From ae0d432efbb2d75910e5fecaf391200ee6660a61 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 25 Feb 2025 17:07:51 +0800 Subject: [PATCH] feat: OCI 1.1 support (#1192) Signed-off-by: Patrick Zheng --- cmd/notation/inspect.go | 13 ++--- cmd/notation/list.go | 16 ++---- cmd/notation/registry.go | 4 +- cmd/notation/sign.go | 15 +----- cmd/notation/sign_test.go | 2 +- cmd/notation/verify.go | 8 +-- internal/cmd/flags.go | 11 +--- specs/commandline/sign.md | 3 +- test/e2e/suite/command/inspect.go | 34 ------------ test/e2e/suite/command/list.go | 46 ---------------- test/e2e/suite/command/sign.go | 89 +++++-------------------------- test/e2e/suite/command/verify.go | 34 ------------ test/e2e/suite/plugin/sign.go | 8 +-- 13 files changed, 33 insertions(+), 250 deletions(-) diff --git a/cmd/notation/inspect.go b/cmd/notation/inspect.go index 673d15608..3727970e9 100644 --- a/cmd/notation/inspect.go +++ b/cmd/notation/inspect.go @@ -21,7 +21,6 @@ import ( "github.com/notaryproject/notation-core-go/signature" "github.com/notaryproject/notation/cmd/notation/internal/display" cmderr "github.com/notaryproject/notation/cmd/notation/internal/errors" - "github.com/notaryproject/notation/cmd/notation/internal/experimental" "github.com/notaryproject/notation/cmd/notation/internal/option" "github.com/notaryproject/notation/internal/cmd" ocispec "github.com/opencontainers/image-spec/specs-go/v1" @@ -33,9 +32,8 @@ type inspectOpts struct { SecureFlagOpts option.Common option.Format - reference string - allowReferrersAPI bool - maxSignatures int + reference string + maxSignatures int } func inspectCommand(opts *inspectOpts) *cobra.Command { 
@@ -69,23 +67,18 @@ Example - Inspect signatures on an OCI artifact identified by a digest and outpu return err } opts.Common.Parse(cmd) - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api") + return nil }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } - if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") - } return runInspect(cmd, opts) }, } - opts.LoggingFlagOpts.ApplyFlags(command.Flags()) opts.SecureFlagOpts.ApplyFlags(command.Flags()) command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "inspect")) // set output format opts.Format.ApplyFlags(command.Flags(), option.FormatTypeTree, option.FormatTypeJSON) diff --git a/cmd/notation/list.go b/cmd/notation/list.go index 387134907..1b9c1c477 100644 --- a/cmd/notation/list.go +++ b/cmd/notation/list.go @@ -17,7 +17,6 @@ import ( "context" "errors" "fmt" - "os" notationregistry "github.com/notaryproject/notation-go/registry" cmderr "github.com/notaryproject/notation/cmd/notation/internal/errors" @@ -31,11 +30,10 @@ import ( type listOpts struct { cmd.LoggingFlagOpts SecureFlagOpts - reference string - allowReferrersAPI bool - ociLayout bool - inputType inputType - maxSignatures int + reference string + ociLayout bool + inputType inputType + maxSignatures int } func listCommand(opts *listOpts) *cobra.Command { 
@@ -75,21 +73,17 @@ Example - [Experimental] List signatures of an OCI artifact identified by a tag if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout") + return experimental.CheckFlagsAndWarn(cmd, "oci-layout") }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatures <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatures) } - if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") - } return runList(cmd.Context(), opts) }, } opts.LoggingFlagOpts.ApplyFlags(command.Flags()) opts.SecureFlagOpts.ApplyFlags(command.Flags()) - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "list")) command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] list signatures stored in OCI image layout") command.Flags().IntVar(&opts.maxSignatures, "max-signatures", 100, "maximum number of signatures to evaluate or examine") experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) diff --git a/cmd/notation/registry.go b/cmd/notation/registry.go index bc9352179..3be53c5ae 100644 --- a/cmd/notation/registry.go +++ b/cmd/notation/registry.go @@ -83,12 +83,10 @@ func getRemoteRepository(ctx context.Context, opts *SecureFlagOpts, reference st } if forceReferrersTag { - logger.Info("The referrers tag schema is always attempted") + logger.Info("Force to store signatures using the referrers tag schema") if err := remoteRepo.SetReferrersCapability(false); err != nil { return nil, err } - } else { - logger.Info("Allowed to access the referrers API, fallback if not supported") } return notationregistry.NewRepository(remoteRepo), nil } diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go index 215b759c2..e85da5d30 100644 
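Review bot: In the registry.go hunk, dropping the `else` branch leaves getRemoteRepository silent about which signature discovery path is in use when `forceReferrersTag` is false, and the flags.go change in this commit makes false the default. When a verifier reports that no signature was found, the verbose log is the first place an operator looks to see whether the Referrers API or the tag schema was queried. I would keep one line for that path, for example `} else { logger.Info("Using the Referrers API, falling back to the referrers tag schema if not supported") }`. The function body starts outside the hunk, so it is not visible whether other commands share this log text.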
--- a/cmd/notation/sign.go +++ b/cmd/notation/sign.go @@ -51,7 +51,6 @@ type signOpts struct { pluginConfig []string userMetadata []string reference string - allowReferrersAPI bool forceReferrersTag bool ociLayout bool inputType inputType @@ -116,7 +115,7 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced if opts.ociLayout { opts.inputType = inputTypeOCILayout } - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout") + return experimental.CheckFlagsAndWarn(cmd, "oci-layout") }, RunE: func(cmd *cobra.Command, args []string) error { // timestamping @@ -129,15 +128,6 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced } } - // allow-referrers-api flag is set - if cmd.Flags().Changed("allow-referrers-api") { - if opts.allowReferrersAPI { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.") - opts.forceReferrersTag = false - } else { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") - } - } return runSign(cmd, opts) }, } 
@@ -147,12 +137,11 @@ Example - [Experimental] Sign an OCI artifact identified by a tag and referenced cmd.SetPflagExpiry(command.Flags(), &opts.expiry) cmd.SetPflagPluginConfig(command.Flags(), &opts.pluginConfig) cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataSignUsage) - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "sign")) command.Flags().StringVar(&opts.tsaServerURL, "timestamp-url", "", "RFC 3161 Timestamping Authority (TSA) server URL") command.Flags().StringVar(&opts.tsaRootCertificatePath, "timestamp-root-cert", "", "filepath of timestamp authority root certificate") cmd.SetPflagReferrersTag(command.Flags(), &opts.forceReferrersTag, "force to store signatures using the referrers tag schema") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] sign the artifact stored as OCI image layout") - command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag", "allow-referrers-api") + command.MarkFlagsMutuallyExclusive("oci-layout", "force-referrers-tag") command.MarkFlagsRequiredTogether("timestamp-url", "timestamp-root-cert") experimental.HideFlags(command, experimentalExamples, []string{"oci-layout"}) return command diff --git a/cmd/notation/sign_test.go b/cmd/notation/sign_test.go index c98b80817..c7270bac9 100644 --- a/cmd/notation/sign_test.go +++ b/cmd/notation/sign_test.go @@ -36,7 +36,7 @@ func TestSignCommand_BasicArgs(t *testing.T) { Key: "key", SignatureFormat: envelope.JWS, }, - forceReferrersTag: true, + forceReferrersTag: false, } if err := command.ParseFlags([]string{ expected.reference, diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go index ecfec843a..acf217fc7 100644 --- a/cmd/notation/verify.go +++ b/cmd/notation/verify.go @@ -16,7 +16,6 @@ package main import ( "errors" "fmt" - "os" "github.com/notaryproject/notation-go" "github.com/notaryproject/notation/cmd/notation/internal/display" 
@@ -36,7 +35,6 @@ type verifyOpts struct { reference string pluginConfig []string userMetadata []string - allowReferrersAPI bool ociLayout bool trustPolicyScope string inputType inputType @@ -82,15 +80,12 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t opts.inputType = inputTypeOCILayout } opts.Common.Parse(cmd) - return experimental.CheckFlagsAndWarn(cmd, "allow-referrers-api", "oci-layout", "scope") + return experimental.CheckFlagsAndWarn(cmd, "oci-layout", "scope") }, RunE: func(cmd *cobra.Command, args []string) error { if opts.maxSignatureAttempts <= 0 { return fmt.Errorf("max-signatures value %d must be a positive number", opts.maxSignatureAttempts) } - if cmd.Flags().Changed("allow-referrers-api") { - fmt.Fprintln(os.Stderr, "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.") - } return runVerify(cmd, opts) }, } @@ -98,7 +93,6 @@ Example - [Experimental] Verify a signature on an OCI artifact identified by a t opts.SecureFlagOpts.ApplyFlags(command.Flags()) command.Flags().StringArrayVar(&opts.pluginConfig, "plugin-config", nil, "{key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values") cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataVerifyUsage) - cmd.SetPflagReferrersAPI(command.Flags(), &opts.allowReferrersAPI, fmt.Sprintf(cmd.PflagReferrersUsageFormat, "verify")) command.Flags().IntVar(&opts.maxSignatureAttempts, "max-signatures", 100, "maximum number of signatures to evaluate or examine") command.Flags().BoolVar(&opts.ociLayout, "oci-layout", false, "[Experimental] verify the artifact stored as OCI image layout") command.Flags().StringVar(&opts.trustPolicyScope, "scope", "", "[Experimental] set trust policy scope for artifact verification, required and can only be used when flag \"--oci-layout\" is set") 
diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 0b63be85e..a9d458661 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -101,20 +101,11 @@ var ( fs.StringArrayVarP(p, PflagUserMetadata.Name, PflagUserMetadata.Shorthand, nil, usage) } - PflagReferrersAPI = &pflag.Flag{ - Name: "allow-referrers-api", - } - PflagReferrersUsageFormat = "[Experimental] use the Referrers API to %s signatures, if not supported (returns 404), fallback to the Referrers tag schema" - SetPflagReferrersAPI = func(fs *pflag.FlagSet, p *bool, usage string) { - fs.BoolVar(p, PflagReferrersAPI.Name, false, usage) - fs.MarkHidden(PflagReferrersAPI.Name) - } - PflagReferrersTag = &pflag.Flag{ Name: "force-referrers-tag", } SetPflagReferrersTag = func(fs *pflag.FlagSet, p *bool, usage string) { - fs.BoolVar(p, PflagReferrersTag.Name, true, usage) + fs.BoolVar(p, PflagReferrersTag.Name, false, usage) } ) diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md index efc5dd6c0..379fe86d4 100644 --- a/specs/commandline/sign.md +++ b/specs/commandline/sign.md @@ -30,7 +30,7 @@ Usage: notation sign [flags] Flags: - --force-referrers-tag force to store signatures using the referrers tag schema (default true) + --force-referrers-tag force to store signatures using the referrers tag schema -d, --debug debug mode -e, --expiry duration optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes(m) and/or hours(h). For example: 12h, 30m, 3h20m -h, --help help for sign 
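Review bot: `SetPflagReferrersTag` in the flags.go hunk flips the default of `--force-referrers-tag` from true to false with no comment recording what that means for existing signers and verifiers. Judging by the e2e changes in this commit that replace `OldNotation()` verification, signatures written under the new default may not be found by clients that only read the referrers tag schema; that is an inference from the tests, not something this hunk shows. A doc comment would make the contract explicit: `// SetPflagReferrersTag registers --force-referrers-tag (default false). When unset, signatures are stored through the Referrers API if the registry supports it; set it to keep the referrers tag schema for verifiers that only read tags.` The enclosing `var (` block starts outside the hunk.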
@@ -205,7 +205,6 @@ export NOTATION_EXPERIMENTAL=1 notation list --oci-layout hello-world@sha256:xxx ``` -[oci-artifact-manifest]: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/artifact.md [oci-image-spec]: https://github.com/opencontainers/image-spec/blob/v1.1.0/spec.md [oci-referers-api]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers [oci-image-layout]: https://github.com/opencontainers/image-spec/blob/v1.1.0/image-layout.md diff --git a/test/e2e/suite/command/inspect.go b/test/e2e/suite/command/inspect.go index 405643fec..a811855f6 100644 --- a/test/e2e/suite/command/inspect.go +++ b/test/e2e/suite/command/inspect.go 
@@ -131,40 +131,6 @@ var _ = Describe("notation inspect", func() { }) }) - It("sign with --allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(inspectSuccessfully...) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(inspectSuccessfully...) - }) - }) - - It("sign with --allow-referrers-api set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(inspectSuccessfully...) - - notation.Exec("inspect", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(inspectSuccessfully...) - }) - }) - It("with timestamping", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.Exec("sign", "--timestamp-url", "http://rfc3161timestamp.globalsign.com/advanced", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()). 
diff --git a/test/e2e/suite/command/list.go b/test/e2e/suite/command/list.go index 889ccb396..7599ae949 100644 --- a/test/e2e/suite/command/list.go +++ b/test/e2e/suite/command/list.go @@ -111,50 +111,4 @@ var _ = Describe("notation list", func() { ) }) }) - - It("sign with --allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - - notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - }) - }) - - It("sign with --allow-referrers-api set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("list", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - - notation.Exec("list", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords( - "└── application/vnd.cncf.notary.signature", - "└── sha256:", - ) - }) - }) }) 
diff --git a/test/e2e/suite/command/sign.go b/test/e2e/suite/command/sign.go index 590c5a6ad..970529ee5 100644 --- a/test/e2e/suite/command/sign.go +++ b/test/e2e/suite/command/sign.go @@ -30,11 +30,11 @@ var _ = Describe("notation sign", func() { notation.Exec("sign", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - OldNotation().WithDescription("verify by digest"). + notation.WithDescription("verify by digest"). Exec("verify", artifact.ReferenceWithDigest()). MatchKeyWords(VerifySuccessfully) - OldNotation().WithDescription("verify by tag"). + notation.WithDescription("verify by tag"). Exec("verify", artifact.ReferenceWithTag()). MatchKeyWords(VerifySuccessfully) }) @@ -45,11 +45,11 @@ var _ = Describe("notation sign", func() { notation.Exec("sign", "--signature-format", "cose", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - OldNotation().WithDescription("verify by digest"). + notation.WithDescription("verify by digest"). Exec("verify", artifact.ReferenceWithTag()). MatchKeyWords(VerifySuccessfully) - OldNotation().WithDescription("verify by tag"). + notation.WithDescription("verify by tag"). Exec("verify", artifact.ReferenceWithTag()). MatchKeyWords(VerifySuccessfully) }) @@ -61,7 +61,7 @@ var _ = Describe("notation sign", func() { Exec("sign", artifact.ReferenceWithTag(), "--signature-format", "jws"). MatchKeyWords(SignSuccessfully) - OldNotation().WithDescription("verify JWS signature"). + notation.WithDescription("verify JWS signature"). Exec("verify", artifact.ReferenceWithTag()). MatchKeyWords(VerifySuccessfully) }) 
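Review bot: In the `@@ -45,11 +45,11 @@` hunk the step described as "verify by digest" still calls `Exec("verify", artifact.ReferenceWithTag())`, so the COSE case verifies by tag twice and never by digest. Since this commit rewrites that statement anyway, the call should become `Exec("verify", artifact.ReferenceWithDigest()).` to match the description and the JWS case in the `@@ -30,11 +30,11 @@` hunk. Digest references are the form a deployment pipeline should pin, so that path deserves its own assertion.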
@@ -73,19 +73,19 @@ var _ = Describe("notation sign", func() { Exec("sign", artifact.ReferenceWithTag(), "--signature-format", "cose"). MatchKeyWords(SignSuccessfully) - OldNotation().WithDescription("verify COSE signature"). + notation.WithDescription("verify COSE signature"). Exec("verify", artifact.ReferenceWithTag()). MatchKeyWords(VerifySuccessfully) }) }) - It("with force-referrers-tag set", func() { + It("with force-referrers-tag set to true", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { notation.WithDescription("store signature with referrers tag schema"). - Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag"). + Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag=true"). MatchKeyWords(SignSuccessfully) - OldNotation().WithDescription("verify by tag schema"). + notation.WithDescription("verify by tag schema"). Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchKeyWords(VerifySuccessfully) }) 
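Review bot: The "with force-referrers-tag set to true" case and the "set to false" case in the following hunk now both sign and verify with the same binary and assert only `VerifySuccessfully`, so neither shows which storage path was actually used. A regression that ignored the flag would pass both. Assuming info-level logs reach stderr under `-v`, the sign call could add `-v` and `MatchErrKeyWords("Force to store signatures using the referrers tag schema")` for the true case, with `NoMatchErrKeyWords(...)` on the same string for the false case. The diffstat does not touch the `OldNotation` helper, so keeping `OldNotation()` for the verify step of the tag-schema case would also preserve a cross-version check; whether an older client can read the new default is not visible here.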
@@ -97,66 +97,12 @@ var _ = Describe("notation sign", func() { Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag=false"). MatchKeyWords(SignSuccessfully) - OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). - Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("with allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions, use '--force-referrers-tag=false' instead.", - ). - MatchKeyWords(SignSuccessfully) - - OldNotation(BaseOptionsWithExperimental()...).WithDescription("verify by referrers api"). - Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("with allow-referrers-api set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with referrers tag schema"). - Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api=false"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(SignSuccessfully) - - OldNotation().WithDescription("verify by tag schema"). + notation.WithDescription("verify by referrers api"). Exec("verify", artifact.ReferenceWithDigest(), "-v"). 
MatchKeyWords(VerifySuccessfully) }) }) - It("with both force-referrers-tag and allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - ExpectFailure(). - Exec("sign", artifact.ReferenceWithDigest(), "--force-referrers-tag", "--allow-referrers-api"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "[allow-referrers-api force-referrers-tag] were all set", - ) - }) - }) - - It("with allow-referrers-api set and experimental off", func() { - Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.WithDescription("store signature with Referrers API"). - ExpectFailure(). - Exec("sign", artifact.ReferenceWithDigest(), "--allow-referrers-api"). - MatchErrKeyWords( - "Error: flag(s) --allow-referrers-api in \"notation sign\" is experimental and not enabled by default.") - }) - }) - It("with specific key", func() { Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { const keyName = "sKey" @@ -165,13 +111,6 @@ var _ = Describe("notation sign", func() { notation.Exec("sign", "--key", keyName, artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - - // copy the generated cert file and create the new trust policy for verify signature with generated new key. - OldNotation(AuthOption("", ""), - AddTrustStoreOption(keyName, vhost.AbsolutePath(NotationDirName, LocalKeysDirName, keyName+".crt")), - AddTrustPolicyOption("generate_test_trustpolicy.json", false), - ).Exec("verify", artifact.ReferenceWithTag()). - MatchKeyWords(VerifySuccessfully) }) }) 
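Review bot: After this hunk the "with specific key" test asserts only `SignSuccessfully`; the removed `OldNotation(...)` block was the only check that the signature was produced by `keyName` rather than by the default key. A sign command that silently ignored `--key` would now pass. I would restore a verify step that trusts only the generated certificate, configured as the removed lines were with the trust store entry for `keyName+".crt"` and `generate_test_trustpolicy.json`, run with whichever client can discover the signature under the new default. The hunk begins on an earlier line and the `Describe` block continues past it.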
@@ -180,7 +119,7 @@ var _ = Describe("notation sign", func() { notation.Exec("sign", "--expiry", "24h", artifact.ReferenceWithDigest()). MatchKeyWords(SignSuccessfully) - OldNotation().Exec("verify", artifact.ReferenceWithTag()). + notation.Exec("verify", artifact.ReferenceWithTag()). MatchKeyWords(VerifySuccessfully) }) }) @@ -193,7 +132,7 @@ var _ = Describe("notation sign", func() { // sleep to wait for expiry time.Sleep(2100 * time.Millisecond) - OldNotation().ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). + notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v"). MatchErrKeyWords("expiry validation failed."). MatchErrKeyWords("signature verification failed for all the signatures") }) @@ -242,7 +181,7 @@ var _ = Describe("notation sign", func() { MatchErrKeyWords(HTTPSRequest). NoMatchErrKeyWords(HTTPRequest) - OldNotation().Exec("verify", artifact.DomainReferenceWithDigest()). + notation.Exec("verify", artifact.DomainReferenceWithDigest()). MatchKeyWords(VerifySuccessfully) }) }) @@ -254,7 +193,7 @@ var _ = Describe("notation sign", func() { MatchErrKeyWords(HTTPRequest). NoMatchErrKeyWords(HTTPSRequest) - OldNotation().Exec("verify", artifact.DomainReferenceWithDigest()). + notation.Exec("verify", artifact.DomainReferenceWithDigest()). MatchKeyWords(VerifySuccessfully) }) }) diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go index 9ab8d29d0..2dd862bbc 100644 --- a/test/e2e/suite/command/verify.go +++ b/test/e2e/suite/command/verify.go 
@@ -84,40 +84,6 @@ var _ = Describe("notation verify", func() { }) }) - It("sign with --allow-referrers-api set", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(VerifySuccessfully) - }) - }) - - It("sign with --allow-referrers-api set to false", func() { - Host(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) { - notation.Exec("sign", "--allow-referrers-api=false", artifact.ReferenceWithDigest()). - MatchKeyWords(SignSuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "-v"). - MatchKeyWords(VerifySuccessfully) - - notation.Exec("verify", artifact.ReferenceWithDigest(), "--allow-referrers-api", "-v"). - MatchErrKeyWords( - "Warning: This feature is experimental and may not be fully tested or completed and may be deprecated.", - "Warning: flag '--allow-referrers-api' is deprecated and will be removed in future versions.", - ). - MatchKeyWords(VerifySuccessfully) - }) - }) - It("by digest with oci layout", func() { HostWithOCILayout(BaseOptionsWithExperimental(), func(notation *utils.ExecOpts, ociLayout *OCILayout, vhost *utils.VirtualHost) { notation.Exec("sign", "--oci-layout", ociLayout.ReferenceWithDigest()). diff --git a/test/e2e/suite/plugin/sign.go b/test/e2e/suite/plugin/sign.go index 2f6eea071..b95e8fe5c 100644 --- a/test/e2e/suite/plugin/sign.go 
+++ b/test/e2e/suite/plugin/sign.go @@ -50,7 +50,7 @@ var _ = Describe("notation plugin sign", func() { ). MatchKeyWords(SignSuccessfully) - OldNotation().Exec("verify", artifact.ReferenceWithDigest()). + notation.Exec("verify", artifact.ReferenceWithDigest()). MatchKeyWords(VerifySuccessfully) }) }) @@ -72,7 +72,7 @@ var _ = Describe("notation plugin sign", func() { ). MatchKeyWords(SignSuccessfully) - OldNotation().Exec("verify", artifact.ReferenceWithDigest()). + notation.Exec("verify", artifact.ReferenceWithDigest()). MatchKeyWords(VerifySuccessfully) }) }) @@ -93,7 +93,7 @@ var _ = Describe("notation plugin sign", func() { ). MatchKeyWords(SignSuccessfully) - OldNotation().Exec("verify", artifact.ReferenceWithDigest()). + notation.Exec("verify", artifact.ReferenceWithDigest()). MatchKeyWords(VerifySuccessfully) }) }) @@ -114,7 +114,7 @@ var _ = Describe("notation plugin sign", func() { ). MatchKeyWords(SignSuccessfully) - OldNotation().Exec("verify", artifact.ReferenceWithDigest()). + notation.Exec("verify", artifact.ReferenceWithDigest()). MatchKeyWords(VerifySuccessfully) }) })