cli: verify digests (#681)

## Description

Enable the cli command `verify component` to verify digests without
signature validation


## What type of PR is this? (check all applicable)

- [ ] 🍕 Feature
- [ ] 🐛 Bug Fix
- [ ] 📝 Documentation Update
- [ ] 🎨 Style
- [ ] 🧑‍💻 Code Refactor
- [ ] 🔥 Performance Improvements
- [ ] ✅ Test
- [ ] 🤖 Build
- [ ] 🔁 CI
- [ ] 📦 Chore (Release)
- [ ] ⏩ Revert

## Related Tickets & Documents

<!-- 
Please use this format link issue numbers: Fixes #123

https://docs.github.com/en/free-pro-team@latest/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
-->
- Related Issue # (issue)
- Closes # (issue)
- Fixes # (issue)
> Remove if not applicable

## Screenshots

<!-- Visual changes require screenshots -->


## Added tests?

- [ ] 👍 yes
- [ ] 🙅 no, because they aren't needed
- [ ] 🙋 no, because I need help
- [ ] Separate ticket for tests # (issue/pr)

Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration


## Added to documentation?

- [ ] 📜 README.md
- [ ] 🙅 no documentation needed

## Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream
modules

cmds/ocm/commands/ocmcmds/common/cmds/signing/cmd.go

@@ -35,22 +35,24 @@ type SignatureCommand struct {
 type spec struct {
 	op      string
 	sign    bool
+	desc    string
 	example string
 	terms   []string
 }
 
-func newOperation(op string, sign bool, terms []string, example string) *spec {
+func newOperation(op string, sign bool, terms []string, desc string, example string) *spec {
 	return &spec{
 		op:      op,
 		sign:    sign,
+		desc:    desc,
 		example: example,
 		terms:   terms,
 	}
 }
 
 // NewCommand creates a new ctf command.
-func NewCommand(ctx clictx.Context, op string, sign bool, terms []string, example string, names ...string) *cobra.Command {
-	spec := newOperation(op, sign, terms, example)
+func NewCommand(ctx clictx.Context, op string, sign bool, terms []string, desc string, example string, names ...string) *cobra.Command {
+	spec := newOperation(op, sign, terms, desc, example)
 	return utils.SetupCommand(&SignatureCommand{spec: spec, BaseCommand: utils.NewBaseCommand(ctx, versionconstraintsoption.New(), repooption.New(), signoption.New(sign), lookupoption.New())}, names...)
 }
 
@@ -60,7 +62,7 @@ func (o *SignatureCommand) ForName(name string) *cobra.Command {
 		Short: o.spec.op + " component version",
 		Long: `
 ` + o.spec.op + ` specified component versions.
-`,
+` + o.spec.desc,
 		Example: o.spec.example,
 	}
 }
@@ -89,7 +91,9 @@ func (o *SignatureCommand) Run() (rerr error) {
 	handler := comphdlr.NewTypeHandler(o.Context.OCM(), session, repo, comphdlr.OptionsFor(o))
 	sopts := signing.NewOptions(sign, signing.Resolver(repo, lookup.Resolver))
 	if !o.spec.sign {
-		sopts.VerifySignature = true
+		if len(sopts.SignatureNames) > 0 || sopts.Issuer != nil || sopts.Keyless {
+			sopts.VerifySignature = true
+		}
 	}
 	err = sopts.Complete(o.Context.OCMContext())
 	if err != nil {

cmds/ocm/commands/ocmcmds/components/sign/cmd.go

@@ -23,6 +23,8 @@ var (
 func NewCommand(ctx clictx.Context, names ...string) *cobra.Command {
 	return signing.NewCommand(ctx, "Sign", true,
 		[]string{"signed", "signing"},
-		"$ ocm sign componentversion --signature mandelsoft --private-key=mandelsoft.key ghcr.io/mandelsoft/kubelink",
+		desc, "$ ocm sign componentversion --signature mandelsoft --private-key=mandelsoft.key ghcr.io/mandelsoft/kubelink",
 		utils.Names(Names, names...)...)
 }
+
+var desc = ``

