
feat: update inspect command with timestamping #998

Merged (11 commits), Jul 30, 2024

Conversation

@Two-Hearts Two-Hearts commented Jul 26, 2024

This PR updates the notation inspect command with timestamping. Resolves #997
Example results:

notation inspect $IMAGE

Inspecting all signatures for signed artifact
myRegistry/myRepo@sha256:c0669ef34cdc14332c0f1ab0c2c01acb91d96014b172f1a76f3a39e63d1f0bda
└── application/vnd.cncf.notary.signature
    └── sha256:20171244b2291f7e854e595a20842faa581d82ebcd85266543390d5ca4b73551
        ├── media type: application/cose
        ├── signature algorithm: RSASSA-PSS-SHA-256
        ├── signed attributes
        │   ├── signingScheme: notary.x509
        │   └── signingTime: Fri Jul 26 14:50:29 2024
        ├── user defined attributes
        │   └── (empty)
        ├── unsigned attributes
        │   ├── timestamp signature
        │   │   ├── timestamp: [Fri Jul 26 06:50:37 2024, Fri Jul 26 06:50:37 2024]
        │   │   └── certificates
        │   │       ├── SHA256 fingerprint: d2f6e46ded7422ccd1d440576841366f828ada559aae3316af4d1a9ad40c7828
        │   │       │   ├── issued to: CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US
        │   │       │   ├── issued by: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US
        │   │       │   └── expiry: Fri Oct 13 23:59:59 2034
        │   │       ├── SHA256 fingerprint: 281734d4592d1291d27190709cb510b07e22c405d5e0d6119b70e73589f98acf
        │   │       │   ├── issued to: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US
        │   │       │   ├── issued by: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
        │   │       │   └── expiry: Sun Mar 22 23:59:59 2037
        │   │       └── SHA256 fingerprint: 33846b545a49c9be4903c60e01713c1bd4e4ef31ea65cd95d69e62794f30b941
        │   │           ├── issued to: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
        │   │           ├── issued by: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
        │   │           └── expiry: Sun Nov  9 23:59:59 2031
        │   └── signingAgent: Notation/1.0.0 azure-kv/1.2.0
......

Example of JSON output:

notation inspect $IMAGE -o json

{
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "Signatures": [
        {
            "mediaType": "application/cose",
            "digest": "sha256:20171244b2291f7e854e595a20842faa581d82ebcd85266543390d5ca4b73551",
            "signatureAlgorithm": "RSASSA-PSS-SHA-256",
            "signedAttributes": {
                "signingScheme": "notary.x509",
                "signingTime": "2024-07-26T14:50:29+08:00"
            },
            "userDefinedAttributes": null,
            "unsignedAttributes": {
                "signingAgent": "Notation/1.0.0 azure-kv/1.2.0",
                "timestampSignature": {
                    "timestamp": "[2024-07-26T06:50:37Z, 2024-07-26T06:50:37Z]",
                    "certificates": [
                        {
                            "SHA256Fingerprint": "d2f6e46ded7422ccd1d440576841366f828ada559aae3316af4d1a9ad40c7828",
                            "issuedTo": "CN=DigiCert Timestamp 2023,O=DigiCert\\, Inc.,C=US",
                            "issuedBy": "CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\\, Inc.,C=US",
                            "expiry": "2034-10-13T23:59:59Z"
                        },
                        {
                            "SHA256Fingerprint": "281734d4592d1291d27190709cb510b07e22c405d5e0d6119b70e73589f98acf",
                            "issuedTo": "CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\\, Inc.,C=US",
                            "issuedBy": "CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US",
                            "expiry": "2037-03-22T23:59:59Z"
                        },
                        {
                            "SHA256Fingerprint": "33846b545a49c9be4903c60e01713c1bd4e4ef31ea65cd95d69e62794f30b941",
                            "issuedTo": "CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US",
                            "issuedBy": "CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
                            "expiry": "2031-11-09T23:59:59Z"
                        }
                    ]
                }
            },
......

Example when the timestamp countersignature fails to parse:

{
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "Signatures": [
        {
            "mediaType": "application/cose",
            "digest": "sha256:85f04ea6891da367b825866c53b27999e6cdf3bae8b2fe33eb1433d938c0f3e1",
            "signatureAlgorithm": "RSASSA-PSS-SHA-256",
            "signedAttributes": {
                "signingScheme": "notary.x509",
                "signingTime": "2024-07-29T10:40:55+08:00"
            },
            "userDefinedAttributes": null,
            "unsignedAttributes": {
                "signingAgent": "Notation/1.0.0 azure-kv/1.0.1",
                "timestampSignature": {
                    "error": "failed to parse timestamp countersignature"
                }
            },
......

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
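As an added example, not part of this PR or of notation's own code: a small Go program that consumes the `-o json` output shown above and performs the checks a consumer of that output would want before relying on it: the timestamp countersignature is present and parseable (the `error` field from the third example is surfaced), the claimed `signingTime` is not later than the TSA time, and every TSA certificate listed was still unexpired when the timestamp was issued. The structs model only the fields quoted in the description, the sample inputs are trimmed copies of the two JSON documents above, and the consistency rules are this example's own, not notation's verification logic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Minimal model of the `notation inspect -o json` output shown above; only the fields the checks use are declared.
type inspectOutput struct {
	Signatures []struct {
		Digest           string `json:"digest"`
		SignedAttributes struct {
			SigningTime string `json:"signingTime"`
		} `json:"signedAttributes"`
		UnsignedAttributes struct {
			TimestampSignature *struct {
				Error        string `json:"error"`
				Timestamp    string `json:"timestamp"`
				Certificates []struct {
					SHA256Fingerprint string `json:"SHA256Fingerprint"`
					IssuedTo          string `json:"issuedTo"`
					Expiry            string `json:"expiry"`
				} `json:"certificates"`
			} `json:"timestampSignature"`
		} `json:"unsignedAttributes"`
	} `json:"Signatures"`
}

// Finding lists the timestamp-related problems found for one signature (empty when consistent).
type Finding struct {
	Digest   string
	Problems []string
}

// parseTimestampRange parses the "[lower, upper]" form used by the output.
func parseTimestampRange(s string) (lower, upper time.Time, err error) {
	parts := strings.SplitN(strings.Trim(s, "[]"), ",", 2)
	if len(parts) != 2 {
		return lower, upper, fmt.Errorf("unexpected timestamp range %q", s)
	}
	if lower, err = time.Parse(time.RFC3339, strings.TrimSpace(parts[0])); err == nil {
		upper, err = time.Parse(time.RFC3339, strings.TrimSpace(parts[1]))
	}
	return lower, upper, err
}

// CheckTimestamps reports, per signature: a missing or unusable countersignature, a claimed
// signingTime later than the TSA time (the signer's clock is untrusted, the TSA's is the trusted
// one), and any TSA certificate that had already expired when the timestamp was issued.
func CheckTimestamps(raw []byte) ([]Finding, error) {
	var out inspectOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, sig := range out.Signatures {
		f := Finding{Digest: sig.Digest}
		ts := sig.UnsignedAttributes.TimestampSignature
		switch {
		case ts == nil:
			f.Problems = append(f.Problems, "no timestamp countersignature: trust depends on the signing certificate still being valid")
		case ts.Error != "":
			f.Problems = append(f.Problems, "timestamp countersignature unusable: "+ts.Error)
		default:
			lower, upper, err := parseTimestampRange(ts.Timestamp)
			if err != nil {
				f.Problems = append(f.Problems, err.Error())
				break
			}
			if st, err := time.Parse(time.RFC3339, sig.SignedAttributes.SigningTime); err == nil && st.After(upper) {
				f.Problems = append(f.Problems, fmt.Sprintf("claimed signingTime %s is later than TSA timestamp %s", st.UTC().Format(time.RFC3339), upper.Format(time.RFC3339)))
			}
			for _, c := range ts.Certificates {
				if exp, err := time.Parse(time.RFC3339, c.Expiry); err != nil || exp.Before(lower) {
					f.Problems = append(f.Problems, "TSA certificate "+c.SHA256Fingerprint+" ("+c.IssuedTo+") not valid at timestamp time")
				}
			}
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// Constructed sample inputs, trimmed from the two JSON documents in the PR description above.
const sampleGood = `{"Signatures":[{"digest":"sha256:20171244b2291f7e854e595a20842faa581d82ebcd85266543390d5ca4b73551",
 "signedAttributes":{"signingScheme":"notary.x509","signingTime":"2024-07-26T14:50:29+08:00"},
 "unsignedAttributes":{"signingAgent":"Notation/1.0.0 azure-kv/1.2.0","timestampSignature":{"timestamp":"[2024-07-26T06:50:37Z, 2024-07-26T06:50:37Z]","certificates":[
  {"SHA256Fingerprint":"d2f6e46ded7422ccd1d440576841366f828ada559aae3316af4d1a9ad40c7828","issuedTo":"CN=DigiCert Timestamp 2023,O=DigiCert\\, Inc.,C=US","expiry":"2034-10-13T23:59:59Z"},
  {"SHA256Fingerprint":"281734d4592d1291d27190709cb510b07e22c405d5e0d6119b70e73589f98acf","issuedTo":"CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\\, Inc.,C=US","expiry":"2037-03-22T23:59:59Z"}]}}}]}`
const sampleError = `{"Signatures":[{"digest":"sha256:85f04ea6891da367b825866c53b27999e6cdf3bae8b2fe33eb1433d938c0f3e1","signedAttributes":{"signingScheme":"notary.x509","signingTime":"2024-07-29T10:40:55+08:00"},
 "unsignedAttributes":{"signingAgent":"Notation/1.0.0 azure-kv/1.0.1","timestampSignature":{"error":"failed to parse timestamp countersignature"}}}]}`

func main() {
	for _, raw := range []string{sampleGood, sampleError} {
		findings, err := CheckTimestamps([]byte(raw))
		fmt.Printf("err=%v findings=%+v\n", err, findings)
	}
}
```

The program reads the same JSON a script would get from `notation inspect $IMAGE -o json`; for the first sample it reports no problems, for the second it surfaces the `error` string instead of silently treating the signature as timestamped.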

codecov bot commented Jul 26, 2024

Codecov Report

Attention: Patch coverage is 77.55102% with 11 lines in your changes missing coverage. Please review.

Project coverage is 71.92%. Comparing base (9c15eec) to head (7375966).

Files                     Patch %   Lines
cmd/notation/inspect.go   77.55%    8 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #998      +/-   ##
==========================================
+ Coverage   71.88%   71.92%   +0.03%     
==========================================
  Files          46       46              
  Lines        2230     2265      +35     
==========================================
+ Hits         1603     1629      +26     
- Misses        431      438       +7     
- Partials      196      198       +2     

@junczhu junczhu left a comment


LGTM

shizhMSFT previously approved these changes Jul 29, 2024
@shizhMSFT shizhMSFT left a comment


LGTM

@priteshbandi priteshbandi left a comment


LGTM with a couple of nits

@priteshbandi priteshbandi left a comment


LGTM

@shizhMSFT shizhMSFT left a comment


LGTM

@Two-Hearts Two-Hearts merged commit dc9ad63 into notaryproject:main Jul 30, 2024
7 checks passed
@Two-Hearts Two-Hearts deleted the inspect branch July 30, 2024 02:04
@Two-Hearts Two-Hearts mentioned this pull request Aug 20, 2024
Linked issue this pull request may close: Notation inspect command timestamp signature support