Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: remove blob related specs #311

Merged
merged 2 commits into from
Aug 13, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 2 additions & 20 deletions specs/signature-envelope-cose.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ This specification implements the [Notary Project signature specification](signa
CBOR Object Signing and Encryption (COSE). COSE ([RFC8152](https://datatracker.ietf.org/doc/html/rfc8152)) is a CBOR based envelope format for digital signatures over any type of payload (e.g. CBOR, JSON, binary).
Notary Project specifically supports [COSE_Sign1_Tagged](https://datatracker.ietf.org/doc/html/rfc8152#section-4.2) as a signature envelope.

## OCI Signature Storage
## Signature Storage

A COSE signature envelope will be stored in an OCI registry as a blob, and referenced in the signature manifest as a layer blob with `mediaType` of `"application/cose"`.

Expand Down Expand Up @@ -36,15 +36,12 @@ Signature Manifest Example
}
}
```
## Blob Signature Storage

For detached signatures associated with arbitrary blobs, a COSE signature envelope will be stored on the file system as a binary file with `cose` as the file extension.

## COSE Payload

The COSE envelope contains the [Notary Project signature Payload](./signature-specification.md#payload).

Example of the Notary Project OCI signature payload:
Example

```jsonc
{
Expand All @@ -59,21 +56,6 @@ Example of the Notary Project OCI signature payload:
}
```

Example of the Notary Project blob signature payload:

```jsonc
{
"targetArtifact": {
"mediaType": "application/octet-stream",
"digest": "sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345",
"size": 1024,
"annotations": {
"io.wabbit-networks.buildId": "123" // user defined metadata
}
}
}
```

## Protected Header

The COSE envelope for the Notary Project signature uses the following header parameters:
Expand Down
25 changes: 3 additions & 22 deletions specs/signature-envelope-jws.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@

This specification implements the [Notary Project signature specification](./signature-specification.md) using JSON Web Signature (JWS). JWS ([RFC7515](https://datatracker.ietf.org/doc/html/rfc7515)) is a JSON based envelope format for digital signatures over any type of payload (e.g. JSON, binary). JWS is the Notary Project supported signature format and specifically uses the *JWS JSON Serialization* representation.

## OCI Signature Storage
## Signature Storage

A JWS signature envelope will be stored in an OCI registry as a layer, and referenced in the signature manifest as a layer blob with `mediaType` of `"application/jose+json"`.
A JWS signature envelope will be stored in an OCI registry as a blob, and referenced in the signature manifest as a layer blob with `mediaType` of `"application/jose+json"`.

Signature Manifest Example

Expand Down Expand Up @@ -35,15 +35,11 @@ Signature Manifest Example
}
```

## Blob Signature Storage

For detached signatures associated with blobs, a JWS signature envelope will be stored on the file system with `jws` as the file extension.

## JWS Payload

The JWS envelope contains the [Notary Project signature payload](./signature-specification.md#payload).

Example of the Notary Project OCI signature payload
Example

```jsonc
{
Expand All @@ -58,21 +54,6 @@ Example of the Notary Project OCI signature payload
}
```

Example of the Notary Project blob signature payload:

```jsonc
{
"targetArtifact": {
"mediaType": "application/octet-stream",
"digest": "sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345",
"size": 1024,
"annotations": {
"io.wabbit-networks.buildId": "123" // user defined metadata
}
}
}
```

## Protected Headers

The JWS envelope for the Notary Project signature uses following headers
Expand Down
82 changes: 16 additions & 66 deletions specs/signature-specification.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@
This document provides the following details for Notary Project signature:

- **[Signature Envelope](#signature-envelope)**: Describes the structure of the Notary Project signature.
- **[OCI Signatures](#oci-signatures)**: Describes how signatures for OCI artifacts are stored and retrieved from an OCI registry.
- **[Blob Signatures](#blob-signatures)**: Describes how signatures for signed Blobs are stored on file system.
- **[Signature](#signature)**: Describes how signatures are stored and retrieved from an OCI registry.

