feat: timestamping feature (ratify-project#1758)
Signed-off-by: akashsinghal <[email protected]>
junczhu authored and akashsinghal committed Sep 13, 2024
1 parent f609cb0 commit 106f531
Showing 17 changed files with 409 additions and 62 deletions.
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -30,7 +30,7 @@ RUN curl -Lo bats.tar.gz https://github.com/bats-core/bats-core/archive/v${BATS_
&& bash ./bats-core-${BATS_VERSION}/install.sh /usr/local \
&& rm -rf bats.tar.gz ./bats-core-${BATS_VERSION}

ARG NOTATION_VERSION="1.0.0-rc.1"
ARG NOTATION_VERSION="1.2.0"
RUN curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v${NOTATION_VERSION}/notation_${NOTATION_VERSION}_linux_amd64.tar.gz \
&& tar -zxf notation.tar.gz \
&& mv ./notation /usr/local/bin/notation \
2 changes: 1 addition & 1 deletion .github/licenserc.yml
Expand Up @@ -29,7 +29,7 @@ header:
limitations under the License.
paths-ignore:
- "**/*.{md,svg,yaml,crt,json,pub,yml,pb.go,proto}"
- "**/*.{md,svg,yaml,crt,cer,json,pub,yml,pb.go,proto}"
- "CODEOWNERS"
- "PROJECT"
- "NOTICE"
13 changes: 11 additions & 2 deletions Makefile
Expand Up @@ -31,7 +31,7 @@ KIND_KUBERNETES_VERSION ?= 1.29.2
GATEKEEPER_VERSION ?= 3.16.0
DAPR_VERSION ?= 1.12.5
COSIGN_VERSION ?= 2.2.3
NOTATION_VERSION ?= 1.1.0
NOTATION_VERSION ?= 1.2.0
ORAS_VERSION ?= 1.1.0

HELM_VERSION ?= 3.14.2
Expand All @@ -56,6 +56,8 @@ TRIVY_VERSION ?= 0.49.1
GATEKEEPER_NAMESPACE = gatekeeper-system
RATIFY_NAME = ratify

TIMESTAMP_URL = http://timestamp.digicert.com

# Local Registry Setup
LOCAL_REGISTRY_IMAGE ?= ghcr.io/project-zot/zot-linux-amd64:v2.0.2
TEST_REGISTRY = localhost:5000
Expand Down Expand Up @@ -98,6 +100,7 @@ install:
ratify-config:
cp ./test/bats/tests/config/* ${INSTALL_DIR}
cp ./test/bats/tests/certificates/wabbit-networks.io.crt ${INSTALL_DIR}/ratify-certs/notation/wabbit-networks.io.crt
cp ./test/bats/tests/certificates/tsarootca.cer ${INSTALL_DIR}/ratify-certs/notation/tsarootca.cer
cp ./test/bats/tests/certificates/cosign.pub ${INSTALL_DIR}/ratify-certs/cosign/cosign.pub
cp -r ./test/bats/tests/schemas/ ${INSTALL_DIR}

Expand Down Expand Up @@ -295,10 +298,16 @@ e2e-notation-setup:
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/notation/notation.tar:v0 ${TEST_REGISTRY}/notation:unsigned
rm .staging/notation/notation.tar

printf 'FROM ${ALPINE_IMAGE}\nCMD ["echo", "notation tsa signed image"]' > .staging/notation/Dockerfile
docker buildx create --use
docker buildx build --output type=oci,dest=.staging/notation/notation.tar -t notation:v0 .staging/notation
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/notation/notation.tar:v0 ${TEST_REGISTRY}/notation:tsa
rm .staging/notation/notation.tar

rm -rf ~/.config/notation
.staging/notation/notation cert generate-test --default "ratify-bats-test"

NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign --allow-referrers-api -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/notation@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/notation:signed --descriptor | jq .digest | xargs`
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign --timestamp-url ${TIMESTAMP_URL} --timestamp-root-cert ./test/bats/tests/certificates/tsarootca.cer --allow-referrers-api -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/notation@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/notation:tsa --descriptor | jq .digest | xargs`
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign --allow-referrers-api -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/all@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/all:v0 --descriptor | jq .digest | xargs`

e2e-notation-leaf-cert-setup:
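Review bot: In the `ratify-config` hunk, `tsarootca.cer` is copied into `${INSTALL_DIR}/ratify-certs/notation/` beside the signing certificate `wabbit-networks.io.crt`; Notation keeps TSA roots in a separate `tsa` trust-store type from signing-CA roots, so if that directory is consumed as a `ca` store the TSA root would also be accepted as a root for signing certificates — which store type the config under `test/bats/tests/config` assigns it to is not visible here and should be confirmed. A one-line comment above the copy would record the intent, e.g. `# TSA root CA used only for timestamp verification; must be registered as a 'tsa' trust store, not 'ca'`. Separately, `TIMESTAMP_URL = http://timestamp.digicert.com` is a plain assignment while the other environment-dependent knobs in this file use `?=`; writing `TIMESTAMP_URL ?= http://timestamp.digicert.com` lets an offline or air-gapped e2e run point at a local TSA without editing the Makefile. The `e2e-notation-setup` recipe begins before its hunk, so whether the repeated `docker buildx create --use` creates a second builder per run cannot be judged from here.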
22 changes: 12 additions & 10 deletions go.mod
Expand Up @@ -28,8 +28,9 @@ require (
github.com/golang/protobuf v1.5.4
github.com/google/go-containerregistry v0.20.2
github.com/gorilla/mux v1.8.1
github.com/notaryproject/notation-core-go v1.0.3
github.com/notaryproject/notation-go v1.0.1
github.com/notaryproject/notation-core-go v1.1.0
github.com/notaryproject/notation-go v1.2.0
github.com/notaryproject/notation-plugin-framework-go v1.0.0
github.com/open-policy-agent/cert-controller v0.8.0
github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa
github.com/open-policy-agent/opa v0.63.0
Expand All @@ -46,7 +47,7 @@ require (
go.opentelemetry.io/otel/exporters/prometheus v0.49.0
go.opentelemetry.io/otel/metric v1.27.0
go.opentelemetry.io/otel/sdk/metric v1.27.0
golang.org/x/sync v0.7.0
golang.org/x/sync v0.8.0
google.golang.org/grpc v1.64.1
google.golang.org/protobuf v1.34.2
k8s.io/api v0.28.13
Expand Down Expand Up @@ -97,7 +98,7 @@ require (
github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.2 // indirect
github.com/go-ldap/ldap/v3 v3.4.6 // indirect
github.com/go-ldap/ldap/v3 v3.4.8 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
Expand All @@ -107,6 +108,7 @@ require (
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/miekg/pkcs11 v1.1.1 // indirect
github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
github.com/notaryproject/tspclient-go v0.2.0 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
Expand Down Expand Up @@ -153,7 +155,7 @@ require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/docker/docker-credential-helpers v0.8.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/fxamacker/cbor/v2 v2.6.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-logr/logr v1.4.2
github.com/go-logr/stdr v1.2.2 // indirect
Expand Down Expand Up @@ -231,14 +233,14 @@ require (
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.25.0
golang.org/x/crypto v0.26.0
golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
golang.org/x/mod v0.17.0 // indirect
golang.org/x/mod v0.20.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/oauth2 v0.22.0 // indirect
golang.org/x/sys v0.22.0 // indirect
golang.org/x/term v0.22.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/sys v0.23.0 // indirect
golang.org/x/term v0.23.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/time v0.5.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect