fix(meta): add support for uploaded index when signing using notation

ci(notation): update to latest notation version Signed-off-by: Andreea-Lupu <[email protected]>
project-zot · Oct 4, 2023 · 22c1f94 · 22c1f94
1 parent ca1c328
commit 22c1f94
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 9 deletions.
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ STACKER := $(shell which stacker)
 GOLINTER := $(TOOLSDIR)/bin/golangci-lint
 GOLINTER_VERSION := v1.52.2
 NOTATION := $(TOOLSDIR)/bin/notation
-NOTATION_VERSION := 1.0.0-rc.4
+NOTATION_VERSION := 1.0.0
 COSIGN := $(TOOLSDIR)/bin/cosign
 COSIGN_VERSION := 2.2.0
 HELM := $(TOOLSDIR)/bin/helm

diff --git a/pkg/meta/parse.go b/pkg/meta/parse.go
@@ -299,6 +299,11 @@ func getNotationSignatureLayersInfo(
 		return layers, err
 	}
 
+	// skip if is a notation index
+	if manifestContent.MediaType == ispec.MediaTypeImageIndex {
+		return []mTypes.LayerInfo{}, nil
+	}
+
 	if len(manifestContent.Layers) != 1 {
 		log.Error().Err(zerr.ErrBadManifest).Str("repository", repo).Str("reference", manifestDigest).
 			Msg("load-repo: notation signature manifest requires exactly one layer but it does not")

diff --git a/pkg/meta/parse_test.go b/pkg/meta/parse_test.go
@@ -612,6 +612,19 @@ func TestGetSignatureLayersInfo(t *testing.T) {
 		So(layers, ShouldBeEmpty)
 	})
 
+	Convey("notation index", t, func() {
+		notationIndex := ispec.Index{
+			MediaType: ispec.MediaTypeImageIndex,
+		}
+
+		notationIndexBlob, err := json.Marshal(notationIndex)
+		So(err, ShouldBeNil)
+		layers, err := meta.GetSignatureLayersInfo("repo", "tag", "123", zcommon.NotationSignature, notationIndexBlob,
+			nil, log.NewLogger("debug", ""))
+		So(err, ShouldBeNil)
+		So(layers, ShouldBeEmpty)
+	})
+
 	Convey("error while unmarshaling manifest content", t, func() {
 		_, err := meta.GetSignatureLayersInfo("repo", "tag", "123", zcommon.CosignSignature, []byte("bad manifest"),
 			nil, log.NewLogger("debug", ""))

diff --git a/pkg/storage/storage.go b/pkg/storage/storage.go
@@ -214,6 +214,19 @@ func compareImageStore(root1, root2 string) bool {
 // - error: any errors that occur.
 func CheckIsImageSignature(repoName string, manifestBlob []byte, reference string,
 ) (bool, string, godigest.Digest, error) {
+	// check notation index signature
+	notationTagRule := regexp.MustCompile(`sha256\-[A-Za-z0-9]*$`)
+	if tag := reference; notationTagRule.MatchString(reference) {
+		prefixLen := len("sha256-")
+		digestLen := 64
+		signedImageManifestDigestEncoded := tag[prefixLen : prefixLen+digestLen]
+
+		signedImageManifestDigest := godigest.NewDigestFromEncoded(godigest.SHA256,
+			signedImageManifestDigestEncoded)
+
+		return true, NotationType, signedImageManifestDigest, nil
+	}
+
 	var manifestContent ispec.Manifest
 
 	err := json.Unmarshal(manifestBlob, &manifestContent)

diff --git a/test/blackbox/annotations.bats b/test/blackbox/annotations.bats
@@ -163,10 +163,10 @@ function teardown_file() {
 }
 EOF
 
-    run notation sign --key "notation-sign-test" --plain-http localhost:8080/annotations:latest
+    run notation sign --key "notation-sign-test" --insecure-registry localhost:8080/annotations:latest
     [ "$status" -eq 0 ]
-    run notation verify --plain-http localhost:8080/annotations:latest
+    run notation verify --insecure-registry localhost:8080/annotations:latest
     [ "$status" -eq 0 ]
-    run notation list --plain-http localhost:8080/annotations:latest
+    run notation list --insecure-registry localhost:8080/annotations:latest
     [ "$status" -eq 0 ]
 }
diff --git a/test/blackbox/sync.bats b/test/blackbox/sync.bats
@@ -291,27 +291,27 @@ function teardown_file() {
 }
 EOF
 
-    run notation sign --key "notation-sign-sync-test" --plain-http localhost:9000/golang:1.20
+    run notation sign --key "notation-sign-sync-test" --insecure-registry localhost:9000/golang:1.20
     [ "$status" -eq 0 ]
-    run notation verify --plain-http localhost:9000/golang:1.20
+    run notation verify --insecure-registry localhost:9000/golang:1.20
     [ "$status" -eq 0 ]
-    run notation list --plain-http localhost:9000/golang:1.20
+    run notation list --insecure-registry localhost:9000/golang:1.20
     [ "$status" -eq 0 ]
 }
 
 @test "sync signatures periodically" {
     # wait for signatures to be copied
     run sleep 15s
 
-    run notation verify --plain-http localhost:8081/golang:1.20
+    run notation verify --insecure-registry localhost:8081/golang:1.20
     [ "$status" -eq 0 ]
 
     run cosign verify --key ${BATS_FILE_TMPDIR}/cosign-sign-sync-test.pub localhost:8081/golang:1.20
     [ "$status" -eq 0 ]
 }
 
 @test "sync signatures ondemand" {
-    run notation verify --plain-http localhost:8082/golang:1.20
+    run notation verify --insecure-registry localhost:8082/golang:1.20
     [ "$status" -eq 0 ]
 
     run cosign verify --key ${BATS_FILE_TMPDIR}/cosign-sign-sync-test.pub localhost:8082/golang:1.20