

This enables users to pick their trusted signature format. Signature format that they don't trust will not be processed even if it might pass the verification process.

Also, will checking check SignatureMediaType in notation.Verify hurt multi-signature envelope support?

No, it won't hurt multi-signature format support.
Basically, there are 3 scenarios:

  1. VerifyOptions.SignatureMediaType is empty. In this case, MediaType fetched from repo will be used.
  2. VerifyOptions.SignatureMediaType is not empty but does not match MediaType fetched from repo. In this case, this certain signature will be skipped, and the program will continue to verify the next signature.
  3. VerifyOptions.SignatureMediaType equals to MediaType fetched from repo. This MediaType will be used to verify the signature.

To enable both JWS and COSE, user could just leave VerifyOptions.SignatureMediaType as empty. (I updated the code to reflect this.)

shizhMSFT
shizhMSFT approved these changes Nov 18, 2022
View reviewed changes
Copy link
Contributor

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

JeyJeyGao
JeyJeyGao approved these changes Nov 18, 2022
View reviewed changes
Copy link
Contributor

@JeyJeyGao JeyJeyGao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

priteshbandi
priteshbandi reviewed Nov 18, 2022
View reviewed changes
notation.go Outdated Show resolved Hide resolved
@yizha1 yizha1 added this to the RC-1 milestone Nov 18, 2022
@priteshbandi
Copy link
Contributor

Why are we even taking opts.SignatureMediaType as input?

This enables users to pick their trusted signature format. Signature format that they don't trust will not be processed even if it might pass the verification process.

The question here is, if a user trust notary v2 for signing and verifying, why wont they trust a signature format that has been vetted by notary v2 ?

Also, will checking check SignatureMediaType in notation.Verify hurt multi-signature envelope support?

No, it won't hurt multi-signature format support. Basically, there are 3 scenarios:

  1. VerifyOptions.SignatureMediaType is empty. In this case, MediaType fetched from repo will be used.
  2. VerifyOptions.SignatureMediaType is not empty but does not match MediaType fetched from repo. In this case, this certain signature will be skipped, and the program will continue to verify the next signature.
  3. VerifyOptions.SignatureMediaType equals to MediaType fetched from repo. This MediaType will be used to verify the signature.

To enable both JWS and COSE, user could just leave VerifyOptions.SignatureMediaType as empty. (I updated the code to reflect this.)

Yes, that's an implementation detail. I am wondering why will a user want to trust one signature format but not the other. Also, if an implementation does that then it's not abiding by notartv2 spec.

@Two-Hearts
added unit test
6e67c4a 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@Two-Hearts
Merge branch 'notaryproject:main' into update_verify
6dc9bb2
@patrickzheng200
Copy link
Contributor Author

Why are we even taking opts.SignatureMediaType as input?

This enables users to pick their trusted signature format. Signature format that they don't trust will not be processed even if it might pass the verification process.

The question here is, if a user trust notary v2 for signing and verifying, why wont they trust a signature format that has been vetted by notary v2 ?

Also, will checking check SignatureMediaType in notation.Verify hurt multi-signature envelope support?

No, it won't hurt multi-signature format support. Basically, there are 3 scenarios:

  1. VerifyOptions.SignatureMediaType is empty. In this case, MediaType fetched from repo will be used.
  2. VerifyOptions.SignatureMediaType is not empty but does not match MediaType fetched from repo. In this case, this certain signature will be skipped, and the program will continue to verify the next signature.
  3. VerifyOptions.SignatureMediaType equals to MediaType fetched from repo. This MediaType will be used to verify the signature.

To enable both JWS and COSE, user could just leave VerifyOptions.SignatureMediaType as empty. (I updated the code to reflect this.)

Yes, that's an implementation detail. I am wondering why will a user want to trust one signature format but not the other. Also, if an implementation does that then it's not abiding by notartv2 spec.

Please don't get me wrong, I don't mean users should or need to pick one specific signature format here. Leaving the field empty is the default behavior, i.e. taking both signature formats is our default. The purpose of this PR is not enabling users to pick a signature format. On the contrary, previous to this PR, the logic is only using opts.SignatureMediaType. This PR actually fixes this issue and takes SignatureMediaType from registry.

@priteshbandi
Copy link
Contributor

Why are we even taking opts.SignatureMediaType as input?

This enables users to pick their trusted signature format. Signature format that they don't trust will not be processed even if it might pass the verification process.

The question here is, if a user trust notary v2 for signing and verifying, why wont they trust a signature format that has been vetted by notary v2 ?

Also, will checking check SignatureMediaType in notation.Verify hurt multi-signature envelope support?

No, it won't hurt multi-signature format support. Basically, there are 3 scenarios:

  1. VerifyOptions.SignatureMediaType is empty. In this case, MediaType fetched from repo will be used.
  2. VerifyOptions.SignatureMediaType is not empty but does not match MediaType fetched from repo. In this case, this certain signature will be skipped, and the program will continue to verify the next signature.
  3. VerifyOptions.SignatureMediaType equals to MediaType fetched from repo. This MediaType will be used to verify the signature.

To enable both JWS and COSE, user could just leave VerifyOptions.SignatureMediaType as empty. (I updated the code to reflect this.)

Yes, that's an implementation detail. I am wondering why will a user want to trust one signature format but not the other. Also, if an implementation does that then it's not abiding by notartv2 spec.

