Unexpectedly added version property to extraIdentity #842

Closed
8R0WNI3 opened this issue Jul 12, 2024 · 1 comment · Fixed by #844
Comments

@8R0WNI3
Member

8R0WNI3 commented Jul 12, 2024

What happened:
When executing ocm sign componentversions on a component descriptor which contains multiple resources which share the same name and have extraIdentity explicitly set to {}, all resources have the version property added to the extraIdentity field except the last resource of that name (which is reasonable since the last resource is unique without extraIdentity being set as soon as all other resources have their version property added to it).

What you expected to happen:
Don't silently add properties to the extraIdentity field during ocm sign command (and certainly not inconsistently). Instead, rather fail verification.

How to reproduce it (as minimally and precisely as possible):
Example component descriptor which has to be signed using ocm sign componentversions command:

component:
  componentReferences: []
  name: example.org/my-component
  provider: ACME Inc.
  repositoryContexts: []
  resources:
  - access:
      imageReference: hello-world
      type: ociArtifact
    extraIdentity: {} # must not be omitted to reproduce behaviour
    name: my-resource # must be part of the component multiple times
    relation: external
    type: ociImage
    version: 0.1.1 # must be different for the resources sharing the same name
  - access:
      imageReference: hello-world
      type: ociArtifact
    extraIdentity: {} # must not be omitted to reproduce behaviour
    name: my-resource # must be part of the component multiple times
    relation: external
    type: ociImage
    version: 0.1.2 # must be different for the resources sharing the same name
  sources: []
  version: 1.0.0
meta:
  schemaVersion: v2
signatures: []

Anything else we need to know:

Environment:

@8R0WNI3 8R0WNI3 added the kind/bug Bug label Jul 12, 2024
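The behaviour the report asks for is a signer that refuses to sign an ambiguous descriptor rather than rewriting it. The following is an added example (not code from the ocm project) of such a check: it models only the identity-relevant fields of a resource (the `Resource` struct and `ValidateIdentities` function are assumptions for illustration), computes each resource's identity as name plus its explicit extraIdentity, and returns an error listing every identity claimed by more than one resource without mutating the input. The constructed input mirrors the two `my-resource` entries from the descriptor above; a second variant shows the same resources with the distinguishing `version` key set explicitly by the descriptor author.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Resource is a minimal stand-in for an OCM component descriptor resource.
// Only the fields relevant to identity are modelled; this is not the ocm
// library's own type (assumption for this example).
type Resource struct {
	Name          string
	Version       string
	ExtraIdentity map[string]string
}

// identityKey renders the name plus the sorted extraIdentity pairs into a
// canonical string, so two resources with the same identity compare equal
// regardless of map iteration order.
func identityKey(r Resource) string {
	keys := make([]string, 0, len(r.ExtraIdentity))
	for k := range r.ExtraIdentity {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("name=" + r.Name)
	for _, k := range keys {
		b.WriteString(fmt.Sprintf(",%s=%s", k, r.ExtraIdentity[k]))
	}
	return b.String()
}

// ValidateIdentities returns an error listing every identity that is claimed
// by more than one resource, with the indices of the colliding resources.
// It never modifies the descriptor: a signer that silently rewrites
// extraIdentity changes what actually gets signed, so ambiguity is reported
// to the caller instead of being patched over.
func ValidateIdentities(resources []Resource) error {
	seen := map[string][]int{}
	for i, r := range resources {
		k := identityKey(r)
		seen[k] = append(seen[k], i)
	}
	var dups []string
	for k, idx := range seen {
		if len(idx) > 1 {
			dups = append(dups, fmt.Sprintf("%s (resources %v)", k, idx))
		}
	}
	if len(dups) == 0 {
		return nil
	}
	sort.Strings(dups)
	return fmt.Errorf("ambiguous resource identities: %s", strings.Join(dups, "; "))
}

func main() {
	// Constructed input mirroring the reported descriptor: two resources named
	// my-resource, both with extraIdentity explicitly set to {}.
	ambiguous := []Resource{
		{Name: "my-resource", Version: "0.1.1", ExtraIdentity: map[string]string{}},
		{Name: "my-resource", Version: "0.1.2", ExtraIdentity: map[string]string{}},
	}
	fmt.Println("as reported:", ValidateIdentities(ambiguous))

	// The same resources with the distinction made explicit by the descriptor
	// author; this passes and the signer has nothing to rewrite.
	explicit := []Resource{
		{Name: "my-resource", Version: "0.1.1", ExtraIdentity: map[string]string{"version": "0.1.1"}},
		{Name: "my-resource", Version: "0.1.2", ExtraIdentity: map[string]string{"version": "0.1.2"}},
	}
	fmt.Println("explicit extraIdentity:", ValidateIdentities(explicit))
}
```

Because the check is a pure function over the descriptor, it can run before signing and again during verification, so a descriptor whose identities were only made unique by a silent rewrite would be caught on either side.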
@ccwienk
Contributor

ccwienk commented Jul 12, 2024

Instead, rather fail verification

Generally +1. However, I would personally prefer the sign command to at most emit a warning (which may be escalated to an error) upon validation error. At least, please offer a flag to ignore validation errors (motivation being identical to #755: there should always be an override option for emergencies).
