spec: add spec for notation verify command #371
Conversation
Signed-off-by: Yi Zha <[email protected]>
Codecov Report

```text
@@            Coverage Diff             @@
##             main     #371      +/-   ##
==========================================
+ Coverage   30.54%   30.70%   +0.16%
==========================================
  Files          25       26       +1
  Lines        1614     1638      +24
==========================================
+ Hits          493      503      +10
- Misses       1108     1122      +14
  Partials       13       13
```
Thanks @yizha1! Added some feedback.
LGTM with below suggestions.
LGTM
LGTM!
Open to addressing these before or after merge, so marking as approved.
```text
notation verify registry.wabbit-networks.io/software/net-monitor:v1
```

### Verify signatures on an OCI artifact stored in a registry (Trust store and trust policy are configured properly)
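Review bot: the example `notation verify registry.wabbit-networks.io/software/net-monitor:v1` verifies by tag, but nothing next to it says that the tag is first resolved to a manifest digest and that only that digest is looked up and verified; state that beside the example and show the resolved digest in the expected output, so a reader can tell which artifact was actually checked when the tag later moves.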
This is confusing as to OCI artifact versus trust * configured versus not.
I'd consider removing the distinction of OCI artifact per section. Place the tag AND digest verification options for image & OCI artifact in the same properly configured section.
I'd then have a section on what the experience is like when trust store and policy is not configured. I'd imagine you wouldn't get a verification, but show some error message(s).
I will create a new PR to address this comment and the error handling parts.
```shell
# Configure trust policy by creating a JSON document named "trustpolicy.json" under directory "{NOTATION_CONFIG}"
# Example on Linux
cat <<EOF > $HOME/.config/notation/trustpolicy.json
```
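Review bot: the `cat <<EOF > $HOME/.config/notation/trustpolicy.json` line hardcodes the Linux location while the comment two lines above names the directory as `{NOTATION_CONFIG}`; say how `{NOTATION_CONFIG}` resolves on each platform, or point at where that is defined, so the two do not disagree, and make sure the heredoc body and its `EOF` terminator follow, since the context shown here stops at the redirect.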
This is going to vary based on the user's operating system. IMO we should consider if we can get a "bare bones" cli implementation which simply writes a template similar to what's there to the user's proper directory (i.e. notation policy create -n default) and possibly opens it up or lists where it is at. (i.e. notation policy list or notation policy open (optional --name default)
I will create a new issue for a discussion regarding this request.
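As an added illustration of the "write a template to the user's proper directory" idea discussed in this thread, and not code from this PR or from the notation project: a Go sketch that resolves the config directory (a `NOTATION_CONFIG` override, otherwise the per-OS user config directory via `os.UserConfigDir`, both assumptions of this example), builds a minimal strict trust policy in the Notary Project's documented JSON layout, and writes it without overwriting an existing file. The function names, the repository and trust store names, and the env override are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ConfigDir resolves the notation configuration directory. The NOTATION_CONFIG
// override and the per-OS fallback (~/.config/notation on Linux, the user
// config dir on macOS/Windows) are assumptions of this example.
func ConfigDir() (string, error) {
	if dir := os.Getenv("NOTATION_CONFIG"); dir != "" {
		return dir, nil
	}
	base, err := os.UserConfigDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(base, "notation"), nil
}

// TrustPolicyDoc mirrors the documented trust policy JSON layout: a version
// and a list of named policies. Used here for illustration only.
type TrustPolicyDoc struct {
	Version       string        `json:"version"`
	TrustPolicies []TrustPolicy `json:"trustPolicies"`
}

type TrustPolicy struct {
	Name                  string   `json:"name"`
	RegistryScopes        []string `json:"registryScopes"`
	SignatureVerification struct {
		Level string `json:"level"`
	} `json:"signatureVerification"`
	TrustStores       []string `json:"trustStores"`
	TrustedIdentities []string `json:"trustedIdentities"`
}

// DefaultTemplate builds a policy scoped to one repository at level "strict",
// the safest starting point: every verification failure is fatal.
func DefaultTemplate(name, repo, trustStore string) TrustPolicyDoc {
	p := TrustPolicy{
		Name:              name,
		RegistryScopes:    []string{repo},
		TrustStores:       []string{trustStore},
		TrustedIdentities: []string{"*"},
	}
	p.SignatureVerification.Level = "strict"
	return TrustPolicyDoc{Version: "1.0", TrustPolicies: []TrustPolicy{p}}
}

// WriteTemplate writes trustpolicy.json into dir. O_EXCL means a "create"
// command can never silently replace a policy an operator already tuned,
// and 0600 keeps the policy private to the user.
func WriteTemplate(dir string, doc TrustPolicyDoc) (string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "trustpolicy.json")
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		if errors.Is(err, os.ErrExist) {
			return path, fmt.Errorf("%s already exists; edit or remove it first", path)
		}
		return "", err
	}
	defer f.Close()
	enc := json.NewEncoder(f)
	enc.SetIndent("", "  ")
	if err := enc.Encode(doc); err != nil {
		return "", err
	}
	return path, nil
}

// ReadTemplate parses the policy back, as a "policy show" subcommand would.
func ReadTemplate(path string) (TrustPolicyDoc, error) {
	var doc TrustPolicyDoc
	data, err := os.ReadFile(path)
	if err != nil {
		return doc, err
	}
	return doc, json.Unmarshal(data, &doc)
}

func main() {
	dir, err := ConfigDir()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	// Repository and trust store names below are constructed for the example.
	doc := DefaultTemplate("default", "registry.wabbit-networks.io/software/net-monitor", "ca:wabbit-networks")
	path, err := WriteTemplate(dir, doc)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("wrote", path)
}
```

Running it twice fails the second time on purpose; the refusal to overwrite is the point, since a policy file is the thing that decides whether an unsigned or wrongly signed artifact is accepted.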
```text
Verify signatures associated with the artifact.

Usage:
  notation verify [flags] <reference>
```
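Review bot: `notation verify [flags] <reference>` leaves `<reference>` undefined; document the accepted forms (a tag or a digest reference) right here, and say that a tag is mutable and that verification is bound to the digest it resolves to, so a caller scripting the command knows what it is actually asserting.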
We should explain here and in the sign command that `<reference>` can be a tag or a digest. When given a tag, we do a default tag-to-digest translation and only sign/verify the digest, not the tag itself.
I will create a new PR to address this
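The tag-to-digest translation described in the review thread above, as an added Go example that is not part of this PR or of notation's own code. It parses `host/repository[:tag][@digest]`, validates any digest before it is used, resolves a tag through a pluggable resolver, and returns the digest form that is what actually gets verified; a reference that already carries a digest never touches the resolver. The resolver, the sample digest and the helper names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Reference is a parsed artifact reference: host/repository[:tag][@digest].
type Reference struct {
	Registry, Repository, Tag, Digest string
}

var (
	// Only sha256 digests are accepted here (assumption of this example).
	digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
	tagRe    = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$`)
)

// ParseReference splits a reference string. A digest, when present, is
// validated immediately so a malformed value never reaches the registry.
func ParseReference(ref string) (Reference, error) {
	var r Reference
	rest := ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest, rest = rest[i+1:], rest[:i]
		if !digestRe.MatchString(r.Digest) {
			return Reference{}, fmt.Errorf("malformed digest %q", r.Digest)
		}
	}
	slash := strings.Index(rest, "/")
	if slash <= 0 {
		return Reference{}, errors.New("reference must start with a registry host")
	}
	r.Registry, rest = rest[:slash], rest[slash+1:]
	// The host may carry a port (localhost:5000), so the tag separator is the
	// last ':' after the host has been split off.
	if i := strings.LastIndex(rest, ":"); i >= 0 {
		r.Tag, rest = rest[i+1:], rest[:i]
		if !tagRe.MatchString(r.Tag) {
			return Reference{}, fmt.Errorf("malformed tag %q", r.Tag)
		}
	}
	if rest == "" {
		return Reference{}, errors.New("reference has no repository")
	}
	r.Repository = rest
	if r.Tag == "" && r.Digest == "" {
		return Reference{}, errors.New("reference needs a tag or a digest")
	}
	return r, nil
}

// Resolver returns the manifest digest a registry currently serves for a tag.
// A real one would HEAD /v2/<repo>/manifests/<tag>; a function value keeps
// this example offline.
type Resolver func(registry, repository, tag string) (string, error)

// ResolveForVerify returns the digest-form reference that is verified. A tag
// is only a pointer: it is translated once, up front, and signature lookup and
// verification are bound to that digest, so a tag moving afterwards cannot
// swap the artifact being checked.
func ResolveForVerify(ref string, resolve Resolver) (string, error) {
	r, err := ParseReference(ref)
	if err != nil {
		return "", err
	}
	if r.Digest == "" {
		d, err := resolve(r.Registry, r.Repository, r.Tag)
		if err != nil {
			return "", fmt.Errorf("resolving tag %q: %w", r.Tag, err)
		}
		if !digestRe.MatchString(d) {
			return "", fmt.Errorf("registry returned malformed digest %q", d)
		}
		r.Digest = d
	}
	return r.Registry + "/" + r.Repository + "@" + r.Digest, nil
}

// SampleDigest is a constructed value, not a real manifest digest.
const SampleDigest = "sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333"

// InMemoryResolver is a constructed stand-in for a registry holding one tag.
func InMemoryResolver(registry, repository, tag string) (string, error) {
	if registry == "registry.wabbit-networks.io" && repository == "software/net-monitor" && tag == "v1" {
		return SampleDigest, nil
	}
	return "", fmt.Errorf("%s/%s:%s: manifest unknown", registry, repository, tag)
}

func main() {
	for _, ref := range []string{
		"registry.wabbit-networks.io/software/net-monitor:v1",
		"registry.wabbit-networks.io/software/net-monitor@" + SampleDigest,
		"registry.wabbit-networks.io/software/net-monitor:v2",
	} {
		target, err := ResolveForVerify(ref, InMemoryResolver)
		if err != nil {
			fmt.Printf("%s -> error: %v\n", ref, err)
			continue
		}
		fmt.Printf("%s -> verify %s\n", ref, target)
	}
}
```

The third reference in `main` fails on purpose: an unknown tag is an error before any signature is fetched, which is the behaviour a spec for the command should pin down alongside the success path.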