cmds/ocm/commands/ocmcmds/components/verify/cmd.go

@@ -23,6 +23,11 @@ var (
 func NewCommand(ctx clictx.Context, names ...string) *cobra.Command {
 	return signing.NewCommand(ctx, "Verify signature of", false,
 		[]string{"verified", "verifying signature of"},
-		"$ ocm verify componentversion --signature mandelsoft --public-key=mandelsoft.key ghcr.io/mandelsoft/kubelink",
+		desc, "$ ocm verify componentversion --signature mandelsoft --public-key=mandelsoft.key ghcr.io/mandelsoft/kubelink",
 		utils.Names(Names, names...)...)
 }
+
+var desc = `
+If no signature name is given, only the digests are validated against the
+registered ones at the component version.
+`

docs/reference/ocm_add_resource-configuration.md

@@ -15,70 +15,75 @@ resource-configuration, resourceconfig, rsccfg, rcfg
 ### Options
 
 ```
-  -h, --help                         help for resource-configuration
-  -s, --settings stringArray         settings file with variable settings (yaml)
+  -h, --help                                help for resource-configuration
+  -s, --settings stringArray                settings file with variable settings (yaml)
 ```
 
 
 #### Access Specification Options
 
 ```
-      --access YAML                  blob access specification (YAML)
-      --accessHostname string        hostname used for access
-      --accessPackage string         package or object name
-      --accessRegistry string        registry base URL
-      --accessRepository string      repository URL
-      --accessType string            type of blob access specification
-      --accessVersion string         version for access specification
-      --bucket string                bucket name
-      --commit string                git commit id
-      --digest string                blob digest
-      --globalAccess YAML            access specification for global access
-      --hint string                  (repository) hint for local artifacts
-      --mediaType string             media type for artifact blob representation
-      --reference string             reference name
-      --region string                region name
-      --size int                     blob size
+      --access YAML                         blob access specification (YAML)
+      --accessHostname string               hostname used for access
+      --accessPackage string                package or object name
+      --accessRegistry string               registry base URL
+      --accessRepository string             repository URL
+      --accessType string                   type of blob access specification
+      --accessVersion string                version for access specification
+      --bucket string                       bucket name
+      --commit string                       git commit id
+      --digest string                       blob digest
+      --globalAccess YAML                   access specification for global access
+      --hint string                         (repository) hint for local artifacts
+      --mediaType string                    media type for artifact blob representation
+      --reference string                    reference name
+      --region string                       region name
+      --size int                            blob size
 ```
 
 
 #### Input Specification Options
 
 ```
-      --hint string                  (repository) hint for local artifacts
-      --input YAML                   blob input specification (YAML)
-      --inputCompress                compress option for input
-      --inputData !bytesBase64       data (string, !!string or !<base64>
-      --inputExcludes stringArray    excludes (path) for inputs
-      --inputFollowSymlinks          follow symbolic links during archive creation for inputs
-      --inputFormattedJson YAML      JSON formatted text
-      --inputHelmRepository string   helm repository base URL
-      --inputIncludes stringArray    includes (path) for inputs
-      --inputJson YAML               JSON formatted text
-      --inputLibraries stringArray   library path for inputs
-      --inputPath string             path field for input
-      --inputPlatforms stringArray   input filter for image platforms ([os]/[architecture])
-      --inputPreserveDir             preserve directory in archive for inputs
-      --inputText string             utf8 text
-      --inputType string             type of blob input specification
-      --inputValues YAML             YAML based generic values for inputs
-      --inputVariants stringArray    (platform) variants for inputs
-      --inputVersion string          version info for inputs
-      --inputYaml YAML               YAML formatted text
-      --mediaType string             media type for artifact blob representation
+      --body string                         body of a http request
+      --header <name>:<value>,<value>,...   http headers (default {})
+      --hint string                         (repository) hint for local artifacts
+      --input YAML                          blob input specification (YAML)
+      --inputCompress                       compress option for input
+      --inputData !bytesBase64              data (string, !!string or !<base64>
+      --inputExcludes stringArray           excludes (path) for inputs
+      --inputFollowSymlinks                 follow symbolic links during archive creation for inputs
+      --inputFormattedJson YAML             JSON formatted text
+      --inputHelmRepository string          helm repository base URL
+      --inputIncludes stringArray           includes (path) for inputs
+      --inputJson YAML                      JSON formatted text
+      --inputLibraries stringArray          library path for inputs
+      --inputPath filepath                  path field for input
+      --inputPlatforms stringArray          input filter for image platforms ([os]/[architecture])
+      --inputPreserveDir                    preserve directory in archive for inputs
+      --inputText string                    utf8 text
+      --inputType string                    type of blob input specification
+      --inputValues YAML                    YAML based generic values for inputs
+      --inputVariants stringArray           (platform) variants for inputs
+      --inputVersion string                 version info for inputs
+      --inputYaml YAML                      YAML formatted text
+      --mediaType string                    media type for artifact blob representation
+      --noredirect                          http redirect behavior
+      --url string                          artifact or server url
+      --verb string                         http request method
 ```
 
