fix: add digest check for Sign #317

Merged
merged 3 commits into from
May 25, 2023

byronchien
Contributor

@byronchien byronchien commented May 24, 2023

This PR adds digest check on Sign.

Signed-off-by: Byron Chien <byronc@ucla.edu>
Co-authored-by: Patrick Zheng <patrickzheng@microsoft.com>

Signed-off-by: Byron Chien <byronc@ucla.edu>
@codecov-commenter

codecov-commenter commented May 24, 2023

Codecov Report

Merging #317 (c54ea8d) into main (c3f8c33) will increase coverage by 0.02%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #317      +/-   ##
==========================================
+ Coverage   74.78%   74.80%   +0.02%     
==========================================
  Files          23       23              
  Lines        2177     2179       +2     
==========================================
+ Hits         1628     1630       +2     
  Misses        433      433              
  Partials      116      116              
Impacted Files Coverage Δ
notation.go 64.81% <100.00%> (+0.32%) ⬆️

priteshbandi
priteshbandi previously approved these changes May 24, 2023
Contributor

@priteshbandi priteshbandi left a comment

LGTM

@Two-Hearts
Contributor

Two-Hearts commented May 25, 2023

After running through a test workflow from Notation CLI, I found this change is not quite correct.
To reproduce: run command notation sign <reg>/<repo>@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d -v
The notation-go logic still sees the above digest as a tag and prints out the warning Always sign the artifact using digest....

The reason causing this issue: notation CLI will always set signOpts.ArtifactReference as a digest and pass it to notation-go, related code: https://github.com/notaryproject/notation/blob/a695b60ed2b0d9a173724c23b5f2c0dd04558f3e/cmd/notation/sign.go#L133.
Thus, in notation-go, given the input is from Notation CLI, ref, err := orasRegistry.ParseReference(artifactRef) would always return non-nil error with EMPTY ref (this code is valid because non-CLI users might choose to pass a full reference to notation-go).
Then, the new change in this PR if ref.ValidateReferenceAsDigest() != nil will always be evaluated to true, as long as the caller is notation CLI.
/cc: @priteshbandi @JeyJeyGao @shizhMSFT
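
The failure mode described in the comment above, as an added Go example that is not notation-go's code and not the fix merged in this PR. `parseReference`, `isDigest`, `warnsFlawed` and `warnsChecked` are hypothetical stand-ins that assume only the behavior the comment states: a bare digest fails to parse and leaves a zero-value reference.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-ins for illustration; not the oras-go or notation-go API.
var digestRE = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

type reference struct{ Repository, Ref string }

func (r reference) isDigest() bool { return digestRE.MatchString(r.Ref) }

// parseReference returns an error and a zero-value reference for input
// that has no registry/repository part, such as a bare digest.
func parseReference(s string) (reference, error) {
	slash := strings.Index(s, "/")
	if slash <= 0 {
		return reference{}, errors.New("missing registry or repository")
	}
	sep := strings.Index(s, "@")
	if sep < 0 {
		sep = slash + strings.LastIndex(s[slash:], ":")
	}
	if sep <= slash { // neither tag nor digest present
		return reference{Repository: s}, nil
	}
	return reference{Repository: s[:sep], Ref: s[sep+1:]}, nil
}

// warnsFlawed drops the parse error, so a bare digest is judged by the
// zero-value reference and the "sign using digest" warning always fires.
func warnsFlawed(artifactRef string) bool {
	ref, _ := parseReference(artifactRef)
	return !ref.isDigest()
}

// warnsChecked validates the raw input as a digest when parsing fails.
func warnsChecked(artifactRef string) bool {
	ref, err := parseReference(artifactRef)
	if err != nil {
		return !digestRE.MatchString(artifactRef)
	}
	return !ref.isDigest()
}

func main() {
	d := "sha256:" + strings.Repeat("ab", 32) // constructed digest
	for _, in := range []string{d, "registry.example/app@" + d, "registry.example/app:v1"} {
		fmt.Println(in, "flawed warns:", warnsFlawed(in), "checked warns:", warnsChecked(in))
	}
}
```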

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
@Two-Hearts
Contributor

Based on our discussion offline, fixed the logic in this PR as asked by @priteshbandi. /cc: @byronchien

Contributor

@priteshbandi priteshbandi left a comment

LGTM

Contributor

@JeyJeyGao JeyJeyGao left a comment

LGTM

@shizhMSFT shizhMSFT changed the title fix: Add digest check for Sign fix: add digest check for Sign May 25, 2023
Contributor

@shizhMSFT shizhMSFT left a comment

LGTM

@shizhMSFT shizhMSFT merged commit eba60f5 into notaryproject:main May 25, 2023
@priteshbandi priteshbandi added this to the v1.0.0-rc.6 milestone May 25, 2023