feat: add required log (#221)
Example
## sign ## 
```
➜  ./notation sign $IMAGE -e 2s             
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47

➜  ./notation sign $IMAGE -e 2s -v
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47

➜  ./notation sign $IMAGE -e 2s -d
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/v1" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "HEAD"                      
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "200 OK"                   
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "942"                   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Type": "application/vnd.docker.distribution.manifest.v2+json" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Content-Digest": "sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "Etag": "\"sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47\"" 
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
WARN[2022-12-02T13:10:25+08:00] Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed 
INFO[2022-12-02T13:10:25+08:00] Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing 
DEBU[2022-12-02T13:10:25+08:00] generic signing for sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 
DEBU[2022-12-02T13:10:25+08:00] sign request:                                
DEBU[2022-12-02T13:10:25+08:00]   ContentType: application/vnd.cncf.notary.payload.v1+json 
DEBU[2022-12-02T13:10:25+08:00]   Content: {"targetArtifact":{"mediaType":"application/vnd.docker.distribution.manifest.v2+json","digest":"sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47","size":942}} 
DEBU[2022-12-02T13:10:25+08:00]   Expiry: 2022-12-02 13:10:26.218713827 +0800 CST m=+4.043056722 
DEBU[2022-12-02T13:10:25+08:00]   SigningTime: 2022-12-02 13:10:25.683371981 +0800 CST m=+3.507714874 
DEBU[2022-12-02T13:10:25+08:00]   SigningScheme: notary.x509                 
DEBU[2022-12-02T13:10:25+08:00]   SigningAgent: Notation/1.0.0               
DEBU[2022-12-02T13:10:25+08:00] generate annotation                          
DEBU[2022-12-02T13:10:25+08:00] push signature, artifact descriptor: {MediaType:application/vnd.docker.distribution.manifest.v2+json Digest:sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 Size:942 URLs:[] Annotations:map[] Data:[] Platform:<nil> ArtifactType:}, annotations: map[io.cncf.notary.x509chain.thumbprint#S256:["676ae98f2cc491ce67cf897b3f7f59583a62193282c80d384814c900e4958c16"]] 
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/blobs/uploads/" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "POST"                      
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "202 Accepted"             
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Upload-Uuid": "97835b52-8e9c-4f35-82d8-8e19b434a738" 
DEBU[2022-12-02T13:10:25+08:00]    "Location": "http://localhost:5000/v2/net-monitor/blobs/uploads/97835b52-8e9c-4f35-82d8-8e19b434a738?_state=LU0rqXS4CRHkO8Y3wL1-YxFRn2rqX55hlt9cI7NwYB97Ik5hbWUiOiJuZXQtbW9uaXRvciIsIlVVSUQiOiI5NzgzNWI1Mi04ZTljLTRmMzUtODJkOC04ZTE5YjQzNGE3MzgiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjItMTItMDJUMDU6MTA6MjUuNjg2OTgxNDg0WiJ9" 
DEBU[2022-12-02T13:10:25+08:00]    "Range": "0-0"                            
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "0"                     
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/blobs/uploads/97835b52-8e9c-4f35-82d8-8e19b434a738?_state=LU0rqXS4CRHkO8Y3wL1-YxFRn2rqX55hlt9cI7NwYB97Ik5hbWUiOiJuZXQtbW9uaXRvciIsIlVVSUQiOiI5NzgzNWI1Mi04ZTljLTRmMzUtODJkOC04ZTE5YjQzNGE3MzgiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjItMTItMDJUMDU6MTA6MjUuNjg2OTgxNDg0WiJ9&digest=sha256%3A472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "PUT"                       
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "Content-Type": "application/octet-stream" 
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "201 Created"              
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "0"                     
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Content-Digest": "sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "Location": "http://localhost:5000/v2/net-monitor/blobs/sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38" 
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "PUT"                       
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "Content-Type": "application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "201 Created"              
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Content-Digest": "sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "Location": "http://localhost:5000/v2/net-monitor/manifests/sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e" 
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "0"                     
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/referrers/sha256:0000000000000000000000000000000000000000000000000000000000000000" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "404 Not Found"            
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "Content-Type": "text/plain; charset=utf-8" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "19"                    
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256-cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "200 OK"                   
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Content-Digest": "sha256:829256e18b2ee0980a39a2ff86182c8459303b15b676b00dc7006e123e7599ee" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "Etag": "\"sha256:829256e18b2ee0980a39a2ff86182c8459303b15b676b00dc7006e123e7599ee\"" 
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "901"                   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Type": "application/vnd.oci.image.index.v1+json" 
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256-cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "PUT"                       
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "Content-Type": "application/vnd.oci.image.index.v1+json" 
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "201 Created"              
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "0"                     
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Content-Digest": "sha256:490010607becd94467b45783303458b5b1533bcc17a813dbaf60a4f4aa96f582" 
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "Location": "http://localhost:5000/v2/net-monitor/manifests/sha256:490010607becd94467b45783303458b5b1533bcc17a813dbaf60a4f4aa96f582" 
DEBU[2022-12-02T13:10:25+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:829256e18b2ee0980a39a2ff86182c8459303b15b676b00dc7006e123e7599ee" 
DEBU[2022-12-02T13:10:25+08:00]  Request method: "DELETE"                    
DEBU[2022-12-02T13:10:25+08:00]  Request headers:                            
DEBU[2022-12-02T13:10:25+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:10:25+08:00]  Response Status: "202 Accepted"             
DEBU[2022-12-02T13:10:25+08:00]  Response headers:                           
DEBU[2022-12-02T13:10:25+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:10:25+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:10:25+08:00]    "Date": "Fri, 02 Dec 2022 05:10:25 GMT"   
DEBU[2022-12-02T13:10:25+08:00]    "Content-Length": "0"                     
sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
```
## verify ## 
```
➜  ./notation verify $IMAGE       
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
Error: signature verification failed

➜  ./notation verify $IMAGE -v
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
INFO passing a nil signature to check 'skip' level 
ERRO integrity validation failed. Failure reason: unable to parse the digital signature, error : signature envelope format with media type "" is not supported 
INFO check over. not 'skip' level                 
INFO processing signature with digest: sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a 
ERRO expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:09:58 +0800" 
INFO processing signature with digest: sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0 
ERRO expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:04 +0800" 
INFO processing signature with digest: sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e 
ERRO expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:26 +0800" 
Error: signature verification failed

➜  ./notation verify $IMAGE -d
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
INFO[2022-12-02T13:14:39+08:00] passing a nil signature to check 'skip' level 
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact  referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]} 
ERRO[2022-12-02T13:14:39+08:00] integrity validation failed. Failure reason: unable to parse the digital signature, error : signature envelope format with media type "" is not supported 
INFO[2022-12-02T13:14:39+08:00] check over. not 'skip' level                 
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "HEAD"                      
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "200 OK"                   
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47\"" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "942"                   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/vnd.docker.distribution.manifest.v2+json" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00] fetch signature manifest                     
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/referrers/sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47?artifactType=application%2Fvnd.cncf.notary.v2.signature" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "404 Not Found"            
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "text/plain; charset=utf-8" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "19"                    
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256-cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "200 OK"                   
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "1308"                  
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/vnd.oci.image.index.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:490010607becd94467b45783303458b5b1533bcc17a813dbaf60a4f4aa96f582" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:490010607becd94467b45783303458b5b1533bcc17a813dbaf60a4f4aa96f582\"" 
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a 
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "Accept": "application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "200 OK"                   
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a\"" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "628"                   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/blobs/sha256:9e27c57b266d8bcd206a90af96dba94a6c2d9ac8fe93d47979aaf7ce47a34f68" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "Range": "bytes=0-2220"                   
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "206 Partial Content"      
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "2221"                  
DEBU[2022-12-02T13:14:39+08:00]    "Content-Range": "bytes 0-2220/2221"      
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Accept-Ranges": "bytes"                  
DEBU[2022-12-02T13:14:39+08:00]    "Cache-Control": "max-age=31536000"       
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/octet-stream" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:9e27c57b266d8bcd206a90af96dba94a6c2d9ac8fe93d47979aaf7ce47a34f68" 
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:9e27c57b266d8bcd206a90af96dba94a6c2d9ac8fe93d47979aaf7ce47a34f68\"" 
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]} 
DEBU[2022-12-02T13:14:39+08:00] verify cert chain                            
DEBU[2022-12-02T13:14:39+08:00] verify trust identity                        
DEBU[2022-12-02T13:14:39+08:00] verify expiry                                
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:09:58 +0800" 
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0 
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "Accept": "application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "200 OK"                   
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0\"" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "628"                   
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/blobs/sha256:b804160dff6d263d918c4ec4088876a325f4b59f003c0eaba55fd71419f73557" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "Range": "bytes=0-2220"                   
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "206 Partial Content"      
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Accept-Ranges": "bytes"                  
DEBU[2022-12-02T13:14:39+08:00]    "Cache-Control": "max-age=31536000"       
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "2221"                  
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:b804160dff6d263d918c4ec4088876a325f4b59f003c0eaba55fd71419f73557" 
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:b804160dff6d263d918c4ec4088876a325f4b59f003c0eaba55fd71419f73557\"" 
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Range": "bytes 0-2220/2221"      
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/octet-stream" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]} 
DEBU[2022-12-02T13:14:39+08:00] verify cert chain                            
DEBU[2022-12-02T13:14:39+08:00] verify trust identity                        
DEBU[2022-12-02T13:14:39+08:00] verify expiry                                
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:04 +0800" 
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e 
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "Accept": "application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "200 OK"                   
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e\"" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "628"                   
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/vnd.oci.artifact.manifest.v1+json" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e" 
DEBU[2022-12-02T13:14:39+08:00]  Request URL: "http://localhost:5000/v2/net-monitor/blobs/sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38" 
DEBU[2022-12-02T13:14:39+08:00]  Request method: "GET"                       
DEBU[2022-12-02T13:14:39+08:00]  Request headers:                            
DEBU[2022-12-02T13:14:39+08:00]    "Range": "bytes=0-2220"                   
DEBU[2022-12-02T13:14:39+08:00]    "User-Agent": "notation/v0.12.0-beta.1+unreleased" 
DEBU[2022-12-02T13:14:39+08:00]  Response Status: "206 Partial Content"      
DEBU[2022-12-02T13:14:39+08:00]  Response headers:                           
DEBU[2022-12-02T13:14:39+08:00]    "Content-Range": "bytes 0-2220/2221"      
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Content-Digest": "sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38" 
DEBU[2022-12-02T13:14:39+08:00]    "Docker-Distribution-Api-Version": "registry/2.0" 
DEBU[2022-12-02T13:14:39+08:00]    "X-Content-Type-Options": "nosniff"       
DEBU[2022-12-02T13:14:39+08:00]    "Date": "Fri, 02 Dec 2022 05:14:39 GMT"   
DEBU[2022-12-02T13:14:39+08:00]    "Accept-Ranges": "bytes"                  
DEBU[2022-12-02T13:14:39+08:00]    "Content-Length": "2221"                  
DEBU[2022-12-02T13:14:39+08:00]    "Etag": "\"sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38\"" 
DEBU[2022-12-02T13:14:39+08:00]    "Cache-Control": "max-age=31536000"       
DEBU[2022-12-02T13:14:39+08:00]    "Content-Type": "application/octet-stream" 
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]} 
DEBU[2022-12-02T13:14:39+08:00] verify cert chain                            
DEBU[2022-12-02T13:14:39+08:00] verify trust identity                        
DEBU[2022-12-02T13:14:39+08:00] verify expiry                                
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:26 +0800" 
DEBU[2022-12-02T13:14:39+08:00] Signature verification failed for all the signatures associated with digest sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 
Error: signature verification failed
```

> warning logs for successful verification will be added in
notaryproject/notation#450 By Patrick

Signed-off-by: Junjie Gao <[email protected]>
JeyJeyGao authored Dec 5, 2022
1 parent bc022cc commit e9545a7
Showing 5 changed files with 84 additions and 6 deletions.
12 changes: 11 additions & 1 deletion notation.go
Expand Up @@ -87,10 +87,13 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, opts Sig
if err != nil {
return ocispec.Descriptor{}, err
}
logger.Debug("Generating annotation")
annotations, err := generateAnnotations(signerInfo)
if err != nil {
return ocispec.Descriptor{}, err
}
logger.Debugf("Generated annotations: %+v", annotations)
logger.Debugf("Pushing signature of artifact descriptor: %+v, signature media type: %v", targetDesc, opts.SignatureMediaType)
_, _, err = repo.PushSignature(ctx, opts.SignatureMediaType, sig, targetDesc, annotations)
if err != nil {
return ocispec.Descriptor{}, err
Expand Down Expand Up @@ -191,14 +194,17 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, re
}

// passing nil signature to check 'skip'
logger.Info("Checking whether signature verification should be skipped or not")
outcome, err := verifier.Verify(ctx, ocispec.Descriptor{}, nil, opts)
if err != nil {
if outcome == nil {
return ocispec.Descriptor{}, nil, err
}
} else if reflect.DeepEqual(outcome.VerificationLevel, trustpolicy.LevelSkip) {
logger.Infoln("Verification skipped for", remoteOpts.ArtifactReference)
return ocispec.Descriptor{}, []*VerificationOutcome{outcome}, nil
}
logger.Info("Check over. Trust policy is not configured to skip signature verification")

// check MaxSignatureAttempts
if remoteOpts.MaxSignatureAttempts <= 0 {
Expand Down Expand Up @@ -229,18 +235,21 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, re
numOfSignatureProcessed := 0

// get signature manifests
logger.Debug("Fetching signature manifests using referrers API")
err = repo.ListSignatures(ctx, artifactDescriptor, func(signatureManifests []ocispec.Descriptor) error {
// process signatures
for _, sigManifestDesc := range signatureManifests {
if numOfSignatureProcessed >= remoteOpts.MaxSignatureAttempts {
break
}
numOfSignatureProcessed++
logger.Infof("Processing signature with digest: %v", sigManifestDesc.Digest)
// get signature envelope
sigBlob, sigDesc, err := repo.FetchSignatureBlob(ctx, sigManifestDesc)
if err != nil {
return ErrorSignatureRetrievalFailed{Msg: fmt.Sprintf("unable to retrieve digital signature with digest %q associated with %q from the registry, error : %v", sigManifestDesc.Digest, artifactRef, err.Error())}
}

// using signature media type fetched from registry
opts.SignatureMediaType = sigDesc.MediaType

Expand All @@ -253,10 +262,10 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, re
}
continue
}

// at this point, the signature is verified successfully. Add
// it to the verificationOutcomes.
verificationOutcomes = append(verificationOutcomes, outcome)
logger.Debugf("Signature verification succeeded for artifact %v with signature digest %v", artifactDescriptor.Digest, sigManifestDesc.Digest)

// early break on success
return errDoneVerification
Expand All @@ -283,6 +292,7 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, re

// Verification Failed
if len(verificationOutcomes) == 0 {
logger.Debugf("Signature verification failed for all the signatures associated with artifact %v", artifactDescriptor.Digest)
return ocispec.Descriptor{}, verificationOutcomes, ErrorVerificationFailed{}
}

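Review bot: The skip-check progress lines `logger.Info("Checking whether signature verification should be skipped or not")` and `logger.Info("Check over. Trust policy is not configured to skip signature verification")` in the second hunk are emitted at Info from a library call, while the only event at that level a caller needs is the policy decision itself (`Infoln("Verification skipped for", ...)`); the two progress lines read better as `logger.Debug(...)`, leaving Info for the outcome that matters for audit, and the same applies to the per-signature `logger.Infof("Processing signature with digest: %v", sigManifestDesc.Digest)` in the third hunk. Note also that the "Check over" line is reached on the `err != nil && outcome != nil` path as well, where the skip check did not conclude cleanly, so its wording asserts slightly more than the code has established at that point. Mixing `Infoln` with `Info`/`Infof` in one function is a minor consistency nit; `logger.Infof("Verification skipped for %v", remoteOpts.ArtifactReference)` matches the surrounding calls. Verify's body begins and ends outside these hunks.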
16 changes: 16 additions & 0 deletions plugin/plugin.go
Expand Up @@ -14,6 +14,7 @@ import (
"path/filepath"

"github.com/notaryproject/notation-go/internal/slices"
"github.com/notaryproject/notation-go/log"
"github.com/notaryproject/notation-go/plugin/proto"
)

Expand Down Expand Up @@ -83,6 +84,8 @@ func NewCLIPlugin(ctx context.Context, name, path string) (*CLIPlugin, error) {

// GetMetadata returns the metadata information of the plugin.
func (p *CLIPlugin) GetMetadata(ctx context.Context, req *proto.GetMetadataRequest) (*proto.GetMetadataResponse, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Plugin get-plugin-metadata request: %+v", req)
var metadata proto.GetMetadataResponse
err := run(ctx, p.name, p.path, req, &metadata)
if err != nil {
Expand All @@ -95,54 +98,67 @@ func (p *CLIPlugin) GetMetadata(ctx context.Context, req *proto.GetMetadataReque
if metadata.Name != p.name {
return nil, fmt.Errorf("executable name must be %q instead of %q", binName(metadata.Name), filepath.Base(p.path))
}
logger.Debugf("Plugin get-plugin-metadata response: %+v", metadata)
return &metadata, nil
}

// DescribeKey returns the KeySpec of a key.
//
// if ContractVersion is not set, it will be set by the function.
func (p *CLIPlugin) DescribeKey(ctx context.Context, req *proto.DescribeKeyRequest) (*proto.DescribeKeyResponse, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Plugin describe-key request: %+v", req)
var resp proto.DescribeKeyResponse
if req.ContractVersion == "" {
req.ContractVersion = proto.ContractVersion
}
err := run(ctx, p.name, p.path, req, &resp)
logger.Debugf("Plugin describe-key response: %+v", resp)
return &resp, err
}

// GenerateSignature generates the raw signature based on the request.
//
// if ContractVersion is not set, it will be set by the function.
func (p *CLIPlugin) GenerateSignature(ctx context.Context, req *proto.GenerateSignatureRequest) (*proto.GenerateSignatureResponse, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Plugin generate-signature request: {ContractVersion: %v, KeyID: %v, KeySpec: %v, Hash: %v, PluginConfig: %v}", req.ContractVersion, req.KeyID, req.KeySpec, req.Hash, req.PluginConfig)
var resp proto.GenerateSignatureResponse
if req.ContractVersion == "" {
req.ContractVersion = proto.ContractVersion
}
err := run(ctx, p.name, p.path, req, &resp)
logger.Debugf("Plugin generate-signature response: {keyId: %v, SigningAlgorithm: %v}", resp.KeyID, resp.SigningAlgorithm)
return &resp, err
}

// GenerateEnvelope generates the Envelope with signature based on the request.
//
// if ContractVersion is not set, it will be set by the function.
func (p *CLIPlugin) GenerateEnvelope(ctx context.Context, req *proto.GenerateEnvelopeRequest) (*proto.GenerateEnvelopeResponse, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Plugin generate-envelope request: {ContractVersion: %v, KeyID: %v, PayloadType: %v, SignatureEnvelope: %v, ExpiryDurationInSeconds: %v, PluginConfig: %v}", req.ContractVersion, req.KeyID, req.PayloadType, req.SignatureEnvelopeType, req.ExpiryDurationInSeconds, req.PluginConfig)
var resp proto.GenerateEnvelopeResponse
if req.ContractVersion == "" {
req.ContractVersion = proto.ContractVersion
}
err := run(ctx, p.name, p.path, req, &resp)
logger.Debugf("Plugin generate-envelope response: {SignatureEnvelopeType: %v, Annotations:%v}", resp.SignatureEnvelopeType, resp.Annotations)
return &resp, err
}

// VerifySignature validates the signature based on the request.
//
// if ContractVersion is not set, it will be set by the function.
func (p *CLIPlugin) VerifySignature(ctx context.Context, req *proto.VerifySignatureRequest) (*proto.VerifySignatureResponse, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Plugin verify-signature request: {ContractVersion: %v, TrustPolicy: %v, PluginConfig: %v, Signature: {CriticalAttributes: %v, UnprocessedAttributes: %v}}", req.ContractVersion, req.TrustPolicy, req.PluginConfig, req.Signature.CriticalAttributes, req.Signature.UnprocessedAttributes)
var resp proto.VerifySignatureResponse
if req.ContractVersion == "" {
req.ContractVersion = proto.ContractVersion
}
err := run(ctx, p.name, p.path, req, &resp)
logger.Debugf("Plugin verify-signature response: %+v", resp)
return &resp, err
}

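Review bot: The new request traces write `req.PluginConfig` to the log (directly in GenerateSignature, GenerateEnvelope and VerifySignature, and via `%+v` of the whole request in GetMetadata and DescribeKey), yet plugin config is the channel through which users hand provider settings to KMS-style plugins, and it is reasonable to expect credentials or tokens among those values; even at debug level that puts secrets into CLI output and anything that ships the log. Logging only the keys keeps the diagnostic value while dropping the values, e.g. a small helper plus `logger.Debugf("Plugin get-plugin-metadata request: {PluginConfig keys: %v}", configKeys(req.PluginConfig))`, with `configKeys(req.PluginConfig)` substituted for `req.PluginConfig` in the three other traces and an explicit field list instead of `%+v` for describe-key. The `%+v` dumps of the describe-key and verify-signature responses are fine as they stand, since those carry key specs and verification results rather than configuration.
```go
// configKeys returns only the keys of a plugin config map so that the values,
// which may carry credentials for the plugin's backend, never reach the log.
func configKeys(cfg map[string]string) []string {
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		keys = append(keys, k)
	}
	return keys
}

// GetMetadata returns the metadata information of the plugin.
func (p *CLIPlugin) GetMetadata(ctx context.Context, req *proto.GetMetadataRequest) (*proto.GetMetadataResponse, error) {
	logger := log.GetLogger(ctx)
	logger.Debugf("Plugin get-plugin-metadata request: {PluginConfig keys: %v}", configKeys(req.PluginConfig))
	// … unchanged: run, executable-name check, response trace …
```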
11 changes: 10 additions & 1 deletion signer/plugin.go
Expand Up @@ -11,6 +11,7 @@ import (
"github.com/notaryproject/notation-core-go/signature"
"github.com/notaryproject/notation-go"
"github.com/notaryproject/notation-go/internal/envelope"
"github.com/notaryproject/notation-go/log"
"github.com/notaryproject/notation-go/plugin"
"github.com/notaryproject/notation-go/plugin/proto"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
Expand Down Expand Up @@ -46,13 +47,17 @@ func NewFromPlugin(plugin plugin.Plugin, keyID string, pluginConfig map[string]s
// Sign signs the artifact described by its descriptor and returns the
// marshalled envelope.
func (s *pluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
logger.Debug("Invoking plugin's get-plugin-metadata command")
req := &proto.GetMetadataRequest{
PluginConfig: s.mergeConfig(opts.PluginConfig),
}
metadata, err := s.plugin.GetMetadata(ctx, req)
if err != nil {
return nil, nil, err
}

logger.Debugf("Using plugin %v with capabilities %v to sign artifact %v in signature media type %v", metadata.Name, metadata.Capabilities, desc.Digest, opts.SignatureMediaType)
if metadata.HasCapability(proto.CapabilitySignatureGenerator) {
return s.generateSignature(ctx, desc, opts)
} else if metadata.HasCapability(proto.CapabilityEnvelopeGenerator) {
Expand All @@ -62,6 +67,8 @@ func (s *pluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts n
}

func (s *pluginSigner) generateSignature(ctx context.Context, desc ocispec.Descriptor, opts notation.SignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
logger.Debug("Generating signature by plugin")
config := s.mergeConfig(opts.PluginConfig)
// Get key info.
key, err := s.describeKey(ctx, config)
Expand All @@ -87,11 +94,12 @@ func (s *pluginSigner) generateSignature(ctx context.Context, desc ocispec.Descr
keySpec: ks,
},
}

return genericSigner.Sign(ctx, desc, opts)
}

func (s *pluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocispec.Descriptor, opts notation.SignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
logger.Debug("Generating signature envelope by plugin")
payload := envelope.Payload{TargetArtifact: envelope.SanitizeTargetArtifact(desc)}
payloadBytes, err := json.Marshal(payload)
if err != nil {
Expand Down Expand Up @@ -119,6 +127,7 @@ func (s *pluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
)
}

logger.Debug("Verifying signature envelope generated by the plugin")
sigEnv, err := signature.ParseEnvelope(opts.SignatureMediaType, resp.SignatureEnvelope)
if err != nil {
return nil, nil, err
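Review bot: The `logger.Debug("Invoking plugin's get-plugin-metadata command")` line in pluginSigner.Sign duplicates the request/response trace that CLIPlugin.GetMetadata emits in this same commit, so when the plugin is a CLIPlugin one invocation now yields three debug lines describing the same event at two layers. The plugin layer is the right place for that trace since it holds the request and response; the signer-level line could be dropped, keeping `logger.Debugf("Using plugin %v with capabilities %v ...")`, which records a decision only this layer makes. The `Generating signature by plugin` / `Generating signature envelope by plugin` lines are less redundant but follow the same layering question. Sign's body continues past the hunk.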
10 changes: 10 additions & 0 deletions signer/signer.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/notaryproject/notation-core-go/signature"
"github.com/notaryproject/notation-go"
"github.com/notaryproject/notation-go/internal/envelope"
"github.com/notaryproject/notation-go/log"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)

Expand Down Expand Up @@ -72,6 +73,8 @@ func NewFromFiles(keyPath, certChainPath string) (notation.Signer, error) {
// Sign signs the artifact described by its descriptor and returns the
// marshalled envelope.
func (s *genericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Generic signing for %v in signature media type %v", desc.Digest, opts.SignatureMediaType)
// Generate payload to be signed.
payload := envelope.Payload{TargetArtifact: envelope.SanitizeTargetArtifact(desc)}
payloadBytes, err := json.Marshal(payload)
Expand All @@ -94,6 +97,13 @@ func (s *genericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
if opts.ExpiryDuration != 0 {
signReq.Expiry = signReq.SigningTime.Add(opts.ExpiryDuration)
}
logger.Debugf("Sign request:")
logger.Debugf(" ContentType: %v", signReq.Payload.ContentType)
logger.Debugf(" Content: %s", string(signReq.Payload.Content))
logger.Debugf(" SigningTime: %v", signReq.SigningTime)
logger.Debugf(" Expiry: %v", signReq.Expiry)
logger.Debugf(" SigningScheme: %v", signReq.SigningScheme)
logger.Debugf(" SigningAgent: %v", signReq.SigningAgent)

// perform signing
sigEnv, err := signature.NewEnvelope(opts.SignatureMediaType)
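Review bot: The sign-request trace at the end of the second hunk is split across seven separate `Debugf` calls, so each field gets its own timestamp and level prefix (as every DEBU line in the description's sample does) and the lines can interleave with output from other goroutines; `logger.Debugf("Sign request:")` also has no format arguments, and `string(signReq.Payload.Content)` is redundant under `%s`. One entry in the brace style the plugin traces use keeps the record atomic: `logger.Debugf("Sign request: {ContentType: %v, Content: %s, SigningTime: %v, Expiry: %v, SigningScheme: %v, SigningAgent: %v}", signReq.Payload.ContentType, signReq.Payload.Content, signReq.SigningTime, signReq.Expiry, signReq.SigningScheme, signReq.SigningAgent)`. Sign's body continues outside the hunk.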

0 comments on commit e9545a7