## Signature Envelope

Expand All @@ -30,25 +29,15 @@ The Notary Project signature supports following envelope formats:
The Notary Project signature payload is a JSON document with media type `application/vnd.cncf.notary.payload.v1+json` and has following properties.

- `targetArtifact` : Required property whose value is the descriptor of the target artifact manifest that is being signed.
- For OCI artifacts, this MUST be a valid [OCI descriptor][oci-descriptor].
- This MUST be a valid [OCI descriptor][oci-descriptor].
- Descriptor MUST contain `mediaType`, `digest`, and `size` fields.
- Descriptor MAY contain `annotations` and if present it MUST follow the [annotation rules][annotation-rules].
- Descriptor MAY contain `artifactType` field for the `config.mediaType` of OCI image manifests.
- For Blob artifacts, the descriptor MUST describe the blob that is being signed
- Descriptor MUST contain `mediaType`, `digest`, and `size` fields.
- `digest` MUST be in the format of `<digest algorithm>:<digest value>`. Example: `sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345`
- `digest algorithm` MUST be deduced from signing certificate's public key. See [Algorithm Selection](#algorithm-selection)
- `mediaType` can be any arbitrary media type that the user provides to describe the blob. An example can be `application/octet-stream`
- `size` MUST be the raw size of the blob in bytes.
- Blob descriptors MAY optionally contain `annotations` and if present it MUST follow the [annotation rules][annotation-rules].

NOTE: The Notary Project signature uses annotations for storing both Notary Project specific and user defined metadata. The prefix `io.cncf.notary` in `annotations` key is reserved for use in Notary Project signature and MUST NOT be used outside this specification.


#### Examples

##### OCI Payload

```jsonc
{
"targetArtifact": {
Expand All @@ -58,7 +47,7 @@ NOTE: The Notary Project signature uses annotations for storing both Notary Proj
}
}
```
##### OCI Payload with artifactType and annotations
##### Payload with artifactType and annotations

```jsonc
{
Expand All @@ -73,31 +62,6 @@ NOTE: The Notary Project signature uses annotations for storing both Notary Proj
}
}
```
##### Blob Payload

```jsonc
{
"targetArtifact": {
"mediaType": "application/octet-stream",
"digest": "sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345",
"size": 1024
}
}
```
##### Blob Payload with annotations

```jsonc
{
"targetArtifact": {
"mediaType": "application/octet-stream",
"digest": "sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345",
"size": 1024,
"annotations": {
"io.wabbit-networks.buildId": "123" // user defined metadata
}
}
}
```

### Signed Attributes

Expand Down Expand Up @@ -152,10 +116,10 @@ These attributes are considered unsigned with respect to the signing key that ge
- **Timestamp Signature**: An OPTIONAL countersignature generated by a trusted third party, such as a Timestamp Authority (TSA). Its purpose is to demonstrate that the primitive signature, computed on payload and signed attributes, was generated before the timestamp. Only [RFC 3161][ietf-rfc3161] compliant timestamp signatures are supported. If present, this claim is validated and used solely under the [`notary.x509`](./signing-scheme.md/#notaryx509) signing scheme.
- **Signing Agent**: An OPTIONAL claim that provides the identifier of the software (e.g. Notation) that produced the signature on behalf of the user. It is an opaque string set by the software that produces the signature. It's intended primarily for diagnostic and troubleshooting purposes, this attribute is unsigned, the verifier MUST NOT validate formatting, or fail validation based on the content of this claim. The suggested format is one or more tokens of the form `{id}/{version}` containing identifier and version of the software, separated by spaces. E.g. "notation/1.0.0", "notation/1.0.0 myplugin/0.8".

