notaryproject · shizhMSFT · Dec 5, 2022 · Oct 12, 2022 · Oct 12, 2022 · Oct 12, 2022
@@ -5,7 +5,7 @@ import (
 	"errors"
 	"fmt"
 
-	notationRegistry "github.com/notaryproject/notation-go/registry"
+	notationregistry "github.com/notaryproject/notation-go/registry"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
@@ -50,7 +50,7 @@ func runList(command *cobra.Command, opts *listOpts) error {
 	}
 
 	// core process
-	manifestDesc, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, reference)
+	manifestDesc, _, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, reference)
 	if err != nil {
 		return err
 	}
@@ -61,7 +61,7 @@ func runList(command *cobra.Command, opts *listOpts) error {
 
 // printSignatureManifestDigests returns the signature manifest digests of
 // the subject manifest.
-func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Digest, sigRepo notationRegistry.Repository, reference string) error {
+func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Digest, sigRepo notationregistry.Repository, reference string) error {
 	// prepare title
 	ref, err := registry.ParseReference(reference)
 	if err != nil {
@@ -72,7 +72,7 @@ func printSignatureManifestDigests(ctx context.Context, manifestDigest digest.Di
 	printTitle := func() {
 		if !titlePrinted {
 			fmt.Println(ref)
-			fmt.Printf("└── %s\n", notationRegistry.ArtifactTypeNotation)
+			fmt.Printf("└── %s\n", notationregistry.ArtifactTypeNotation)
 			titlePrinted = true
 		}
 	}

@@ -8,22 +8,30 @@ import (
 	"oras.land/oras-go/v2/registry"
 )
 
-func getManifestDescriptorFromContext(ctx context.Context, opts *SecureFlagOpts, ref string) (ocispec.Descriptor, error) {
+func getManifestDescriptorFromContext(ctx context.Context, opts *SecureFlagOpts, ref string) (ocispec.Descriptor, registry.Reference, error) {
 	if ref == "" {
-		return ocispec.Descriptor{}, errors.New("missing reference")
+		return ocispec.Descriptor{}, registry.Reference{}, errors.New("missing reference")
 	}
 
 	return getManifestDescriptorFromReference(ctx, opts, ref)
 }
 
-func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpts, reference string) (ocispec.Descriptor, error) {
+func getManifestDescriptorFromReference(ctx context.Context, opts *SecureFlagOpts, reference string) (ocispec.Descriptor, registry.Reference, error) {
 	ref, err := registry.ParseReference(reference)
 	if err != nil {
-		return ocispec.Descriptor{}, err
+		return ocispec.Descriptor{}, registry.Reference{}, err
+	}
+	if ref.Reference == "" {
+		return ocispec.Descriptor{}, registry.Reference{}, errors.New("reference is missing digest or tag")
 	}
 	repo, err := getRepositoryClient(opts, ref)
 	if err != nil {
-		return ocispec.Descriptor{}, err
+		return ocispec.Descriptor{}, registry.Reference{}, err
+	}
+
+	manifestDesc, err := repo.Resolve(ctx, ref.Reference)
+	if err != nil {
+		return ocispec.Descriptor{}, registry.Reference{}, err
 	}
-	return repo.Resolve(ctx, ref.ReferenceOrDefault())
+	return manifestDesc, ref, err
 }
@@ -9,8 +9,8 @@ import (
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation/internal/cmd"
 	"github.com/notaryproject/notation/internal/envelope"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
+	"oras.land/oras-go/v2/registry"
 )
 
 type signOpts struct {
@@ -74,7 +74,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 	}
 
 	// core process
-	desc, opts, err := prepareSigningContent(command.Context(), cmdOpts)
+	opts, ref, err := prepareSigningContent(command.Context(), cmdOpts)
 	if err != nil {
 		return err
 	}
@@ -88,30 +88,39 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 	}
 
 	// write out
-	fmt.Println(desc.Digest)
+	fmt.Println("Successfully signed", ref)
+
 	return nil
 }
 
-func prepareSigningContent(ctx context.Context, opts *signOpts) (ocispec.Descriptor, notation.SignOptions, error) {
-	manifestDesc, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference)
+func prepareSigningContent(ctx context.Context, opts *signOpts) (notation.SignOptions, registry.Reference, error) {
+	manifestDesc, ref, err := getManifestDescriptorFromContext(ctx, &opts.SecureFlagOpts, opts.reference)
 	if err != nil {
-		return ocispec.Descriptor{}, notation.SignOptions{}, err
+		return notation.SignOptions{}, registry.Reference{}, err
 	}
 	mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat)
 	if err != nil {
-		return ocispec.Descriptor{}, notation.SignOptions{}, err
+		return notation.SignOptions{}, registry.Reference{}, err
 	}
 	pluginConfig, err := cmd.ParseFlagPluginConfig(opts.pluginConfig)
 	if err != nil {
-		return ocispec.Descriptor{}, notation.SignOptions{}, err
+		return notation.SignOptions{}, registry.Reference{}, err
+	}
+	if ref.ValidateReferenceAsDigest() != nil {
+		// reference is not a digest reference
+		fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference)
+		fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, manifestDesc.Digest.String())
+
+		// resolve tag to digest reference
+		ref.Reference = manifestDesc.Digest.String()
 	}
 
 	signOpts := notation.SignOptions{
-		ArtifactReference:  opts.reference,
+		ArtifactReference:  ref.String(),
 		SignatureMediaType: mediaType,
 		ExpiryDuration:     opts.expiry,
 		PluginConfig:       pluginConfig,
 	}
 
