feat: simplify signing experience#579
Conversation
Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com>
kody-kimberl
requested review from
JeyJeyGao,
NiazFK,
SteveLasker,
gokarnm,
justincormack,
patrickzheng200,
priteshbandi,
rgnote and
shizhMSFT
as code owners
internal/cmd/flags.go
Outdated
| fs.StringVar(p, PflagPlugin.Name, "", PflagPlugin.Usage) | ||
| } | ||
|
|
||
| PflagTimestamp = &pflag.Flag{ |
There was a problem hiding this comment.
nit: Can we please remove timestamp flag as we will not be supporting in rc3?
There was a problem hiding this comment.
@patrickzheng200 @shizhMSFT I didn't see timestamp flag in the command line. Is it the flag that we should have removed it earlier?
There was a problem hiding this comment.
This is a dead code not referenced anywhere.
Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com>
kody-kimberl
left a comment
kody-kimberl
left a comment
There was a problem hiding this comment.
New commit addresses above comments. Option checking has been moved to PreRunE, and timestamp pflag has been removed.
internal/cmd/signer.go
Outdated
| // Construct a signer from preconfigured key pair in config.json | ||
| // if key name is provided as the CLI argument | ||
| key, err := configutil.ResolveKey(opts.Key) | ||
|
|
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return signer.NewFromPlugin(plugin, opts.KeyID, map[string]string{}) |
There was a problem hiding this comment.
There is a pluginConfig in SignerFlagOpts
There was a problem hiding this comment.
I believe that pluginConfig is only in signOpts, not SignerFlagOpts.
There was a problem hiding this comment.
PluginConfig in NewFromPlugin is used only when we are reading keys which includes pluginConfig from singingkeys.json then this plugin config is then merged with pluginConfig passed via CLI in Sign and Verify operation to generate final pluginConfig.
There was a problem hiding this comment.
There is a --plugin-config flag for sign command
There was a problem hiding this comment.
Yes, it is one of the options passed to sign, but it doesn't get passed via the SignerFlagOpts. The pluginConfig that is used here is intended to be the one from the key, which is later merged with the values from the pluginConfig command line option you are speaking of. That's what Pritesh was referring to above.
There was a problem hiding this comment.
@priteshbandi This is what I mentioned earlier in the comments of the original issue. A user might get confused on where did the key.PluginConfig go? (Although programmatically it works exactly the same, users have to remember to add those configs in notation sign's pluginConfig now)
internal/cmd/signer.go
Outdated
| if opts.KeyID != "" && opts.PluginName != "" && opts.Key == "" { | ||
| // Construct a signer from on-demand key | ||
| mgr := plugin.NewCLIManager(dir.PluginFS()) | ||
| plugin, err := mgr.Get(context.Background(), opts.PluginName) |
There was a problem hiding this comment.
We should use the context generated in runSign() because it contains the logger.
There was a problem hiding this comment.
Also please update line 41 to use the context from runSign()
There was a problem hiding this comment.
Added ctx (the context from runSign) to the function in latest commit
cmd/notation/sign.go
Outdated
| if opts.KeyID != "" && opts.PluginName != "" { | ||
| if opts.Key == "" { | ||
| // Valid, use ondemand key | ||
| return nil | ||
| } else { | ||
| return errors.New("incompatible options, do not provide a key name when providing a key ID and plugin name") | ||
| } | ||
| } else if opts.KeyID == "" && opts.PluginName == "" { | ||
| // Valid, use preconfigured key | ||
| return nil | ||
| } else { | ||
| if opts.Key == "" { | ||
| return errors.New("incompatible options, both a key ID and plugin name are required when not using an existing key") | ||
| } else { | ||
| return errors.New("incompatible options, do not provide a key ID or plugin name when providing a key name") | ||
| } |
There was a problem hiding this comment.
Can we simplify the validation? In fact, we just need to check invalid cases.
There was a problem hiding this comment.
This is resolved by using Command.MarkFlagsMutuallyExclusive and Command.MarkFlagsRequiredTogether as recommended by @patrickzheng200
cmd/notation/sign.go
Outdated
| // Check if the options are valid for the key (Key is mutually exclusive with [KeyID, PluginName]) | ||
| if opts.KeyID != "" && opts.PluginName != "" { | ||
| if opts.Key == "" { | ||
| // Valid, use ondemand key | ||
| return nil | ||
| } else { | ||
| return errors.New("incompatible options, do not provide a key name when providing a key ID and plugin name") | ||
| } | ||
| } else if opts.KeyID == "" && opts.PluginName == "" { | ||
| // Valid, use preconfigured key | ||
| return nil | ||
| } else { | ||
| if opts.Key == "" { | ||
| return errors.New("incompatible options, both a key ID and plugin name are required when not using an existing key") | ||
| } else { | ||
| return errors.New("incompatible options, do not provide a key ID or plugin name when providing a key name") | ||
| } |
There was a problem hiding this comment.
Since we are using the Cobra library as our CLI tool: github.com/spf13/cobra
- For mutual exclusive flags, we could try to use: Command.MarkFlagsMutuallyExclusive.
