spec: update cli sign spec for tag to digest translation #439
Conversation
Signed-off-by: Yi Zha <zhayi@outlook.com>
Signed-off-by: Yi Zha <zhayi@outlook.com>
Signed-off-by: Yi Zha <zhayi@outlook.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
yizha1
requested review from
toddysm,
dtzar,
priteshbandi,
shizhMSFT,
FeynmanZhou and
a team
Codecov Report
@@ Coverage Diff @@
## main #439 +/- ##
==========================================
- Coverage 32.82% 32.48% -0.35%
==========================================
Files 25 25
Lines 1237 1250 +13
==========================================
Hits 406 406
- Misses 819 832 +13
Partials 12 12
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
I think the verbiage should be changed to - [ Sign an OCI artifact stored in a registry and use ”--expiry”(expiration) parameter to define the expiration duration for the signature in days, for example 1day = 24 hours. ] |
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
|
LGTM |
specs/commandline/sign.md
Outdated
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. | ||
| Resolved artifact tag '<tag>' to digest '<digest>' before signing. |
There was a problem hiding this comment.
Note: These outputs will be in the form of logs.
| # Or change the default signing key to an existing signing key | ||
| notation key update --default <key_name> | ||
| # Prerequisites: | ||
| # - A signing plugin is installed. See plugin documentation (https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details. |
There was a problem hiding this comment.
Instead of the main branch, should we use a tag version for the URL?
There was a problem hiding this comment.
Can we update it later once we have cut a version for notaryproject?
specs/commandline/sign.md
Outdated
| Upon successful signing, the generated signature is pushed to the registry and associated with the signed OCI artifact. The output message is printed out as following: | ||
|
|
||
| ```text | ||
| Successfully signed <registry>/<repository>@<digest>. |
There was a problem hiding this comment.
It seems not consistent with notation verify that the sentence has a dot at the end or not.
|
|
||
| ```console | ||
| $ notation sign localhost:5000/net-monitor:v1 | ||
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. |
There was a problem hiding this comment.
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed. | |
| Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:<tag>`) because tags are mutable and a tag reference can point to a different artifact than the one signed. |
There was a problem hiding this comment.
I would keep line 115 as it is, but change the text in line 18 from :v1 to :<tag>. What do you think?
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
yizha1
dismissed
toddysm’s stale review
Discussed with Toddy, and looks good to him
This PR is mainly to improve the output message of
notation signcommand for tag to digest translation.