
UX: Improve the output for a successful signing

Open yizha1 opened this issue 3 years ago • 2 comments

Summary

Currently only a digest is shown as the output after notation sign executes successfully. What is this digest about: the digest of the signature, the signature manifest, or the image manifest? See the example below:

notation sign --key $KEY_NAME $IMAGE
sha256:18adff7f255319415112345671bb41076de4a864eb792c35c20f0f6b4aa4c458

Nowadays the digest is actually the digest of the image manifest.

User Scenario

As a user, after I sign an image or artifact successfully, I want to know where the signature is stored and what the signature refers to, so that I can make sure the signature refers to the correct image or artifact, make sure the signature is stored properly, and I can CRUD later.

Improvement

Here is one idea for improving the output after a successful signing:

notation sign --key $KEY_NAME $IMAGE
Signature is pushed to registry xxx.xxx.xxx, and refers to sha256:18adff7f255319415112345671bb41076de4a864eb792c35c20f0f6b4aa4c458

cc @shizhMSFT @dtzar @FeynmanZhou @SteveLasker

yizha1 avatar Aug 13 '22 02:08 yizha1

We might also need to make output script-friendly.

shizhMSFT avatar Aug 16 '22 09:08 shizhMSFT

> We might also need to make output script-friendly.

Yes, there could be something like a -o json option to output it in JSON format.

dtzar avatar Aug 16 '22 17:08 dtzar

Any comments? @dtzar @gokarnm @priteshbandi @iamsamirzon @vaninrao10 @patrickzheng200, I will create a PR to update the spec sign.md later.

# sign an artifact identified by digest
> notation sign localhost:5000/net-monitor@sha256:1111111111111111111111111111111111111111111111111111111111111111
Sign success. Signature has been attached to localhost:5000/net-monitor@sha256:1111111111111111111111111111111111111111111111111111111111111111

# sign an artifact identified by tag
> notation sign localhost:5000/net-monitor:v1
Warning: Tag is used. Always use digest to identify the reference uniquely and immutably.

Resolve tag "v1" to digest "sha256:1111111111111111111111111111111111111111111111111111111111111111"
Sign success. Signature has been attached to localhost:5000/net-monitor@sha256:1111111111111111111111111111111111111111111111111111111111111111

yizha1 avatar Oct 27 '22 11:10 yizha1

@yizha1 Similar to my comments in https://github.com/notaryproject/notation/issues/304#issuecomment-1293593766, I suggest updating Sign success to Sign succeeded. This is more commonly used.

Another question, Notation has supported two signature envelope formats (JWS and COSE). Is it helpful to explicitly tell users about the signature envelope format they signed?

FeynmanZhou avatar Oct 27 '22 14:10 FeynmanZhou
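
A script-side check for the output proposed in the comments above, as an added example that is not part of the original issue or of notation: it pulls the signed reference out of the success line and accepts it only if it is pinned by a sha256 digest. The function names and the sample output are constructed, and the success wording ("Sign success." or "Sign succeeded.") is assumed from this thread rather than taken from a released notation version.

```shell
#!/bin/sh
# Added example, not notation's own code. Assumes the success line keeps the
# wording proposed in this thread ("Sign success." or "Sign succeeded.").

# Succeeds only for <repository>@sha256:<64 lowercase hex characters>.
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Reads captured `notation sign` output on stdin and prints the signed reference.
# Exit status: 0 = ok, 1 = no success line found, 2 = reference is not
# digest-pinned (a tag, or a malformed digest such as a missing colon).
signed_ref_from_output() (
  ref=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "Sign success. Signature has been attached to "* | \
      "Sign succeeded. Signature has been attached to "*)
        ref=${line#*"attached to "} ;;
    esac
  done
  [ -n "$ref" ] || exit 1
  is_digest_ref "$ref" || exit 2
  printf '%s\n' "$ref"
)

# Constructed sample mirroring the tag-based flow proposed in the thread.
SAMPLE_DIGEST=1111111111111111111111111111111111111111111111111111111111111111
printf '%s\n' \
  'Warning: Tag is used. Always use digest to identify the reference uniquely and immutably.' \
  '' \
  "Resolve tag \"v1\" to digest \"sha256:$SAMPLE_DIGEST\"" \
  "Sign succeeded. Signature has been attached to localhost:5000/net-monitor@sha256:$SAMPLE_DIGEST" |
  signed_ref_from_output
```

A pipeline can store the printed reference and use it for later verification instead of the tag it originally passed to the sign command.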

> @yizha1 Similar to my comments in #304 (comment), I suggest updating Sign success to Sign succeeded. This is more commonly used.
>
> Another question, Notation has supported two signature envelope formats (JWS and COSE). Is it helpful to explicitly tell users about the signature envelope format they signed?

@yizha1 I second what Feynman suggested.

patrickzheng200 avatar Oct 28 '22 00:10 patrickzheng200

> @yizha1 Similar to my comments in #304 (comment), I suggest updating Sign success to Sign succeeded. This is more commonly used.
>
> Another question, Notation has supported two signature envelope formats (JWS and COSE). Is it helpful to explicitly tell users about the signature envelope format they signed?

@patrickzheng200 @FeynmanZhou Comments taken. I will address them in the PR.

yizha1 avatar Oct 28 '22 02:10 yizha1

Reopened because the implementation of this issue (PR 450) is not merged yet.

patrickzheng200 avatar Dec 02 '22 05:12 patrickzheng200