-	return manifestDesc, signOpts, nil
+	return signOpts, ref, nil
 }
@@ -2,15 +2,13 @@ package main
 
 import (
 	"errors"
+	"fmt"
 	"math"
-	"os"
-	"strings"
 
 	"github.com/notaryproject/notation-go"
 	notationregistry "github.com/notaryproject/notation-go/registry"
 	"github.com/notaryproject/notation-go/verifier"
 	"github.com/notaryproject/notation/internal/cmd"
-	"github.com/notaryproject/notation/internal/ioutil"
 
 	"github.com/spf13/cobra"
 	"oras.land/oras-go/v2/registry"
@@ -57,13 +55,13 @@ Example - Verify a signature on an OCI artifact identified by a tag  (Notation w
 }
 
 func runVerify(command *cobra.Command, opts *verifyOpts) error {
-	// resolve the given reference and set the digest.
+	// resolve the given reference and set the digest
 	ref, err := resolveReference(command, opts)
 	if err != nil {
 		return err
 	}
 
-	// initialize verifier.
+	// initialize verifier
 	verifier, err := verifier.NewFromConfig()
 	if err != nil {
 		return err
@@ -76,7 +74,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 	}
 	repo := notationregistry.NewRepository(&remoteRepo)
 
-	// set up verification plugin config.
+	// set up verification plugin config
 	configs, err := cmd.ParseFlagPluginConfig(opts.pluginConfig)
 	if err != nil {
 		return err
@@ -90,11 +88,27 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 		MaxSignatureAttempts: math.MaxInt64,
 	}
 
-	// core verify process.
+	// core verify process
 	_, outcomes, err := notation.Verify(command.Context(), verifier, repo, verifyOpts)
 
-	// write out.
-	return ioutil.PrintVerificationResults(os.Stdout, outcomes, err, ref.Reference)
+	// write out
+	// on failure
+	if err != nil || len(outcomes) == 0 {
+		return fmt.Errorf("signature verification failed for all the signatures associated with %s", ref.String())
+	}
+
+	// on success
+	outcome := outcomes[0]
+	// print out warning for any failed result with logged verification action
+	for _, result := range outcome.VerificationResults {
+		if result.Error != nil {
+			// at this point, the verification action has to be logged and
+			// it's failed
+			fmt.Printf("Warning: %v was set to \"logged\" and failed with error: %v\n", result.Type, result.Error)
+		}
+	}
+	fmt.Println("Successfully verified signature for", ref.String())
+	return nil
 }
 
 func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Reference, error) {
@@ -103,26 +117,19 @@ func resolveReference(command *cobra.Command, opts *verifyOpts) (registry.Refere
 		return registry.Reference{}, err
 	}
 
-	if isDigestReference(opts.reference) {
+	// reference is a digest reference
+	if ref.ValidateReferenceAsDigest() == nil {
 		return ref, nil
 	}
 
-	// Resolve tag reference to digest reference.
-	manifestDesc, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference)
+	// resolve tag to digest reference
+	manifestDesc, ref, err := getManifestDescriptorFromReference(command.Context(), &opts.SecureFlagOpts, opts.reference)
 	if err != nil {
 		return registry.Reference{}, err
 	}
-
+	fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String())
+	fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.")
 	ref.Reference = manifestDesc.Digest.String()
-	return ref, nil
-}
-
-func isDigestReference(reference string) bool {
-	parts := strings.SplitN(reference, "/", 2)
-	if len(parts) == 1 {
-		return false
-	}
 
-	index := strings.Index(parts[1], "@")
-	return index != -1
+	return ref, nil
 }
@@ -5,7 +5,6 @@ import (
 	"io"
 	"text/tabwriter"
 
-	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/config"
 )
 
@@ -33,17 +32,3 @@ func PrintKeyMap(w io.Writer, target string, v []config.KeySuite) error {
 	}
 	return tw.Flush()
 }
-
-func PrintVerificationResults(w io.Writer, v []*notation.VerificationOutcome, resultErr error, digest string) error {
-	tw := newTabWriter(w)
-
-	if resultErr == nil {
-		fmt.Fprintf(tw, "Successfully verified for %s\n", digest)
-		// TODO[https://github.com/notaryproject/notation/issues/304]: print out failed validations as warnings.
-		return nil
-	}
-	fmt.Printf("Signature verification failed for all the signatures associated with digest: %s\n", digest)
-	tw.Flush()
-
-	return resultErr
-}