 
 #### Resource Meta Data Options
 
 ```
-      --external                     flag non-local resource
-      --extra <name>=<value>         resource extra identity (default [])
-      --label <name>=<YAML>          resource label (leading * indicates signature relevant, optional version separated by @)
-      --name string                  resource name
-      --resource YAML                resource meta data (yaml)
-      --type string                  resource type
-      --version string               resource version
+      --external                            flag non-local resource
+      --extra <name>=<value>                resource extra identity (default [])
+      --label <name>=<YAML>                 resource label (leading * indicates signature relevant, optional version separated by @)
+      --name string                         resource name
+      --resource YAML                       resource meta data (yaml)
+      --type string                         resource type
+      --version string                      resource version
 ```
 
 ### Description
@@ -456,6 +461,46 @@ with the field <code>type</code> in the <code>input</code> field:
 
   Options used to configure fields: <code>--inputCompress</code>, <code>--inputFormattedJson</code>, <code>--inputJson</code>, <code>--inputText</code>, <code>--inputYaml</code>, <code>--mediaType</code>
 
+- Input type <code>wget</code>
+
+  The <code>url</code> is the url pointing to the http endpoint from which a resource is
+  downloaded. The <code>mimeType</code> can be used to specify the MIME type of the
+  resource.
+
+  This blob type specification supports the following fields:
+  - **<code>url</code>** *string*
+
+    This REQUIRED property describes the url from which the resource is to be
+    downloaded.
+
+  - **<code>mediaType</code> *string*
+
+    This OPTIONAL property describes the media type of the resource to be
+    downloaded. If omitted, ocm tries to read the mediaType from the Content-Type header
+    of the http response. If the mediaType cannot be set from the Content-Type header as well,
+    ocm tries to deduct the mediaType from the URL. If that is not possible either, the default
+    media type is defaulted to application/octet-stream.
+
+  - **<code>header</code>** *map[string][]string*
+
+    This OPTIONAL property describes the http headers to be set in the http request to the server.
+
+  - **<code>verb</code>** *string*
+
+    This OPTIONAL property describes the http verb (also known as http request method) for the http
+    request. If omitted, the http verb is defaulted to GET.
+
+  - **<code>body</code>** *[]byte*
+
+    This OPTIONAL property describes the http body to be included in the request.
+
+  - **<code>noredirect<code>** *bool*
+
+    This OPTIONAL property describes whether http redirects should be disabled. If omitted,
+    it is defaulted to false (so, per default, redirects are enabled).
+
+  Options used to configure fields: <code>--body</code>, <code>--header</code>, <code>--mediaType</code>, <code>--noredirect</code>, <code>--url</code>, <code>--verb</code>
+
 The following list describes the supported access methods, their versions
 and specification formats.
 Typically there is special support for the CLI artifact add commands.
@@ -802,7 +847,7 @@ There are several templaters that can be selected by the <code>--templater</code
 ### Examples
 
 ```
-$ ocm add resource-config resources.yaml --name myresource --type PlainText --input '{ "type": "file", "path": "testdata/testcontent", "mediaType": "text/plain" }'
+$ ocm add resource-configuration resources.yaml --name myresource --type PlainText --input '{ "type": "file", "path": "testdata/testcontent", "mediaType": "text/plain" }'
 ```
 
 ### SEE ALSO