notation-go
A collection of libraries for signing and verifying OCI artifacts, based on the Notary Project specifications.
Test example:
```
notation sign docker.io/xxx/hello:v1 --plugin azure-kv --id https://xxx.vault.azure.net/certificates/xxx/xxx --plugin-config credential_type=azurecli -v
INFO The referrers tag schema is always attempted
INFO Reference v1 resolved to manifest descriptor: {MediaType:application/vnd.docker.distribution.manifest.v2+json Digest:sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4...
```
### What is not working as expected?
```
$ notation sign --key wabbit-networks-ca-issued $image -v
INFO Using the referrers tag schema
INFO Reference v1 resolved to manifest descriptor: {MediaType:application/vnd.docker.distribution.manifest.v2+json Digest:sha256:43837354f3f9a79b20b430b8ce4b6cc43c52dbabed9e88775b53697fe560c329...
```
This PR implements VerifyBlob functionality as per https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md *This PR is ready for review*
Payload Mediatype and certificate thumbprint annotation constants are not exported for API consumers
### What is not working as expected?
The constants defined in `internal/envelope/envelope.go`
```
MediaTypePayloadV1 = "application/vnd.cncf.notary.payload.v1+json"
AnnotationX509ChainThumbprint = "io.cncf.notary.x509chain.thumbprint#S256"
```
are not exported, and therefore not available for consumers of...
### Prerequisites
1. https://github.com/notaryproject/notation-core-go/issues/124
2. https://github.com/notaryproject/notation-core-go/issues/125
### Tasks
- [ ] Abstract OCSP and CRL check behind a separate module.
- [ ] Call the above module based on [spec](https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#certificate-revocation-evaluation)...
Refactoring to thin out the notation pkg. In this change, we are moving a bunch of code from the `notation` cli to the `notation-go` pkg so that the `notation` pkg is truly a cli wrapper...
Users are able to use the verify command to ensure that a certificate chain passes OCSP revocation checks after #295. However, it may be helpful for users to see these...
Signature verification needs to perform x509 revocation check (CRL/OCSP) and fail if a certificate in the chain is revoked. See https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#certificate-revocation-evaluation
https://github.com/notaryproject/notation-go/blob/0355e8eb494c3e8f9ecb899f12c06ab333739321/signer/signer.go#L24 The semver, currently `1.0.0`, should be set based on the notation release, which means the value needs to be taken as input from the caller of the sign method.
Created this issue to track adding a SignatureMediaTypes array to RemoteVerifyOptions. Proposed behavior:
1. When SignatureMediaTypes is empty, i.e. left by the user as default, all signature media types will be processed...