-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement generate signature plugin workflow #42
Conversation
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v2...v3) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v2...v3.0.1) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Plugin spec updated with latest changes in notaryproject/specifications#155 |
notation.go
Outdated
@@ -55,7 +33,7 @@ func (opts SignOptions) Validate() error { | |||
type Signer interface { | |||
// Sign signs the artifact described by its descriptor, | |||
// and returns the signature. | |||
Sign(ctx context.Context, desc Descriptor, opts SignOptions) ([]byte, error) | |||
Sign(ctx context.Context, desc signature.Descriptor, opts SignOptions) ([]byte, error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think Descriptor
should be maintained at the notation
level, regardless how plugin protocol works.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any particular reason? The descriptor is part of the signing spec, so IMO it should be in the spec package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then we have the Signer
interface to be spec specific, and probably we need to put the Signer
into the specs/v1
folder. LoL.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Signer
is not part of the spec, it's just an interface defined by notation-go
, so I would put it in /spec
. As we have removed the version subfolders from /spec
, then we have no conflict here anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are two protocols here. One is at the Signer
interface level, another is at the spec level. We probably need a design doc here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO types which are inputs and outputs of Sign/Verify methods in top level package should also be in the same package, Descriptor
should remain at notation
level.
I think spec
package is not required, Notation implements one major version of Notary V2 specifications, which can introduce non breaking changes. Breaking changes can be introduced in a new major version of specification and corresponding new major version of Notation.
An exception is the plugin contract spec versioning, which is independent of other versioning, but we need not reflect this in package naming, consumers do not directly interact with plugin contract version.
We should also put most types under internal
package, and selectively move then out as publicly visible types as appropriate for Notation CLI and other consumers . Are we planning to use pkg
folder for public library types? I was looking at Go lang project layout standard, but not sure how widely it's adopted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are two protocols here. One is at the
Signer
interface level, another is at the spec level. We probably need a design doc here.
Can you clarify @shizhMSFT? I didn't understand why two interfaces are required, are you referring to the low level Signer
interface to be added in notation-core-go
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think spec package is not required, Notation implements one major version of Notary V2 specifications, which can introduce non breaking changes. Breaking changes can be introduced in a new major version of specification and corresponding new major version of Notation.
I will not tire of repeating that mixing the notation-go
module versioning with the Notary versioning is an artificial restriction that will limit notation-go
capacity to improve its API. What if in a couple of months, or even years, we find that part of the API is too easy to misuse or has security vulnerabilities? What if we think there is a much better way to implement the Notary spec? We won't be able to react properly if we can't bump the major version of nottion-go
.
About having the spec
package or putting everything at the root of the module, I think there is value on having a clear separation for types which are defined in the Notary spec and types that are invented by notation-go
. I'm not a maintainer of this library, so if you don't see it then I can remove it.
An exception is the plugin contract spec versioning, which is independent of other versioning, but we need not reflect this in package naming, consumers do not directly interact with plugin contract version.
We should also put most types under internal package, and selectively move then out as publicly visible types as appropriate for Notation CLI and other consumers
spec/plugin
package is intended for plugin authors consumption, if we move those types into internal
they will have to reimplement the whole plugin spec. I can assure you that all types and methods in spec
are relevant for consumers, as I'm implementing the notation-azure-kv
plugin and notation
cli in parallel and I'm just exporting what's necessary.
Are we planning to use pkg folder for public library types? I was looking at Go lang project layout standard, but not sure how widely it's adopted.
Having a package named pkg
is not idiomatic, it used to be long time ago, and the current best practice is to place packages at the module root, or stack them with care.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will not tire of repeating that mixing the
notation-go
module versioning with the Notary versioning is an artificial restriction that will limitnotation-go
capacity to improve its API. What if in a couple of months, or even years, we find that part of the API is too easy to misuse or has security vulnerabilities?
I agree with the concern, I don't think we have thought enough about versioning of the multiple things (plugins, signature, trust policy) and which ones may reflect in package structure. For example, trust policy document has its own version property, so that policy language in trustPolicy.json
can be independently revised without impacting anything else. We'll be making a round of refactoring to get it in line with intended separation between notation, notation-go and notation-core-go, we'll also wait for the rest of the specs to be completed. I'll track this as one of the items in a refactoring issue, and an independent issue to clarify versioning. Do you have few examples of projects that expose a spec and spec version to consumers as part of package structure, /image-spec was one, but that's quite stable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you have few examples of projects that expose a spec and spec version to consumers as part of package structure, /image-spec was one, but that's quite stable.
To name a few big ones:
- azure-go-sdk use it all around.
- aws-sdk-go is more stable but also uses it.
- google/go.
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
This reverts commit c9afb7c. Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added some comments, will cover the rest of changes in another pass.
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
notation.go
Outdated
@@ -55,7 +33,7 @@ func (opts SignOptions) Validate() error { | |||
type Signer interface { | |||
// Sign signs the artifact described by its descriptor, | |||
// and returns the signature. | |||
Sign(ctx context.Context, desc Descriptor, opts SignOptions) ([]byte, error) | |||
Sign(ctx context.Context, desc signature.Descriptor, opts SignOptions) ([]byte, error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are two protocols here. One is at the Signer
interface level, another is at the spec level. We probably need a design doc here.
@gokarnm , is your requested change resolved? |
@SteveLasker on the call yesterday @gokarnm said the changes he made are fine with the code he reviewed so far but wants a couple changes after the PR is merged and he will file issues to track. He only reviewed 1/2 of the PR and will review the rest today. |
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly superficial comments around naming and error messages.
For organizing packages and types, IMO we should not have a spec
top level package. I'd keep public methods and corresponding input/output types (e.g. Descriptor) in the same package. Any private types should be moved to internal
package, any public plugin types should move to plugin
package.
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Co-authored-by: Milind Gokarn <milind81@gmail.com> Signed-off-by: qmuntal <qmuntaldiaz@microsoft.com>
Thanks everyone for the feedback. I've finally removed the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks @qmuntal for implementing this and improving the spec along the way!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Great work @qmuntal
This PR contains the following changes:
describe-key
commandgenerate-signature
request to includekeySpec
,hashAlgorithm
andconfigMap
generate-signature
workflow supportspec/v1/plugin
andspec/v1/signature
package. These contains the Go types as defined in the notary spec. Having this in its own package will help decoupling the spec itself with the crypto-related code and also plugin authors who want to implement thegenerate-envelope
workflow.This PR still doesn't implement:
generate-signature
workflow@SteveLasker @shizhMSFT @gokarnm @jaredpar