From 22c1f9490ca04b08fc7d4b5284558f7826f61347 Mon Sep 17 00:00:00 2001 From: Andreea-Lupu Date: Wed, 4 Oct 2023 08:45:06 +0300 Subject: [PATCH] fix(meta): add support for uploaded index when signing using notation ci(notation): update to latest notation version Signed-off-by: Andreea-Lupu --- Makefile | 2 +- pkg/meta/parse.go | 5 +++++ pkg/meta/parse_test.go | 13 +++++++++++++ pkg/storage/storage.go | 13 +++++++++++++ test/blackbox/annotations.bats | 6 +++--- test/blackbox/sync.bats | 10 +++++----- 6 files changed, 40 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 01fea1ba08..3dfab59082 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ STACKER := $(shell which stacker) GOLINTER := $(TOOLSDIR)/bin/golangci-lint GOLINTER_VERSION := v1.52.2 NOTATION := $(TOOLSDIR)/bin/notation -NOTATION_VERSION := 1.0.0-rc.4 +NOTATION_VERSION := 1.0.0 COSIGN := $(TOOLSDIR)/bin/cosign COSIGN_VERSION := 2.2.0 HELM := $(TOOLSDIR)/bin/helm diff --git a/pkg/meta/parse.go b/pkg/meta/parse.go index d9317f65cf..6f307ee2c7 100644 --- a/pkg/meta/parse.go +++ b/pkg/meta/parse.go @@ -299,6 +299,11 @@ func getNotationSignatureLayersInfo( return layers, err } + // skip if is a notation index + if manifestContent.MediaType == ispec.MediaTypeImageIndex { + return []mTypes.LayerInfo{}, nil + } + if len(manifestContent.Layers) != 1 { log.Error().Err(zerr.ErrBadManifest).Str("repository", repo).Str("reference", manifestDigest). Msg("load-repo: notation signature manifest requires exactly one layer but it does not") diff --git a/pkg/meta/parse_test.go b/pkg/meta/parse_test.go index fcccea0bf0..dc85638fa8 100644 --- a/pkg/meta/parse_test.go +++ b/pkg/meta/parse_test.go 
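Review bot: The early return added to getNotationSignatureLayersInfo keys only on `manifestContent.MediaType`, and `mediaType` is an optional field in an OCI index, so an uploaded index that omits it would presumably fall through to the "requires exactly one layer" error on the lines below rather than being skipped. If that is the intended outcome, the comment should say so and the current `// skip if is a notation index` should be reworded, e.g. `// A notation signature may be pushed as an OCI index; it carries no layers to record, so return no layer info. Relies on the index declaring its mediaType.` The accompanying parse_test.go case only covers an index with mediaType set; a second case without it would pin whichever behaviour is intended. The function's signature and the rest of its body lie outside this hunk.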
@@ -612,6 +612,19 @@ func TestGetSignatureLayersInfo(t *testing.T) { So(layers, ShouldBeEmpty) }) + Convey("notation index", t, func() { + notationIndex := ispec.Index{ + MediaType: ispec.MediaTypeImageIndex, + } + + notationIndexBlob, err := json.Marshal(notationIndex) + So(err, ShouldBeNil) + layers, err := meta.GetSignatureLayersInfo("repo", "tag", "123", zcommon.NotationSignature, notationIndexBlob, + nil, log.NewLogger("debug", "")) + So(err, ShouldBeNil) + So(layers, ShouldBeEmpty) + }) + Convey("error while unmarshaling manifest content", t, func() { _, err := meta.GetSignatureLayersInfo("repo", "tag", "123", zcommon.CosignSignature, []byte("bad manifest"), nil, log.NewLogger("debug", "")) diff --git a/pkg/storage/storage.go b/pkg/storage/storage.go index 56da20b74e..dc88b8a722 100644 --- a/pkg/storage/storage.go +++ b/pkg/storage/storage.go @@ -214,6 +214,19 @@ func compareImageStore(root1, root2 string) bool { // - error: any errors that occur. func CheckIsImageSignature(repoName string, manifestBlob []byte, reference string, ) (bool, string, godigest.Digest, error) { + // check notation index signature + notationTagRule := regexp.MustCompile(`sha256\-[A-Za-z0-9]*$`) + if tag := reference; notationTagRule.MatchString(reference) { + prefixLen := len("sha256-") + digestLen := 64 + signedImageManifestDigestEncoded := tag[prefixLen : prefixLen+digestLen] + + signedImageManifestDigest := godigest.NewDigestFromEncoded(godigest.SHA256, + signedImageManifestDigestEncoded) + + return true, NotationType, signedImageManifestDigest, nil + } + var manifestContent ispec.Manifest err := json.Unmarshal(manifestBlob, &manifestContent) diff --git a/test/blackbox/annotations.bats b/test/blackbox/annotations.bats index dc9f9e3ab1..67670aed6d 100644 --- a/test/blackbox/annotations.bats +++ b/test/blackbox/annotations.bats 
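Review bot: The tag check added at the top of CheckIsImageSignature can panic on a reference that matches the pattern but is shorter than 71 characters: `sha256\-[A-Za-z0-9]*$` accepts `sha256-` followed by any number of alphanumerics (including none) and is not anchored at the start, so a client-supplied tag such as `sha256-abc` passes MatchString and `tag[prefixLen : prefixLen+digestLen]` slices past the end of the string, a crash reachable from a push unless something upstream recovers. The same slice reads from offset 7 even when `sha256-` occurs later in the tag, and the character class admits uppercase and non-hex characters that NewDigestFromEncoded does not validate. Anchoring the pattern to exactly 64 lowercase hex digits, compiling it once at package level instead of on every call, and dropping the needless `tag := reference` alias fixes all three; note also that this branch now classifies an artifact as a notation signature from the tag shape alone, before manifestBlob is inspected, which deserves a comment if intentional. The rest of the function, which unmarshals manifestBlob, continues past this hunk.
```go
// notationTagRule matches a tag of the form sha256-<64 lowercase hex>, the reference
// under which a notation signature index is pushed.
var notationTagRule = regexp.MustCompile(`^sha256-[a-f0-9]{64}$`)

func CheckIsImageSignature(repoName string, manifestBlob []byte, reference string,
) (bool, string, godigest.Digest, error) {
	// Notation index signature: the tag alone names the signed manifest digest,
	// so the blob content is not consulted on this path.
	if notationTagRule.MatchString(reference) {
		signedImageManifestDigest := godigest.NewDigestFromEncoded(godigest.SHA256,
			reference[len("sha256-"):])

		return true, NotationType, signedImageManifestDigest, nil
	}

	// … unchanged: manifestBlob unmarshal and remaining signature checks …
```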
@@ -163,10 +163,10 @@ function teardown_file() { } EOF - run notation sign --key "notation-sign-test" --plain-http localhost:8080/annotations:latest + run notation sign --key "notation-sign-test" --insecure-registry localhost:8080/annotations:latest [ "$status" -eq 0 ] - run notation verify --plain-http localhost:8080/annotations:latest + run notation verify --insecure-registry localhost:8080/annotations:latest [ "$status" -eq 0 ] - run notation list --plain-http localhost:8080/annotations:latest + run notation list --insecure-registry localhost:8080/annotations:latest [ "$status" -eq 0 ] } diff --git a/test/blackbox/sync.bats b/test/blackbox/sync.bats index 02bb92b595..07f298c4ea 100644 --- a/test/blackbox/sync.bats +++ b/test/blackbox/sync.bats @@ -291,11 +291,11 @@ function teardown_file() { } EOF - run notation sign --key "notation-sign-sync-test" --plain-http localhost:9000/golang:1.20 + run notation sign --key "notation-sign-sync-test" --insecure-registry localhost:9000/golang:1.20 [ "$status" -eq 0 ] - run notation verify --plain-http localhost:9000/golang:1.20 + run notation verify --insecure-registry localhost:9000/golang:1.20 [ "$status" -eq 0 ] - run notation list --plain-http localhost:9000/golang:1.20 + run notation list --insecure-registry localhost:9000/golang:1.20 [ "$status" -eq 0 ] } @@ -303,7 +303,7 @@ EOF # wait for signatures to be copied run sleep 15s - run notation verify --plain-http localhost:8081/golang:1.20 + run notation verify --insecure-registry localhost:8081/golang:1.20 [ "$status" -eq 0 ] run cosign verify --key ${BATS_FILE_TMPDIR}/cosign-sign-sync-test.pub localhost:8081/golang:1.20 @@ -311,7 +311,7 @@ EOF } @test "sync signatures ondemand" { - run notation verify --plain-http localhost:8082/golang:1.20 + run notation verify --insecure-registry localhost:8082/golang:1.20 [ "$status" -eq 0 ] run cosign verify --key ${BATS_FILE_TMPDIR}/cosign-sign-sync-test.pub localhost:8082/golang:1.20