## OCI Signatures
## Signature

This section describes how a Notary Project signature is stored in an OCI Distribution conformant registry.
OCI image manifest is used to store signatures in the registry, see [OCI image spec v1.1.0-rc3][oci-image-manifest] for details.
OCI image manifest is used to store signatures in the registry, see [OCI image spec v1.1.0][oci-image-manifest] for details.
The signature manifest has a configuration media type that specifies it's a Notary Project signature, a subject referencing the manifest of the artifact being signed, a layer referencing the signature, and a collection of annotations.

![Signature storage inside registry](../media/oci-signature-specification.svg)
Expand Down Expand Up @@ -207,29 +171,18 @@ Besides the [image manifest property requirements][image-manifest-property-descr
Keys using the `io.cncf.notary` namespace are reserved for use in the Notary Project signature specification and MUST NOT be used by other specifications.
- **`io.cncf.notary.x509chain.thumbprint#S256`**: A REQUIRED annotation whose value contains the list of SHA-256 fingerprints of signing certificate and certificate chain (including root) used for signature generation. The list of fingerprints is present as a JSON array string, corresponding to ordered certificates in [*Certificate Chain* unsigned attribute](#unsigned-attributes) in the signature envelope. The annotation name contains the hash algorithm as a suffix (`#S256`) and can be extended to support other hashing algorithms in future.

### OCI Signature Discovery
### Signature Discovery

The client should be able to discover all the signatures belonging to an artifact (such as image manifest) by using [OCI Distribution Referrers API][oci-distribution-referrers].
OCI Distribution Referrers API returns a paginated list of all artifacts belonging to a target artifact (such as container images, SBoMs).
The implementation can filter Notary Project signatures by either using OCI Distribution Referrers API or using custom logic on the client.
Each Notary Project signature refers to a signature envelope blob.

### OCI Signature Filtering
### Signature Filtering

An OCI artifact can have multiple signatures, implementations of the Notary Project signature specification uses annotations of the signature manifest to filter relevant signatures based on the applicable trust policy.
The Notary Project signature manifest's `io.cncf.notary.x509chain.thumbprint#S256` annotation key MUST contain the list of SHA-256 fingerprints of certificate and certificate chain used for signing.

## Blob Signatures

The Notary Project facilitates signing arbitrary blobs using detached signatures. These detached signatures can be transported via any preferred medium and verified on the receiving end. A detached signature refers to a signature that is not embedded within (and therefore does not modify) the original blob, instead it consists of a detached signature envelope with a signature over the unique representation of the blob (i.e. blob's digest). The file extension can either be 'jws' or 'cose', indicating the signature envelope format.

![Signature storage inside file system](../media/blob-signature-specification.svg)

### Differences between OCI and blob signatures

1. Apart from the `payload` field, all other fields of a signature envelope are identical between OCI and blob signatures.
1. OCI signatures have signature manifest files, containing the mediaType of the signature envelope (application/jose+json or application/cose). However, blob signatures lack such manifest file and this mediaType information is instead found in the signature file extension.

## Signature Algorithm Requirements

The implementation MUST support the following set of algorithms:
Expand Down Expand Up @@ -331,7 +284,7 @@ An `authentic signing time` is a signing time authenticated by a `Signing Author

This is an optional feature that provides a "best by use" time for the artifact, as defined by the signer. The Notary Project signature specification allows users to include an optional expiry time when they generate a signature. The expiry time is not set by default and requires explicit configuration by users at the time of signature generation. The artifact is considered expired when the current time is greater than or equal to expiry time, users performing verification can either configure their trust policies to fail the verification or even accept the artifact with expiry date in the past using policy. This is an advanced feature that allows implementing controls for user defined semantics like deprecation for older artifacts, or block older artifacts in a production environment. Users should only include an expiry time in the signed artifact after considering the behavior they expect for consumers of the artifact after it expires. Users can choose to consume an artifact even after the expiry time based on their specific needs.

