From b8136e2c8045e1544996962260412fb8161ff7fc Mon Sep 17 00:00:00 2001
From: Pritesh Bandi
Date: Thu, 21 Mar 2024 12:40:21 -0700
Subject: [PATCH 1/3] fix: Add contract version to plugin sign request and plugin verify request (#390)

Add contract version to plugin sign request and plugin verify request. As per [specification](https://github.com/notaryproject/specifications/blob/main/specs/plugin-extensibility.md) `contractVersion` is a mandatory field.

Signed-off-by: Pritesh Bandi
---
 signer/plugin.go | 17 ++++++++++-------
 verifier/verifier.go | 7 ++++---
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/signer/plugin.go b/signer/plugin.go
index d0c96e6b..37bb352d 100644
--- a/signer/plugin.go
+++ b/signer/plugin.go
@@ -180,6 +180,7 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
 	}
 	// Execute plugin sign command.
 	req := &plugin.GenerateEnvelopeRequest{
+		ContractVersion:       plugin.ContractVersion,
 		KeyID:                 s.keyID,
 		Payload:               payloadBytes,
 		SignatureEnvelopeType: opts.SignatureMediaType,
@@ -247,8 +248,9 @@ func (s *PluginSigner) mergeConfig(config map[string]string) map[string]string {
 
 func (s *PluginSigner) describeKey(ctx context.Context, config map[string]string) (*plugin.DescribeKeyResponse, error) {
 	req := &plugin.DescribeKeyRequest{
-		KeyID:        s.keyID,
-		PluginConfig: config,
+		ContractVersion: plugin.ContractVersion,
+		KeyID:           s.keyID,
+		PluginConfig:    config,
 	}
 	resp, err := s.plugin.DescribeKey(ctx, req)
 	if err != nil {
@@ -344,11 +346,12 @@ func (s *pluginPrimitiveSigner) Sign(payload []byte) ([]byte, []*x509.Certificat
 	}
 
 	req := &plugin.GenerateSignatureRequest{
-		KeyID:        s.keyID,
-		KeySpec:      keySpec,
-		Hash:         keySpecHash,
-		Payload:      payload,
-		PluginConfig: s.pluginConfig,
+		ContractVersion: plugin.ContractVersion,
+		KeyID:           s.keyID,
+		KeySpec:         keySpec,
+		Hash:            keySpecHash,
+		Payload:         payload,
+		PluginConfig:    s.pluginConfig,
 	}
 
 	resp, err := s.plugin.GenerateSignature(s.ctx, req)
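Review bot: None of the three request literals gaining `ContractVersion` in this file is pinned by a test — the diffstat lists only signer/plugin.go and verifier/verifier.go — so a request type that later omits the field, or a plugin that rejects the advertised version, would only be noticed at runtime against a real plugin. A test double that records the request handed to DescribeKey, GenerateSignature and GenerateEnvelope and asserts `req.ContractVersion == plugin.ContractVersion` would pin it; the VerifySignatureRequest hunk in verifier/verifier.go has the same gap. The hunks also do not show where the advertised version is reconciled with the versions the plugin itself reports as supported; a one-line comment at the first literal, `// ContractVersion is mandatory per the plugin spec (contractVersion).`, plus a pointer to wherever plugin metadata is validated for that compatibility check if it exists elsewhere, would spare the next reader the search. generateSignatureEnvelope, describeKey and Sign each start or end outside their hunks.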
diff --git a/verifier/verifier.go b/verifier/verifier.go
index 81fe30f8..e6436050 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -681,9 +681,10 @@ func executePlugin(ctx context.Context, installedPlugin pluginframework.VerifyPl
 	}
 
 	req := &pluginframework.VerifySignatureRequest{
-		Signature:    signature,
-		TrustPolicy:  policy,
-		PluginConfig: pluginConfig,
+		ContractVersion: pluginframework.ContractVersion,
+		Signature:       signature,
+		TrustPolicy:     policy,
+		PluginConfig:    pluginConfig,
 	}
 	return installedPlugin.VerifySignature(ctx, req)
 }

From 57ff8e68a0a8770ca7d47f0579b11fbc2338e176 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 28 Mar 2024 00:52:54 +0800
Subject: [PATCH 2/3] bump: bump golang and dependency versions (#392)

bumping up oras-go to v2.5.0 along with golang version to v1.21.

Signed-off-by: Patrick Zheng
---
 go.mod | 8 ++++----
 go.sum | 12 ++++++------
 registry/repository.go | 2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index ecb4bd05..6a78eeab 100644
--- a/go.mod
+++ b/go.mod
@@ -1,22 +1,22 @@
 module github.com/notaryproject/notation-go
 
-go 1.20
+go 1.21
 
 require (
 	github.com/go-ldap/ldap/v3 v3.4.6
-	github.com/notaryproject/notation-core-go v1.0.2
+	github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/veraison/go-cose v1.1.0
 	golang.org/x/crypto v0.21.0
 	golang.org/x/mod v0.16.0
-	oras.land/oras-go/v2 v2.4.0
+	oras.land/oras-go/v2 v2.5.0
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/fxamacker/cbor/v2 v2.5.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/google/uuid v1.3.1 // indirect
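Review bot: The notation-core-go requirement in the go.mod hunk moves to the pseudo-version `v1.0.3-0.20240325061945-807a3386734e`, an untagged upstream commit, while the commit message mentions only the oras-go and Go version bumps. Because this module is itself a library, the pin propagates to every downstream consumer through minimum version selection and bypasses whatever release review a tagged core-go version would receive. If an unreleased change is genuinely required, the message should name it and a follow-up should move the requirement to the tagged release once it exists.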
diff --git a/go.sum b/go.sum
index 62b45020..725505f1 100644
--- a/go.sum
+++ b/go.sum
@@ -5,8 +5,8 @@ github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1L
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE=
-github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
+github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
@@ -15,8 +15,8 @@ github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOW
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/notaryproject/notation-core-go v1.0.2 h1:VEt+mbsgdANd9b4jqgmx2C7U0DmwynOuD2Nhxh3bANw=
-github.com/notaryproject/notation-core-go v1.0.2/go.mod h1:2HkQzUwg08B3x9oVIztHsEh7Vil2Rj+tYgxH+JObLX4=
+github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo=
+github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -82,5 +82,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs=
-oras.land/oras-go/v2 v2.4.0/go.mod h1:osvtg0/ClRq1KkydMAEu/IxFieyjItcsQ4ut4PPF+f8=
+oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c=
+oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg=
diff --git a/registry/repository.go b/registry/repository.go
index 908040f8..e778613a 100644
--- a/registry/repository.go
+++ b/registry/repository.go
@@ -215,7 +215,7 @@ func (c *repositoryClient) uploadSignatureManifest(ctx context.Context, subject,
 		ConfigDescriptor: &configDesc,
 	}
 
-	return oras.PackManifest(ctx, c.GraphTarget, oras.PackManifestVersion1_1_RC4, "", opts)
+	return oras.PackManifest(ctx, c.GraphTarget, oras.PackManifestVersion1_1, "", opts)
 }
 
 // pushNotationManifestConfig pushes an empty notation manifest config, if it

From fbf15e6c8c73dd03f8813168b40726448fb97b34 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 2 Apr 2024 04:23:42 +0000
Subject: [PATCH 3/3] build(deps): bump actions/stale from 8 to 9 (#391)

---
 .github/workflows/stale.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 7964fdd8..2afc2552 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -20,7 +20,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
         with:
           stale-issue-message: "This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days."
           stale-pr-message: "This PR is stale because it has been opened for 45 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days."