- For "Required Together" flags such as
pluginandkey id, we could try to use: Command.MarkFlagsRequiredTogether.
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #579 +/- ##
==========================================
- Coverage 34.36% 34.03% -0.34%
==========================================
Files 32 32
Lines 1848 1866 +18
==========================================
Hits 635 635
- Misses 1192 1210 +18
Partials 21 21
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com>
kody-kimberl
left a comment
kody-kimberl
left a comment
There was a problem hiding this comment.
Latest commit addresses above comments. Some of the error messages have changed as a result of using Cobra's functions for validation (see below). I have also added unit testing for each of the below scenarios.
Successful sign/verify:
c889f3b9d811:notation kodysk$ ./bin/notation sign --plugin com.example.plugin --id example:test-id $IMAGE
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Successfully signed localhost:5000/net-monitor@sha256:07c30edca95116e23f6a150ba3f7ed296eca71021dba9d9569eb07820f8c0e7d
c889f3b9d811:notation kodysk$ ./bin/notation verify $IMAGE
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
Successfully verified signature for localhost:5000/net-monitor@sha256:07c30edca95116e23f6a150ba3f7ed296eca71021dba9d9569eb07820f8c0e7d
Error when providing only one of the options
c889f3b9d811:notation kodysk$ ./bin/notation sign --plugin com.example.plugin $IMAGE
Error: if any flags in the group [id plugin] are set they must all be set; missing [id]
c889f3b9d811:notation kodysk$ ./bin/notation sign --id example:test-id $IMAGE
Error: if any flags in the group [id plugin] are set they must all be set; missing [plugin]
Error when providing key with one of the other options
c889f3b9d811:notation kodysk$ ./bin/notation sign --plugin com.example.plugin --key my-key $IMAGE
Error: if any flags in the group [id plugin] are set they must all be set; missing [id]
c889f3b9d811:notation kodysk$ ./bin/notation sign --id example:test-id --key my-key $IMAGE
Error: if any flags in the group [id plugin] are set they must all be set; missing [plugin]
Error when providing key with both plugin and id:
c889f3b9d811:notation kodysk$ ./bin/notation sign --plugin com.example.plugin --id example:test-id --key my-key $IMAGE
Error: if any flags in the group [key id] are set none of the others can be; [id key] were all set
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return signer.NewFromPlugin(plugin, opts.KeyID, map[string]string{}) |
There was a problem hiding this comment.
PluginConfig in NewFromPlugin is used only when we are reading keys which includes pluginConfig from singingkeys.json then this plugin config is then merged with pluginConfig passed via CLI in Sign and Verify operation to generate final pluginConfig.
Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com>
Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com>
|
Hi @kody-kimberl @priteshbandi @JeyJeyGao @patrickzheng200 , It seems the CLI example was not added to the CLI help info. Just a kindly reminder, when we change CLI commands and flags, we need to add or update the CLI examples in notation/cmd accordingly. I will raise another PR to add it. |
This PR introduces a new option for users to sign using an on-demand key. Users are able to sign without needing to add a key first. This PR intends to address the following issue: notaryproject#537 based on spec changes in notaryproject#553 ``` c889f3b9d811:notation kodysk$ ./bin/notation sign --plugin com.example.plugin --id example:test-id $IMAGE Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed. Successfully signed localhost:5000/net-monitor@sha256:07c30edca95116e23f6a150ba3f7ed296eca71021dba9d9569eb07820f8c0e7d ``` Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com> Signed-off-by: Josh Duffney <jduffney@microsoft.com>
This PR introduces a new option for users to sign using an on-demand key. Users are able to sign without needing to add a key first. This PR intends to address the following issue: notaryproject#537 based on spec changes in notaryproject#553 ``` c889f3b9d811:notation kodysk$ ./bin/notation sign --plugin com.example.plugin --id example:test-id $IMAGE Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed. Successfully signed localhost:5000/net-monitor@sha256:07c30edca95116e23f6a150ba3f7ed296eca71021dba9d9569eb07820f8c0e7d ``` Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com>
This PR introduces a new option for users to sign using an on-demand key. Users are able to sign without needing to add a key first. This PR intends to address the following issue: notaryproject#537 based on spec changes in notaryproject#553 ``` c889f3b9d811:notation kodysk$ ./bin/notation sign --plugin com.example.plugin --id example:test-id $IMAGE Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed. Successfully signed localhost:5000/net-monitor@sha256:07c30edca95116e23f6a150ba3f7ed296eca71021dba9d9569eb07820f8c0e7d ``` Signed-off-by: Kody Kimberl <kody.kimberl.work@gmail.com>
7 participants
This PR introduces a new option for users to sign using an on-demand key. Users are able to sign without needing to add a key first
This PR intends to address the following issue: #537
Based on spec changes in #553
Successful sign/verify:
Error when providing only one of the options
Error when providing key with both plugin and id:
Error when providing key with one of the other options
Signed-off-by: Kody Kimberl kody.kimberl.work@gmail.com