Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Improve output when there is no signature associated #666

Merged
merged 1 commit into from
May 16, 2023

Conversation

priteshbandi
Copy link
Contributor

Fixes: #624

➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 
Warning: Always inspect the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1 has no associated signature

➜  notation git:(no-sig) ✗ ./notation ls $IMAGE      
Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1 has no associated signature

➜  notation git:(no-sig) ✗ ./notation sign $IMAGE -e 123h
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Successfully signed localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1

➜  notation git:(no-sig) ✗ ./notation ls $IMAGE          
Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1
└── application/vnd.cncf.notary.signature
    └── sha256:be23f992f68a6b3003c83506eb9275188355a451294006e4cac651d2a1b7c716

➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE     
Warning: Always inspect the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
Inspecting all signatures for signed artifact
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1
└── application/vnd.cncf.notary.signature
    └── sha256:be23f992f68a6b3003c83506eb9275188355a451294006e4cac651d2a1b7c716
        ├── media type: application/jose+json
        ├── signature algorithm: RSASSA-PSS-SHA-256
        ├── signed attributes
        │   ├── signingTime: Fri May 12 20:16:27 2023
        │   ├── expiry: Wed May 17 23:16:27 2023
        │   └── signingScheme: notary.x509
        ├── user defined attributes
        │   └── (empty)
        ├── unsigned attributes
        │   └── signingAgent: Notation/1.0.0
        ├── certificates
        │   └── SHA1 fingerprint: 091c1a5e57aa401de7fb22ac52b56d79f211bd03
        │       ├── issued to: CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US
        │       ├── issued by: CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US
        │       └── expiry: Sun May 14 00:58:40 2023
        └── signed artifact
            ├── media type: application/vnd.docker.distribution.manifest.v2+json
            ├── digest: sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1
            └── size: 942

@codecov-commenter
Copy link

codecov-commenter commented May 13, 2023

Codecov Report

Merging #666 (b630b3a) into main (5516199) will decrease coverage by 0.12%.
The diff coverage is 0.00%.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

@@            Coverage Diff             @@
##             main     #666      +/-   ##
==========================================
- Coverage   33.33%   33.21%   -0.12%     
==========================================
  Files          32       32              
  Lines        2019     2026       +7     
==========================================
  Hits          673      673              
- Misses       1324     1331       +7     
  Partials       22       22              
Impacted Files Coverage Δ
cmd/notation/inspect.go 14.21% <0.00%> (-0.15%) ⬇️
cmd/notation/list.go 27.84% <0.00%> (-1.10%) ⬇️
cmd/notation/manifest.go 0.00% <0.00%> (ø)
cmd/notation/verify.go 32.81% <0.00%> (+0.50%) ⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@priteshbandi priteshbandi changed the title fix: Improve output when there is no signature assoicated fix: Improve output when there is no signature associated May 14, 2023
Comment on lines +116 to +118
if !titlePrinted {
fmt.Printf("%s has no associated signature\n", ref)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this printout? If there is no associated signature, the output of list is just empty.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, otherwise the output (as shown below) looks incomplete.

For unsigned image referred by tag, user wont know which image was inspected/listed.

# unsigned image referred by tag
➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 
Warning: Always inspect the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.

For unsigned image referred by digest, not printing anything doesn't looks right and would like to keep output consistent with unsigned image refereed by tag

# unsigned image referred by digest
➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, otherwise the output (as shown below) looks incomplete.

For unsigned image referred by tag, user wont know which image was inspected/listed.

# unsigned image referred by tag
➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 
Warning: Always inspect the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.

For unsigned image referred by digest, not printing anything doesn't looks right and would like to keep output consistent with unsigned image refereed by tag

# unsigned image referred by digest
➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 

Got it. Makes sense to me.

cmd/notation/inspect.go Outdated Show resolved Hide resolved
cmd/notation/inspect.go Outdated Show resolved Hide resolved
Copy link
Contributor

@Two-Hearts Two-Hearts left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@JeyJeyGao JeyJeyGao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@priteshbandi priteshbandi merged commit fb191d4 into notaryproject:main May 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Improve the output message of notation inspect images without signatures
5 participants