diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3e5dd26fe..88ca88208 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,11 +15,11 @@ name: "CodeQL" on: push: - branches: + branches: - main - release-* pull_request: - branches: + branches: - main - release-* schedule: diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index df91dbea0..eb442fc46 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -83,6 +83,10 @@ Example - Inspect signatures on an OCI artifact identified by a tag (Notation w Example - Inspect signatures on an OCI artifact identified by a digest and output as json: notation inspect --output json /@ +` + experimentalExamples := ` +Example - [Experimental] Inspect signatures on an OCI artifact identified by a digest using the Referrers API, if not supported (returns 404), fallback to the Referrers tag schema + notation inspect --allow-referrers-api /@ ` command := &cobra.Command{ Use: "inspect [reference]", @@ -102,9 +106,6 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } - if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") - } return runInspect(cmd, opts) }, } @@ -114,6 +115,7 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu cmd.SetPflagOutput(command.Flags(), &opts.outputFormat, cmd.PflagOutputUsage) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "inspect")) + experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api"}) return command } 
@@ -127,9 +129,7 @@ func runInspect(command *cobra.Command, opts *inspectOpts) error {
 // initialize
 reference := opts.reference
- // always use the Referrers API, if not supported, automatically fallback to
- // the referrers tag schema
- sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, false)
+ sigRepo, err := getRemoteRepository(ctx, &opts.SecureFlagOpts, reference, opts.allowReferrersAPI)
 if err != nil {
 return err
 }
diff --git a/cmd/notation/list.go b/cmd/notation/list.go
index 387134907..a651386eb 100644
--- a/cmd/notation/list.go
+++ b/cmd/notation/list.go
@@ -17,7 +17,6 @@ import (
 "context"
 "errors"
 "fmt"
- "os"
 
 notationregistry "github.com/notaryproject/notation-go/registry"
 cmderr "github.com/notaryproject/notation/cmd/notation/internal/errors"
@@ -53,6 +52,9 @@ Example - List signatures of an OCI artifact identified by a tag (Notation will
 notation list /:
 `
 experimentalExamples := `
+Example - [Experimental] List signatures of an OCI artifact using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema
+ notation list --allow-referrers-api /@
+
 Example - [Experimental] List signatures of an OCI artifact referenced in an OCI layout
 notation list --oci-layout "@"
 
@@ -81,9 +83,6 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag
 if opts.maxSignatures <= 0 {
 return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures)
 }
- if cmd.Flags().Changed("allow-referrers-api") {
- fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.")
- }
 return runList(cmd.Context(), opts)
 },
 }
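Review bot: The `runInspect` hunk drops the comment that explained which signature-discovery path is used and replaces it with a bare flag pass-through, so a reader no longer sees that signatures stored only via the Referrers API are not found when the flag is omitted. A one-line comment above the `getRemoteRepository` call keeps that visible: `// Without --allow-referrers-api only the referrers tag schema is consulted; signatures stored solely as Referrers API referrers are not found.` The same comment fits the `runList` and `runVerify` hunks further down, which make the identical change. `runInspect` begins before this hunk and continues after it.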
@@ -91,8 +90,9 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag
 opts.SecureFlagOpts.ApplyFlags(command.Flags())
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "list"))
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] list signatures stored in OCI image layout")
+ experimental.HideFlags(command, "", []string{"allow-referrers-api", "oci-layout"})
 command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine")
- experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"})
+ experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"})
 return command
 }
@@ -102,9 +102,7 @@ func runList(ctx context.Context, opts *listOpts) error {
 // initialize
 reference := opts.reference
- // always use the Referrers API, if not supported, automatically fallback to
- // the referrers tag schema
- sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, false)
+ sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, opts.allowReferrersAPI)
 if err != nil {
 return err
 }
diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go
index bc9352179..d4c748a36 100644
--- a/cmd/notation/registry.go
+++ b/cmd/notation/registry.go
@@ -21,6 +21,7 @@ import (
 "github.com/notaryproject/notation-go/log"
 notationregistry "github.com/notaryproject/notation-go/registry"
+ "github.com/notaryproject/notation/cmd/notation/internal/experimental"
 notationauth "github.com/notaryproject/notation/internal/auth"
 "github.com/notaryproject/notation/internal/httputil"
 "github.com/notaryproject/notation/pkg/configutil"
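Review bot: `experimental.HideFlags` is now called twice on the list command: once with an empty examples string, inserted between the `oci-layout` and `max-signatures` registrations, and again with `experimentalExamples` after them, both naming the same two flags. The first call adds nothing the second does not, and whether `HideFlags` tolerates an empty examples argument or appends to the command's example text on every call is not visible here; dropping the added line `experimental.HideFlags(command, "", []string{"allow-referrers-api", "oci-layout"})` and keeping only the final call is the safe form. The enclosing command constructor starts before this hunk.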
@@ -40,10 +41,10 @@ const (
 // getRepository returns a notationregistry.Repository given user input
 // type and user input reference
-func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, forceReferrersTag bool) (notationregistry.Repository, error) {
+func getRepository(ctx context.Context, inputType inputType, reference string, opts *SecureFlagOpts, allowReferrersAPI bool) (notationregistry.Repository, error) {
 switch inputType {
 case inputTypeRegistry:
- return getRemoteRepository(ctx, opts, reference, forceReferrersTag)
+ return getRemoteRepository(ctx, opts, reference, allowReferrersAPI)
 case inputTypeOCILayout:
 layoutPath, _, err := parseOCILayoutReference(reference)
 if err != nil {
@@ -56,18 +57,17 @@ func getRepository(ctx context.Context, inputType inputType, reference string, o
 }
 
 // getRemoteRepository returns a registry.Repository.
-// When forceReferrersTag is true, Notation will always generate an image index
-// according to the Referrers tag schema to store signature.
-//
-// When forceReferrersTag is false, Notation will first try to store the
-// signature as a referrer according to the Referrers API. If the Referrers API
-// is not supported, fallback to use the referrers tag schema.
-// This flag is always FALSE when verify/list/inspect signatures.
+// When experimental feature is disabled OR allowReferrersAPI is not set,
+// Notation always uses referrers tag schema to store and consume signatures
+// by default.
+// When experimental feature is enabled AND allowReferrersAPI is set, Notation
+// tries the Referrers API, if not supported, fallback to use the Referrers
+// tag schema.
 //
 // References:
-// https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers
-// https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#referrers-tag-schema
-func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, forceReferrersTag bool) (notationregistry.Repository, error) {
+// https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers
+// https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#referrers-tag-schema
+func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference string, allowReferrersAPI bool) (notationregistry.Repository, error) {
 logger := log.GetLogger(ctx)
 ref, err := registry.ParseReference(reference)
 if err != nil {
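Review bot: The doc comment on `getRemoteRepository` now links the `v1.1.0-rc1` distribution-spec where the removed lines linked the released `v1.1.0` text; the listing-referrers and referrers-tag-schema sections exist in the release, so the two URLs should stay at `v1.1.0` (the `specs/commandline/sign.md` hunk makes the same downgrade for its reference links). The new wording would also read better as one sentence per case, e.g. `// When the experimental feature is enabled AND allowReferrersAPI is set, Notation tries the Referrers API and falls back to the Referrers tag schema if the registry does not support it.` The function body continues past this hunk.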
@@ -82,13 +82,13 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st
 return nil, err
 }
 
- if forceReferrersTag {
- logger.Info("The referrers tag schema is always attempted")
+ if !experimental.IsDisabled() && allowReferrersAPI {
+ logger.Info("Trying to use the referrers API")
+ } else {
+ logger.Info("Using the referrers tag schema")
 if err := remoteRepo.SetReferrersCapability(false); err != nil {
 return nil, err
 }
- } else {
- logger.Info("Allowed to access the referrers API, fallback if not supported")
 }
 return notationregistry.NewRepository(remoteRepo), nil
 }
diff --git a/cmd/notation/registry_test.go b/cmd/notation/registry_test.go
index ac915eb1c..5d5526a1f 100644
--- a/cmd/notation/registry_test.go
+++ b/cmd/notation/registry_test.go
@@ -19,6 +19,8 @@ import (
 "net/http/httptest"
 "net/url"
 "testing"
+
+ "github.com/notaryproject/notation/cmd/notation/internal/experimental"
 )
 
 const (
@@ -26,6 +28,10 @@ const (
 )
 
 func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) {
+ t.Setenv("NOTATION_EXPERIMENTAL", "1")
+ if experimental.IsDisabled() {
+ t.Fatal("failed to enable experimental")
+ }
 ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest {
 w.WriteHeader(http.StatusOK)
@@ -50,6 +56,10 @@ func TestRegistry_getRemoteRepositoryWithReferrersAPISupported(t *testing.T) {
 }
 
 func TestRegistry_getRemoteRepositoryWithReferrersAPINotSupported(t *testing.T) {
+ t.Setenv("NOTATION_EXPERIMENTAL", "1")
+ if experimental.IsDisabled() {
+ t.Fatal("failed to enable experimental")
+ }
 ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if r.Method == http.MethodGet && r.URL.Path == "/v2/test/v1/referrers/"+zeroDigest {
 w.WriteHeader(http.StatusNotFound)
diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 23b227a49..5a1c5c8f7 100644
--- a/cmd/notation/sign.go
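Review bot: When `allowReferrersAPI` is true but `experimental.IsDisabled()` reports the feature off, the new condition silently takes the tag-schema branch and pins it with `SetReferrersCapability(false)`, logging only at Info, so a caller that asked for the Referrers API gets a repository that will neither store nor find API-only referrers with no signal stronger than a log line. The CLI commands guard this earlier through `experimental.CheckFlagsAndWarn` in `PreRunE` (visible in the sign hunk), but this function is the shared chokepoint for sign, list, inspect and verify, so the downgrade deserves an explicit warning here, e.g. `if allowReferrersAPI && experimental.IsDisabled() { logger.Warn("allowReferrersAPI requested but experimental features are disabled; using the referrers tag schema") }` placed before the existing branch. `getRemoteRepository` begins before this hunk.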
+++ b/cmd/notation/sign.go @@ -14,6 +14,7 @@ package main import ( + "context" "errors" "fmt" "os" @@ -21,6 +22,7 @@ import ( "time" "github.com/notaryproject/notation-go" + notationregistry "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/internal/cmd" "github.com/notaryproject/notation/internal/envelope" @@ -39,7 +41,6 @@ type signOpts struct { userMetadata []string reference string allowReferrersAPI bool - forceReferrersTag bool ociLayout bool inputType inputType } @@ -71,11 +72,11 @@ Example - Sign an OCI artifact identified by a tag (Notation will resolve tag to Example - Sign an OCI artifact stored in a registry and specify the signature expiry duration, for example 24 hours notation sign --expiry 24h /@ - -Example - Sign an OCI artifact and store signature using the Referrers API. If it's not supported, fallback to the Referrers tag schema - notation sign --force-referrers-tag=false /@ ` experimentalExamples := ` +Example - [Experimental] Sign an OCI artifact and store signature using the Referrers API. If it's not supported (returns 404), fallback to the Referrers tag schema + notation sign --allow-referrers-api /@ + Example - [Experimental] Sign an OCI artifact referenced in an OCI layout notation sign --oci-layout "@" 
@@ -101,15 +102,6 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout")
 },
 RunE: func(cmd *cobra.Command, args []string) error {
- // allow-referrers-api flag is set
- if cmd.Flags().Changed("allow-referrers-api") {
- if opts.allowReferrersAPI {
- fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.")
- opts.forceReferrersTag = false
- } else {
- fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.")
- }
- }
 return runSign(cmd, opts)
 },
 }
@@ -120,10 +112,9 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced
 cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig)
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage)
 cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign"))
- cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema")
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout")
- command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api")
- experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"})
+ command.MarkFlagsMutuallyExclusive("oci-layout", "allow-referrers-api")
+ experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout"})
 return command
 }
@@ -136,11 +127,14 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 if err != nil {
 return err
 }
- sigRepo, err := getRepository(ctx, cmdOpts.inputType, cmdOpts.reference, &cmdOpts.SecureFlagOpts, cmdOpts.forceReferrersTag)
+ if cmdOpts.allowReferrersAPI {
+ fmt.Fprintln(os.Stderr, "Warning: using the Referrers API to store signature. On success, must set the `--allow-referrers-api` flag to list, inspect, and verify the signature.")
+ }
+ sigRepo, err := getRepository(ctx, cmdOpts.inputType, cmdOpts.reference, &cmdOpts.SecureFlagOpts, cmdOpts.allowReferrersAPI)
 if err != nil {
 return err
 }
- signOpts, err := prepareSigningOpts(cmdOpts)
+ signOpts, err := prepareSigningOpts(ctx, cmdOpts, sigRepo)
 if err != nil {
 return err
 }
@@ -168,7 +162,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 return nil
 }
 
-func prepareSigningOpts(opts *signOpts) (notation.SignOptions, error) {
+func prepareSigningOpts(ctx context.Context, opts *signOpts, sigRepo notationregistry.Repository) (notation.SignOptions, error) {
 mediaType, err := envelope.GetEnvelopeMediaType(opts.SignerFlagOpts.SignatureFormat)
 if err != nil {
 return notation.SignOptions{}, err
diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go
index c98b80817..77c4c5540 100644
--- a/cmd/notation/sign_test.go
+++ b/cmd/notation/sign_test.go
@@ -36,7 +36,6 @@ func TestSignCommand_BasicArgs(t *testing.T) {
 Key: "key",
 SignatureFormat: envelope.JWS,
 },
- forceReferrersTag: true,
 }
 if err := command.ParseFlags([]string{
 expected.reference,
@@ -68,7 +67,7 @@ func TestSignCommand_MoreArgs(t *testing.T) {
 SignatureFormat: envelope.COSE,
 },
 expiry: 24 * time.Hour,
- forceReferrersTag: true,
+ allowReferrersAPI: true,
 }
 if err := command.ParseFlags([]string{
 expected.reference,
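Review bot: The new warning in `runSign` is printed before `getRepository` runs and tells the user they "must" pass the flag to list, inspect and verify, yet `getRemoteRepository` falls back to the tag schema when the registry does not support the Referrers API, in which case the signature is found without the flag and the message is wrong. The fallback outcome is not surfaced to this function, so the honest wording is conditional: `fmt.Fprintln(os.Stderr, "Warning: attempting to store the signature via the Referrers API. If the registry supports it, '--allow-referrers-api' must also be passed to list, inspect, and verify the signature.")`. Whether `prepareSigningOpts` actually uses its new `ctx` and `sigRepo` parameters is outside the hunk; if it does not, widening its signature is unnecessary. Both `runSign` and `prepareSigningOpts` continue past this hunk.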
@@ -78,8 +77,7 @@ func TestSignCommand_MoreArgs(t *testing.T) { "--insecure-registry", "--signature-format", expected.SignerFlagOpts.SignatureFormat, "--expiry", expected.expiry.String(), - "--force-referrers-tag", - }); err != nil { + "--allow-referrers-api"}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -99,9 +97,8 @@ func TestSignCommand_CorrectConfig(t *testing.T) { Key: "key", SignatureFormat: envelope.COSE, }, - expiry: 365 * 24 * time.Hour, - pluginConfig: []string{"key0=val0", "key1=val1"}, - forceReferrersTag: false, + expiry: 365 * 24 * time.Hour, + pluginConfig: []string{"key0=val0", "key1=val1"}, } if err := command.ParseFlags([]string{ expected.reference, @@ -109,9 +106,7 @@ func TestSignCommand_CorrectConfig(t *testing.T) { "--signature-format", expected.SignerFlagOpts.SignatureFormat, "--expiry", expected.expiry.String(), "--plugin-config", "key0=val0", - "--plugin-config", "key1=val1", - "--force-referrers-tag=false", - }); err != nil { + "--plugin-config", "key1=val1"}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -159,9 +154,7 @@ func TestSignCommmand_OnDemandKeyOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--id", expected.KeyID, - "--plugin", expected.PluginName, - "--force-referrers-tag=false", - }); err != nil { + "--plugin", expected.PluginName}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { 
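Review bot: The rewritten `ParseFlags` argument lists in `TestSignCommand_MoreArgs`, `TestSignCommand_CorrectConfig` and `TestSignCommmand_OnDemandKeyOptions` now end with `"--allow-referrers-api"}); err != nil {` and `"--plugin", expected.PluginName}); err != nil {`, folding the closing brace onto the last element and dropping the trailing comma, while the removed lines kept one element per line with `}); err != nil {` on its own line as the rest of each slice still does. Keeping the previous shape, `"--allow-referrers-api",` followed by `}); err != nil {`, avoids touching the last element every time a flag is added and keeps the diff minimal. The same pattern repeats in every `sign_test.go` hunk that follows.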
@@ -195,9 +188,7 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "--password", expected.Password, "--id", expected.KeyID, "--plugin", expected.PluginName, - "--key", expected.Key, - "--force-referrers-tag=false", - }); err != nil { + "--key", expected.Key}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -231,9 +222,7 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--id", expected.KeyID, - "--key", expected.Key, - "--force-referrers-tag=false", - }); err != nil { + "--key", expected.Key}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -267,9 +256,7 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { "-u", expected.Username, "--password", expected.Password, "--plugin", expected.PluginName, - "--key", expected.Key, - "--force-referrers-tag=false", - }); err != nil { + "--key", expected.Key}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -301,9 +288,7 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { expected.reference, "-u", expected.Username, "--password", expected.Password, - "--id", expected.KeyID, - "--force-referrers-tag=false", - }); err != nil { + "--id", expected.KeyID}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { @@ -335,9 +320,7 @@ func TestSignCommmand_OnDemandKeyBadOptions(t *testing.T) { expected.reference, "-u", expected.Username, "--password", expected.Password, - "--plugin", expected.PluginName, - "--force-referrers-tag=false", - }); err != nil { + "--plugin", expected.PluginName}); err != nil { t.Fatalf("Parse Flag failed: %v", err) } if err := command.Args(command, command.Flags().Args()); err != nil { 
diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index 6417b10c6..2ac0b9f48 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -60,6 +60,9 @@ Example - Verify a signature on an OCI artifact identified by a tag (Notation w notation verify /: ` experimentalExamples := ` +Example - [Experimental] Verify an OCI artifact using the Referrers API, if not supported (returns 404), fallback to the Referrers tag schema + notation verify --allow-referrers-api /@ + Example - [Experimental] Verify a signature on an OCI artifact referenced in an OCI layout using trust policy statement specified by scope. notation verify --oci-layout /@ --scope @@ -87,9 +90,6 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t if opts.maxSignatureAttempts <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatureAttempts) } - if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") - } return runVerify(cmd, opts) }, } 
@@ -97,12 +97,12 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t
 opts.SecureFlagOpts.ApplyFlags(command.Flags())
 command.Flags().StringArrayVar(&opts.pluginConfig, "plugin-config", nil, "{key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values")
 cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataVerifyUsage)
- cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "verify"))
 command.Flags().IntVar(&opts.maxSignatureAttempts, "max-signatures", 100, "maximum number of signatures to evaluate or examine")
+ cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "verify"))
 command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] verify the artifact stored as OCI image layout")
 command.Flags().StringVar(&opts.trustPolicyScope, "scope", "", "[Experimental] set trust policy scope for artifact verification, required and can only be used when flag \"--oci-layout\" is set")
 command.MarkFlagsRequiredTogether("oci-layout", "scope")
- experimental.HideFlags(command, experimentalExamples, []string{"oci-layout", "scope"})
+ experimental.HideFlags(command, experimentalExamples, []string{"allow-referrers-api", "oci-layout", "scope"})
 return command
 }
@@ -130,9 +130,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 // core verify process
 reference := opts.reference
- // always use the Referrers API, if not supported, automatically fallback to
- // the referrers tag schema
- sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, false)
+ sigRepo, err := getRepository(ctx, opts.inputType, reference, &opts.SecureFlagOpts, opts.allowReferrersAPI)
 if err != nil {
 return err
 }
diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 196768b2c..8d93e6708 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -112,14 +112,6 @@ var ( PflagReferrersUsageFormat = "[Experimental] use the Referrers API to %s signatures, if not supported (returns 404), fallback to the Referrers tag schema" SetPflagReferrersAPI = func(fs *pflag.FlagSet, p *bool, usage string) { fs.BoolVar(p, PflagReferrersAPI.Name, false, usage) - fs.MarkHidden(PflagReferrersAPI.Name) - } - - PflagReferrersTag = &pflag.Flag{ - Name: "force-referrers-tag", - } - SetPflagReferrersTag = func(fs *pflag.FlagSet, p *bool, usage string) { - fs.BoolVar(p, PflagReferrersTag.Name, true, usage) } PflagOutput = &pflag.Flag{ diff --git a/specs/commandline/inspect.md b/specs/commandline/inspect.md index b068bff2c..5dc9b334d 100644 --- a/specs/commandline/inspect.md +++ b/specs/commandline/inspect.md @@ -36,6 +36,7 @@ Usage: notation inspect [flags] Flags: + --allow-referrers-api [Experimental] use the Referrers API to inspect signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for inspect --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/specs/commandline/list.md b/specs/commandline/list.md index 2540633d0..d73be9758 100644 --- a/specs/commandline/list.md +++ b/specs/commandline/list.md @@ -27,6 +27,7 @@ Aliases: list, ls Flags: + --allow-referrers-api [Experimental] use the Referrers API to list signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for list --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index f7e9577ae..1bb445797 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md 
@@ -30,7 +30,7 @@ Usage: notation sign [flags] Flags: - --force-referrers-tag force to store signatures using the referrers tag schema (default true) + --allow-referrers-api [Experimental] use the Referrers API to store signatures in the registry, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m -h, --help help for sign @@ -190,6 +190,6 @@ notation list --oci-layout hello-world@sha256:xxx ``` [oci-artifact-manifest]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/artifact.md -[oci-image-spec]: https://github.com/opencontainers/image-spec/blob/v1.1.0/spec.md -[oci-referers-api]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers -[oci-image-layout]: https://github.com/opencontainers/image-spec/blob/v1.1.0/image-layout.md +[oci-image-spec]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/spec.md +[oci-referers-api]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers +[oci-image-layout]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/image-layout.md diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md index fa56fdc94..943e7bcd3 100644 --- a/specs/commandline/verify.md +++ b/specs/commandline/verify.md @@ -38,6 +38,7 @@ Usage: notation verify [flags] Flags: + --allow-referrers-api [Experimental] use the Referrers API to verify signatures, if not supported (returns 404), fallback to the Referrers tag schema -d, --debug debug mode -h, --help help for verify --insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing diff --git a/test/e2e/suite/command/inspect.go b/test/e2e/suite/command/inspect.go index 49ba33e77..7937e8066 100644 --- a/test/e2e/suite/command/inspect.go 
+++ b/test/e2e/suite/command/inspect.go 
@@ -77,58 +77,4 @@ var _ = Describe("notation inspect", func() { NoMatchErrKeyWords(HTTPSRequest) }) }) - - It("sign with --force-referrers-tag set", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(inspectSuccessfully...) - }) - }) - - It("sign with --force-referrers-tag set to false", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(inspectSuccessfully...) - }) - }) - - It("sign with --allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(inspectSuccessfully...) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(inspectSuccessfully...) - }) - }) - - It("sign with --allow-referrers-api set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). 
- MatchKeyWords(SignSuccessfully) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(inspectSuccessfully...) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(inspectSuccessfully...) - }) - }) }) diff --git a/test/e2e/suite/command/list.go b/test/e2e/suite/command/list.go index 889ccb396..62c11f8f0 100644 --- a/test/e2e/suite/command/list.go +++ b/test/e2e/suite/command/list.go 
@@ -85,76 +85,4 @@ var _ = Describe("notation list", func() { MatchKeyWords("has no associated signature") }) }) - - It("sign with --force-referrers-tag set", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - }) - }) - - It("sign with --force-referrers-tag set to false", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - }) - }) - - It("sign with --allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - - notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). 
- MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - }) - }) - - It("sign with --allow-referrers-api set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - - notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - }) - }) }) diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 8354d8696..11045ed6e 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go 
@@ -78,84 +78,6 @@ var _ = Describe("notation sign", func() { }) }) - It("with force-referrers-tag set", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with referrers tag schema"). - Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag"). - MatchKeyWords(SignSuccessfully) - - OldNotation().WithDescription("verify by tag schema"). - Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("with force-referrers-tag set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag=false"). - MatchKeyWords(SignSuccessfully) - - OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). - Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("with allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.", - ). - MatchKeyWords(SignSuccessfully) - - OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). - Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). 
- MatchKeyWords(VerifySuccessfully) - }) - }) - - It("with allow-referrers-api set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with referrers tag schema"). - Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api=false"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(SignSuccessfully) - - OldNotation().WithDescription("verify by tag schema"). - Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("with both force-referrers-tag and allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - ExpectFailure(). - Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag", "--allow-referrers-api"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "[allow-referrers-api force-referrers-tag] were all set", - ) - }) - }) - - It("with allow-referrers-api set and experimental off", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - ExpectFailure(). - Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). - MatchErrKeyWords( - "Error: flag(s) --allow-referrers-api in \"notation sign\" is experimental and not enabled by default.") - }) - }) - It("with specific key", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { const keyName = "sKey" 
diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go
index f27384301..7df83ee3d 100644
--- a/test/e2e/suite/command/verify.go
+++ b/test/e2e/suite/command/verify.go
@@ -63,56 +63,22 @@ var _ = Describe("notation verify", func() { }) }) - It("sign with --force-referrers-tag set", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("sign with --force-referrers-tag set to false", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--force-referrers-tag=false", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("sign with --allow-referrers-api set", func() { + It("by digest with the Referrers API", func() { Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). 
MatchKeyWords(VerifySuccessfully) }) }) - It("sign with --allow-referrers-api set to false", func() { + It("by digest, sign with the Referrers tag schema, verify with the Referrers API", func() { Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). + notation.Exec("sign", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/trustpolicy/trust_store.go b/test/e2e/suite/trustpolicy/trust_store.go index 736917493..099801bf3 100644 --- a/test/e2e/suite/trustpolicy/trust_store.go +++ b/test/e2e/suite/trustpolicy/trust_store.go 
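Review bot: Both rewritten cases verify only with `--allow-referrers-api`; the removed `notation.Exec("verify", artifact.ReferenceWithDigest(), "-v")` after a Referrers-API sign was the one assertion of what the default (tag-schema) verify path does with a signature stored through the Referrers API, and nothing in the new hunk pins that outcome. Whatever behaviour the restored flag semantics intend there, a test should state it explicitly — if such a signature is not expected to be discoverable without the flag, `notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v")` in the first case documents that a default verify reports no signature rather than passing against a different store. The experimental-feature warning on stderr is also no longer asserted anywhere in this hunk, so one `MatchErrKeyWords("Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.")` would keep it covered. The second case's title presumes a bare `sign` now stores with the tag schema; a short comment above that `Exec` stating the assumption would help a reader who does not know the flag's history.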
@@ -35,12 +35,12 @@ var _ = Describe("notation trust policy trust store test", func() { }) It("invalid trust store", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("invalid_trust_store_trustpolicy.json")) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("the trust store \"invalid_store\" of type \"ca\" does not exist") }) }) @@ -82,14 +82,14 @@ var _ = Describe("notation trust policy trust store test", func() { AddTrustPolicyOption("multiple_trust_store_trustpolicy.json"), AddTrustStoreOption("e2e-new", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), - ) + EnableExperimental()) notation.WithDescription("verify artifact1 with trust store ca/e2e-new"). - Exec("verify", artifact1.ReferenceWithDigest(), "-v"). + Exec("verify", "--allow-referrers-api", artifact1.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) notation.WithDescription("verify artifact2 with trust store ca/e2e"). - Exec("verify", artifact2.ReferenceWithDigest(), "-v"). + Exec("verify", "--allow-referrers-api", artifact2.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/trustpolicy/trusted_identity.go b/test/e2e/suite/trustpolicy/trusted_identity.go index 2f276a2b4..8e26477df 100644 --- a/test/e2e/suite/trustpolicy/trusted_identity.go +++ b/test/e2e/suite/trustpolicy/trusted_identity.go 
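Review bot: Every `verify` in this hunk now opts into the experimental Referrers API, so the trust-store policy assertions no longer exercise the default code path (`notation verify <ref>` with no `--allow-referrers-api`), which is the path non-experimental users actually run; the trusted_identity.go and verification_level.go hunks below make the same switch for every case. If the reason is that the e2e fixture artifacts carry their signatures only via the Referrers API, that belongs in a comment next to `Host(BaseOptionsWithExperimental(), ...)`, e.g. `// fixture signatures are only reachable through the Referrers API; the default tag-schema lookup would not find them`. The policy outcome asserted in each case (missing store, identity mismatch, expiry, integrity) does not depend on how the signature was discovered, so keeping one default-path variant per suite is a cheap way to ensure a regression in the tag-schema lookup still fails a policy test rather than going unnoticed.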
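Review bot: `EnableExperimental())` folds the closing parenthesis of `vhost.SetOption(...)` onto the last argument, while the trusted_identity.go hunk starting at old line 89 keeps the existing multi-line form with `EnableExperimental(),` followed by `)` on its own line; every verification_level.go hunk below uses the folded form too. The trailing-comma form matches the one-option-per-line layout of the surrounding `AddTrustPolicyOption`/`AddTrustStoreOption` arguments and keeps a future option addition to a one-line diff, so I would use `EnableExperimental(),` then `)` consistently across all of these hunks.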
@@ -34,21 +34,21 @@ var _ = Describe("notation trust policy trusted identity test", func() { }) It("with valid trusted identity", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("valid_trusted_identity_trustpolicy.json")) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) It("with invalid trusted identity", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("invalid_trusted_identity_trustpolicy.json")) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Failure reason: signing certificate from the digital signature does not match the X.509 trusted identities", VerifyFailed) }) 
@@ -89,12 +89,13 @@ var _ = Describe("notation trust policy trusted identity test", func() { AddTrustPolicyOption("multiple_trusted_identity_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")), + EnableExperimental(), ) - notation.Exec("verify", artifact1.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact1.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) - notation.Exec("verify", artifact2.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact2.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/trustpolicy/verification_level.go b/test/e2e/suite/trustpolicy/verification_level.go index 6ada0259b..938e9a4ab 100644 --- a/test/e2e/suite/trustpolicy/verification_level.go +++ b/test/e2e/suite/trustpolicy/verification_level.go @@ -24,10 +24,10 @@ import ( var _ = Describe("notation trust policy verification level test", func() { It("strict level with expired signature", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { artifact := GenerateArtifact("e2e-expired-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry validation failed.", VerifyFailed) }) 
@@ -40,9 +40,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - ) + EnableExperimental()) - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed) }) 
@@ -53,35 +53,35 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - ) + EnableExperimental()) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticity validation failed", VerifyFailed) }) }) It("strict level with invalid integrity", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("integrity validation failed", VerifyFailed) }) }) It("permissive level with expired signature", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("permissive_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry was set to \"log\" and failed with error: digital signature has expired"). MatchKeyWords(VerifySuccessfully) }) 
@@ -94,9 +94,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - ) + EnableExperimental()) - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). MatchKeyWords(VerifySuccessfully) 
@@ -108,37 +108,37 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - ) + EnableExperimental()) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticity validation failed", VerifyFailed) }) }) It("permissive level with invalid integrity", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("permissive_trustpolicy.json")) artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("integrity validation failed", VerifyFailed) }) }) It("audit level with expired signature", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("audit_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("digital signature has expired", "expiry was set to \"log\""). MatchKeyWords(VerifySuccessfully) 
@@ -152,9 +152,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("audit_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - ) + EnableExperimental()) - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). MatchKeyWords(VerifySuccessfully) @@ -166,13 +166,13 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("audit_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - ) + EnableExperimental()) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer"). MatchKeyWords(VerifySuccessfully) 
@@ -180,35 +180,35 @@ var _ = Describe("notation trust policy verification level test", func() { }) It("audit level with invalid integrity", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("audit_trustpolicy.json")) artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("integrity validation failed", VerifyFailed) }) }) It("skip level with invalid integrity", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("skip_trustpolicy.json")) artifact := GenerateArtifact("e2e-invalid-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords("Trust policy is configured to skip signature verification") }) }) It("strict level with Expiry overridden as log level", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("override_strict_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("digital signature has expired", "expiry was set to \"log\""). 
MatchKeyWords(VerifySuccessfully) @@ -222,9 +222,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_strict_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - ) + EnableExperimental()) - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticTimestamp was set to \"log\"", "error: certificate \"O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\" is not valid anymore, it was expired"). MatchKeyWords(VerifySuccessfully) @@ -236,13 +236,13 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_strict_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - ) + EnableExperimental()) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer"). MatchKeyWords(VerifySuccessfully) 
@@ -250,12 +250,12 @@ var _ = Describe("notation trust policy verification level test", func() { }) It("permissive level with Expiry overridden as enforce level", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("override_permissive_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry validation failed.", VerifyFailed) }) @@ -270,9 +270,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - ) + EnableExperimental()) - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed) }) @@ -283,11 +283,11 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - ) + EnableExperimental()) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("Warning: authenticity was set to \"log\"", "signature is not produced by a trusted signer"). MatchKeyWords(VerifySuccessfully) 
@@ -299,22 +299,22 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_integrity_for_permissive_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - ) + EnableExperimental()) artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords(`"integrity" verification can not be overridden in custom signature verification`) }) }) It("audit level with Expiry overridden as enforce level", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { + Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) { vhost.SetOption(AddTrustPolicyOption("override_audit_trustpolicy.json")) artifact := GenerateArtifact("e2e-expired-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry validation failed.", VerifyFailed) }) @@ -329,9 +329,9 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "localkeys", "expired_e2e.crt")), - ) + EnableExperimental()) - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticTimestamp validation failed", VerifyFailed) }) 
@@ -342,13 +342,13 @@ var _ = Describe("notation trust policy verification level test", func() { vhost.SetOption(AuthOption("", ""), AddTrustPolicyOption("override_audit_trustpolicy.json"), AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt")), - ) + EnableExperimental()) // the artifact signed with a different cert from the cert in // trust store. artifact := GenerateArtifact("e2e-valid-signature", "") - notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", "--allow-referrers-api", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("authenticity validation failed", VerifyFailed) })