Verification helpers #72
Conversation
Signed-off-by: rgnote <[email protected]>
Signed-off-by: rgnote <[email protected]>
Signed-off-by: rgnote <[email protected]>
// TrustStores this policy statement uses
TrustStores []string `json:"trustStores,omitempty"`
Shouldn't we update the spec first then the code?
We discussed this change in yesterday's call. Made the code update as it is minor. If the spec deviates, I can come back and make those changes.
@shizhMSFT I'll be submitting a spec PR for this, we discussed the change and use case in Thursday's call. Rakesh has been working on verification workflow logic and it was simpler to update it in a single pass.
Related spec update PR.
verification/helpers.go
Outdated
func getArtifactDigestFromUri(artifactUri string) (string, error) {
	i := strings.LastIndex(artifactUri, ":")
	if i < 0 {
		return "", fmt.Errorf("artifact URI %q could not be parsed, make sure it is the fully qualified OCI artifact URI without the scheme/protocol. e.g domain.com:80/my/repository:digest", artifactUri)
Is `digest` a digest like sha256:xxx or a tag like v1?
Spec is not supporting tags yet. We can come back and update this code when we support tags.
`domain.com:80/my/repository:digest`: this reference string makes me confused. If it is for a digest, it should be in the form of `domain.com:80/my/repository@digest`. That is, `@` instead of `:`.
Signed-off-by: rgnote <[email protected]>
Signed-off-by: rgnote <[email protected]>
Signed-off-by: rgnote <[email protected]>
Signed-off-by: rgnote <[email protected]>
LGTM!
lgtm
verification/helpers_test.go
Outdated
	digest  string
	wantErr bool
}{
	{"domain.com:80/repository:digest", "digest", false},
We should set `wantErr: true` for this case.
Updated the code to accept `domain.com:80/repository@<alg>:<digest>`. My understanding is that `<alg>` is not included when querying manifests from the registry, is that correct? Or the entire thing `<alg>:<digest>` is considered a digest and we need to use that when resolving?
NVM. Alg is needed to query with a digest. I addressed it in the latest revision
Signed-off-by: rgnote <[email protected]>
Signed-off-by: rgnote <[email protected]>
LGTM
func getArtifactDigestFromUri(artifactUri string) (string, error) {
	invalidUriErr := fmt.Errorf("artifact URI %q could not be parsed, make sure it is the fully qualified OCI artifact URI without the scheme/protocol. e.g domain.com:80/my/repository@sha256:digest", artifactUri)
	i := strings.LastIndex(artifactUri, "@")
	if i < 0 || i+1 == len(artifactUri) {
		return "", invalidUriErr
	}

	j := strings.LastIndex(artifactUri[i+1:], ":")
	if j < 0 || j+1 == len(artifactUri[i+1:]) {
		return "", invalidUriErr
	}

	return artifactUri[i+1:], nil
}
This block of code is workable but fragile. Try registry.ParseReference().
Note: A digest is usually with the algorithm, not just the hash value.
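Added example, not code from this PR or from notation-go: a reference parser that addresses the two review points above, separating the registry port from a tag before any `:` is examined and keeping the algorithm as part of the digest. `ParseReference`, `DigestFromReference` and the hex-length table are assumptions of this example, not the project's API or oras-go's `registry.ParseReference()`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Reference is a parsed OCI reference; Digest, when set, always keeps its algorithm prefix.
type Reference struct{ Registry, Repository, Tag, Digest string }

// OCI image-spec digest grammar <algorithm>:<encoded>; known algorithms have fixed hex lengths
// (assumed table for this example), so a truncated digest is rejected rather than accepted.
var digestRE = regexp.MustCompile(`^([a-z0-9]+(?:[.+_-][a-z0-9]+)*):([a-zA-Z0-9=_-]+)$`)
var hexLen = map[string]int{"sha256": 64, "sha512": 128}

// ParseReference splits "<host[:port]>/<repo>[:tag|@alg:hex]". The host is cut off at the
// first "/" before any ":" is examined, so a registry port is never mistaken for a tag.
func ParseReference(ref string) (r Reference, err error) {
	slash := strings.Index(ref, "/")
	if strings.Contains(ref, "://") || slash <= 0 {
		return r, fmt.Errorf("reference %q must be host[:port]/repo without a scheme", ref)
	}
	r.Registry, ref = ref[:slash], ref[slash+1:]
	if at := strings.Index(ref, "@"); at >= 0 {
		r.Repository, r.Digest = ref[:at], ref[at+1:]
		m := digestRE.FindStringSubmatch(r.Digest)
		if m == nil {
			return r, fmt.Errorf("digest %q must be <algorithm>:<encoded>", r.Digest)
		}
		if want := hexLen[m[1]]; want != 0 && len(m[2]) != want {
			return r, fmt.Errorf("%s digest must be %d hex characters, got %d", m[1], want, len(m[2]))
		}
	} else if colon := strings.LastIndex(ref, ":"); colon < 0 {
		r.Repository = ref
	} else if r.Repository, r.Tag = ref[:colon], ref[colon+1:]; r.Tag == "" {
		return r, fmt.Errorf("reference %q has an empty tag", ref)
	}
	if r.Repository == "" {
		return r, fmt.Errorf("reference %q has an empty repository", ref)
	}
	return r, nil
}

// DigestFromReference mirrors the reviewed helper's contract: it yields the digest
// (algorithm included, as the registry needs it) and rejects tag-only references.
func DigestFromReference(ref string) (string, error) {
	r, err := ParseReference(ref)
	if err == nil && r.Digest == "" {
		err = fmt.Errorf("reference %q has no digest; tags are not supported yet", ref)
	}
	return r.Digest, err
}
```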
* Add verification helpers
* fix build

Signed-off-by: rgnote <[email protected]>
Signed-off-by: Junjie Gao <[email protected]>
Changes:
- trustPolicy.TrustStore to trustPolicy.TrustStores
- Type field to X509TrustStore to be able to filter trust stores based on their type
- VerificationResult and SignatureVerificationOutcome types to encapsulate verification results.