Please don't get me wrong, I don't mean users should or need to pick one specific signature format here. Leaving the field empty is the default behavior, i.e. taking both signature formats is our default. The purpose of this PR is not enabling users to pick a signature format. On the contrary, previous to this PR, the logic is only using opts.SignatureMediaType. This PR actually fixes this issue and takes SignatureMediaType from registry.

if the purpose of this PR is not enabling users to pick a signature format, can we always use mediatype returned by signature manifest i.e. user shouldn't be able to choose?

@Two-Hearts
updated per code review
784fc18 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@patrickzheng200
Copy link
Contributor Author

patrickzheng200 commented Nov 23, 2022
edited
Loading

Why are we even taking opts.SignatureMediaType as input?

This enables users to pick their trusted signature format. Signature format that they don't trust will not be processed even if it might pass the verification process.

The question here is, if a user trust notary v2 for signing and verifying, why wont they trust a signature format that has been vetted by notary v2 ?

Also, will checking check SignatureMediaType in notation.Verify hurt multi-signature envelope support?

No, it won't hurt multi-signature format support. Basically, there are 3 scenarios:

  1. VerifyOptions.SignatureMediaType is empty. In this case, MediaType fetched from repo will be used.
  2. VerifyOptions.SignatureMediaType is not empty but does not match MediaType fetched from repo. In this case, this certain signature will be skipped, and the program will continue to verify the next signature.
  3. VerifyOptions.SignatureMediaType equals to MediaType fetched from repo. This MediaType will be used to verify the signature.

To enable both JWS and COSE, user could just leave VerifyOptions.SignatureMediaType as empty. (I updated the code to reflect this.)

Yes, that's an implementation detail. I am wondering why will a user want to trust one signature format but not the other. Also, if an implementation does that then it's not abiding by notartv2 spec.

Please don't get me wrong, I don't mean users should or need to pick one specific signature format here. Leaving the field empty is the default behavior, i.e. taking both signature formats is our default. The purpose of this PR is not enabling users to pick a signature format. On the contrary, previous to this PR, the logic is only using opts.SignatureMediaType. This PR actually fixes this issue and takes SignatureMediaType from registry.

if the purpose of this PR is not enabling users to pick a signature format, can we always use mediatype returned by signature manifest i.e. user shouldn't be able to choose?

Code updated. Changed the field to an array, and separated verify options for notation.Verify() and verifier.Verify().

shizhMSFT
shizhMSFT reviewed Nov 23, 2022
View reviewed changes
notation.go Outdated Show resolved Hide resolved
notation.go Outdated Show resolved Hide resolved
notation.go Outdated Show resolved Hide resolved
notation.go Outdated Show resolved Hide resolved
notation.go Outdated Show resolved Hide resolved
notation.go Outdated Show resolved Hide resolved
@patrickzheng200 patrickzheng200 mentioned this pull request Nov 23, 2022
Open
@Two-Hearts
updated per code review
d0fc0ea 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
shizhMSFT
shizhMSFT approved these changes Nov 23, 2022
View reviewed changes
Copy link
Contributor

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@priteshbandi
Copy link
Contributor

if the purpose of this PR is not enabling users to pick a signature format, can we always use mediatype returned by signature manifest i.e. user shouldn't be able to choose?

@patrickzheng200 Can we do this?

@Two-Hearts
updated per code review
3aef5ce 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@patrickzheng200
Copy link
Contributor Author

@priteshbandi Oh yeah, I've updated the code. PTAL.

priteshbandi
priteshbandi reviewed Nov 25, 2022
View reviewed changes
notation.go Outdated Show resolved Hide resolved
notation.go Outdated Show resolved Hide resolved
shizhMSFT
shizhMSFT approved these changes Nov 25, 2022
View reviewed changes
Copy link
Contributor

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Two-Hearts
updated per code review
cffe5d1 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
shizhMSFT
shizhMSFT reviewed Nov 25, 2022
View reviewed changes
notation.go Show resolved Hide resolved
@Two-Hearts
updated per code review
8ac92d1 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
priteshbandi
priteshbandi approved these changes Nov 25, 2022
View reviewed changes
Copy link
Contributor

@priteshbandi priteshbandi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Two-Hearts
update
ccd6de7 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
shizhMSFT
shizhMSFT approved these changes Nov 25, 2022
View reviewed changes
Copy link
Contributor

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@shizhMSFT shizhMSFT merged commit ab113eb into notaryproject:main Nov 25, 2022
@patrickzheng200 patrickzheng200 deleted the update_verify branch November 25, 2022 02:20
@priteshbandi priteshbandi mentioned this pull request Feb 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shizhMSFT shizhMSFT shizhMSFT approved these changes

@priteshbandi priteshbandi priteshbandi approved these changes

@JeyJeyGao JeyJeyGao JeyJeyGao approved these changes

@rgnote rgnote Awaiting requested review from rgnote rgnote is a code owner

Assignees

@patrickzheng200 patrickzheng200

Labels
None yet
Projects
Notary Project Planning Board
Status: Done
Milestone
RC-1
Development

Successfully merging this pull request may close these issues.
7 participants
@patrickzheng200 @codecov-commenter @priteshbandi @shizhMSFT @JeyJeyGao @yizha1 @Two-Hearts