feat: add inspect blob commands #888
Conversation
rrsemlani
requested review from
gokarnm,
JeyJeyGao,
justincormack,
NiazFK,
priteshbandi,
rgnote,
shizhMSFT,
SteveLasker,
toddysm and
Two-Hearts
as code owners
rrsemlani
force-pushed
the
rsemlani_notation_inspect
branch
4 times, most recently
from
1ffee89 to
3b75784
Compare
|
Also as per spec we have a new field called |
rrsemlani
force-pushed
the
rsemlani_notation_inspect
branch
from
665c5f8 to
53d25cf
Compare
rrsemlani
force-pushed
the
rsemlani_notation_inspect
branch
from
53d25cf to
3272be7
Compare
rrsemlani
force-pushed
the
rsemlani_notation_inspect
branch
from
3272be7 to
9788c7a
Compare
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
rrsemlani
force-pushed
the
rsemlani_notation_inspect
branch
from
9788c7a to
7e8dbe0
Compare
Signed-off-by: Rishab Semlani <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #888 +/- ##
==========================================
+ Coverage 64.93% 71.05% +6.12%
==========================================
Files 45 49 +4
Lines 2729 2246 -483
==========================================
- Hits 1772 1596 -176
+ Misses 795 453 -342
- Partials 162 197 +35 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
| } | ||
| } | ||
|
|
||
| func Signatures(mediaType string, digest string, output InspectOutput, sigFile []byte) (error, []SignatureOutput) { |
There was a problem hiding this comment.
This function is called Signatures and returning an array of SignatureOutput, so it seems to be processing multiple signatures. However, from its input sigFile []byte and logic sigEnvelope, err := signature.ParseEnvelope(mediaType, sigFile), it actually can only process one signature per call. Please make sure this is by design.
| skippedSignatures := false | ||
| if err != nil { | ||
| logSkippedSignature(digest, err) | ||
| skippedSignatures = true |
There was a problem hiding this comment.
Since you are return nil, nil right after this line, toggling this local bool seems redundant?
|
|
||
| certListNode := sigNode.Add("certificates") | ||
| for _, cert := range signature.Certificates { | ||
| certNode := certListNode.AddPair("SHA256 fingerprint", cert.SHA256Fingerprint) |
There was a problem hiding this comment.
I have a use case that the user would like to have an array of SHA256 fingerprints, starting from the leaf cert to the root cert, in the output. For example, if the SHA256 fingerprints for leaf is aaaaa, for intermediate 1 is bbbbb, for intermediate 2 is ccccc, and for root is ddddd. Then when I run notation blob inspect my_sig, I could get an array ["aaaaa", "bbbbb", "ccccc", "ddddd"] from the final output.
The current implementation does not support it, where I have to copy/paste/assemble such an array myself. Can we add a new field to the output to show the array?
/cc: @yizha1 @FeynmanZhou
There was a problem hiding this comment.
Displaying duplicate information in CLI output is not recommended. Instead, users can opt to emit notation output in JSON format and utilize tools like jq to extract the desired text.
There was a problem hiding this comment.
Displaying duplicate information in CLI output is not recommended. Instead, users can opt to emit notation output in JSON format and utilize tools like jq to extract the desired text.
Asking users to do a jq on the output is extra work though, where we could save this effort for them by adding a field in the output. @yizha1 for your comments please.
There was a problem hiding this comment.
@priteshbandi Here is the scenario:
Users produce OCI signatures based on Notary Project specifications. When users attach signatures to OCI artifact in OCI registries, users need to add a specific annotation io.cncf.notary.x509chain.thumbprint#S256 per Notary Project OCI signature spec. It is not easy for users to 1) generate the fingerprints, 2) figure out the order based on the spec.
As blob inspect has all these information, so it will improve the user experience to get ordered x509 chain thumbprints in an easy way, and help more users to adopt Notary Project spec. So, my suggestion would be blob inspect to support output certificate SHA256 fingerprints with a new field under current certificates, for example
certificate SHA256 fingerprints: ["leaf-sha256-fingerprint","intermediate-sha256-fingerprint","root-sha256-fingerprint"]
This will not block this PR, if you agree, we can create a new issue to track this work. It will be a simple work, but save a big effort for our users.
shizhMSFT
changed the title
|
This PR is stale because it has been opened for 45 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days. |
Signed-off-by: Rishab Semlani <[email protected]>
Signed-off-by: Rishab Semlani <[email protected]>
|
This PR is stale because it has been opened for 45 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days. |
|
PR closed due to no activity in the past 30 days. |
Adding inspect blob commands.
Spec Pr used for ref: #811