### OCI Signature Portability
### Signature Portability

Portability of signatures is associated with the portability of associated artifacts which are being signed.
OCI artifacts are inherently registry agnostic, artifacts can be pulled from and pushed to any OCI compliant registry to which a user has access.
Expand All @@ -345,13 +298,13 @@ Signatures associated with these artifacts require broad portability.
E.g. Images for containerized applications and services used within an organization, or shared with limited authorized parties.
Based on user requirements a private artifact can have different levels of portability, the signature’s portability should at least match the the artifact’s portability.

*The Notary Project OCI signature portability* is based on the following
*The Notary Project signature portability* is based on the following

#### Signature discovery

The Notary Project OCI signature specification addressed signature discovery by storing signatures in the same registry (location) where an artifact is present.
The Notary Project signature specification addressed signature discovery by storing signatures in the same registry (location) where an artifact is present.
This is supported through [OCI Distribution Referrers API][oci-distribution-referrers] which allows reference artifacts such as signatures, SBOMs to be associated with existing artifacts like Images.
The Notary Project OCI signature specification allows multiple signatures to be associated with an artifact, and clients may automatically push signatures for an artifact to a destination registry when a signed artifact moves from one registry to other.
The Notary Project signature specification allows multiple signatures to be associated with an artifact, and clients may automatically push signatures of an artifact to a destination registry when a signed artifact moves from one registry to another.

#### Verification requirements

Expand All @@ -369,9 +322,6 @@ The Notary Project signatures without any critical extended attributes do not im
Whereas, the Notary Project signatures that contain critical extended attributes will require additional dependencies for signature validation, either on Notation compliant plugins or equivalent tooling which may not be available in all environments.
Similarly, Notation compliant plugin vendors should be aware that usage of extended signed attributes which are marked critical in signature will have implications on portability of the signature.

### Blob Signature Portability
Notary Project blob signatures provide the maximum portability as there are no requirements on storage or transport medium. Users can store and transport their blobs and associated detached signatures as required.

### Guidelines for implementations of the Notary Project signature specification

Implementations of the Notary Project signature specification, can choose to be [Notation plugin protocol](./plugin-extensibility.md#plugin-contract) aware or not. If an implementation chooses to be plugin protocol aware, and it encounters the Verification Plugin and Verification Plugin minimum version attributes during signature verification, it MUST process these attributes. This involves finding the appropriate plugin and the version to use, and executing `verify-signature` plugin command with correct inputs and processing the plugin response, as per the [Verification Plugin interface](./plugin-extensibility.md#verification-extensibility).
Expand All @@ -382,9 +332,9 @@ Alternatively, an implementation of the Notary Project signature specification c
- An implementation MUST fail signature verification if it cannot perform the equivalent verification logic, as skipping the plugin equivalent verification logic will cause incorrect and inconsistent signature verification behavior.
- An implementation MAY choose to support a set of known plugin’s verification logic and fail others.

[annotation-rules]: https://github.com/opencontainers/image-spec/blob/v1.0.0/annotations.md#rules
[oci-descriptor]: https://github.com/opencontainers/image-spec/blob/v1.0.0/descriptor.md
[annotation-rules]: https://github.com/opencontainers/image-spec/blob/v1.1.0/annotations.md#rules
[oci-descriptor]: https://github.com/opencontainers/image-spec/blob/v1.1.0/descriptor.md
[ietf-rfc3161]: https://datatracker.ietf.org/doc/html/rfc3161#section-2.4.2
[oci-distribution-referrers]: https://github.com/opencontainers/distribution-spec/blob/v1.0.0/spec.md#listing-referrers
[oci-image-manifest]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc3/manifest.md
[image-manifest-property-descriptions]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc3/manifest.md#image-manifest-property-descriptions
[oci-distribution-referrers]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers
[oci-image-manifest]: https://github.com/opencontainers/image-spec/blob/v1.1.0/manifest.md
[image-manifest-property-descriptions]: https://github.com/opencontainers/image-spec/blob/v1.1.0/manifest.md#image-manifest-property-descriptions
Loading