From d9a44b5901e9f714ecf5848a42085cdab9f98dfe Mon Sep 17 00:00:00 2001
From: Yi Zha
Date: Tue, 19 Mar 2024 01:52:39 +0800
Subject: [PATCH 1/4] chore: add GitHub action for stale issues and PRs (#365)
This PR enables the `notation-go` repo to run stale action at 1:30 every day to label or close stale PRs and issues. See guideline https://github.com/marketplace/actions/close-stale-issues This is the definition for stale PRs or issues that we discussed during community call and to be updated in [contributing PR](https://github.com/notaryproject/.github/pull/25). "A stale issue is one that remains inactive or without updates for a period of 60 days. A stale pull request (PR) is one that remains inactive or without updates for a period of 45 days. When an issue or PR becomes stale, it is labelled as `stale`. Normally maintainers will comment on stale issues or PRs to prompt participants to take action. If there is no activity for additional 30 days, this issue or PR will be closed. If an update/comment occur on stale issues or pull requests, the stale label will be removed, and the timer will restart"
Signed-off-by: Yi Zha
---
 .github/workflows/stale.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/stale.yml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 00000000..7964fdd8
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,33 @@
+# Copyright The Notary Project Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Close stale issues and PRs"
+on:
+ schedule:
+ - cron: "30 1 * * *"
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/stale@v8
+ with:
+ stale-issue-message: "This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days."
+ stale-pr-message: "This PR is stale because it has been opened for 45 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days."
+ close-issue-message: "Issue closed due to no activity in the past 30 days."
+ close-pr-message: "PR closed due to no activity in the past 30 days."
+ days-before-issue-stale: 60
+ days-before-pr-stale: 45
+ days-before-issue-close: 30
+ days-before-pr-close: 30
+ exempt-all-milestones: true
From 85df75983687e9b8e414015cd5624cd958535a38 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Mar 2024 17:55:42 +0000
Subject: [PATCH 2/4] build(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 (#389)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 891f89f5..9ef6ff96 100644
--- a/go.mod
+++ b/go.mod
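Review bot: The workflow declares no `permissions:` block, so the `stale` job runs with whatever the repository's default GITHUB_TOKEN grants rather than the minimum it needs to label and close issues; add `permissions:` with `issues: write` and `pull-requests: write` at the workflow or job level so the job is explicit about its scopes and still works if the repository default is read-only. The action is also pulled by the mutable tag `actions/stale@v8`; pinning to the full commit SHA with the tag kept in a trailing comment gives a reproducible, verifiable dependency that Dependabot can still bump. Both are conventional hardening for a scheduled workflow that writes to the repository.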
@@ -9,7 +9,7 @@ require (
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
 github.com/veraison/go-cose v1.1.0
- golang.org/x/crypto v0.20.0
+ golang.org/x/crypto v0.21.0
 golang.org/x/mod v0.15.0
 oras.land/oras-go/v2 v2.4.0
 )
diff --git a/go.sum b/go.sum
index b43532c1..61d1fc28 100644
--- a/go.sum
+++ b/go.sum
@@ -38,8 +38,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
-golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
From e686d8b995a987786b0de8506c3046d943ceb0f7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 21 Mar 2024 17:04:45 +0000
Subject: [PATCH 3/4] build(deps): bump golang.org/x/mod from 0.15.0 to 0.16.0 (#388)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 9ef6ff96..ecb4bd05 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/opencontainers/image-spec v1.1.0
 github.com/veraison/go-cose v1.1.0
 golang.org/x/crypto v0.21.0
- golang.org/x/mod v0.15.0
+ golang.org/x/mod v0.16.0
 oras.land/oras-go/v2 v2.4.0
 )
diff --git a/go.sum b/go.sum
index 61d1fc28..62b45020 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
-golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
+golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
From b8136e2c8045e1544996962260412fb8161ff7fc Mon Sep 17 00:00:00 2001
From: Pritesh Bandi
Date: Thu, 21 Mar 2024 12:40:21 -0700
Subject: [PATCH 4/4] fix: Add contract version to plugin sign request and plugin verify request (#390)
Add contract version to plugin sign request and plugin verify request. As per [specification](https://github.com/notaryproject/specifications/blob/main/specs/plugin-extensibility.md) `contractVersion` is a mandatory field.
Signed-off-by: Pritesh Bandi
---
 signer/plugin.go | 17 ++++++++++-------
 verifier/verifier.go | 7 ++++---
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/signer/plugin.go b/signer/plugin.go
index d0c96e6b..37bb352d 100644
--- a/signer/plugin.go
+++ b/signer/plugin.go
@@ -180,6 +180,7 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
 }
 // Execute plugin sign command.
 req := &plugin.GenerateEnvelopeRequest{
+ ContractVersion: plugin.ContractVersion,
 KeyID: s.keyID,
 Payload: payloadBytes,
 SignatureEnvelopeType: opts.SignatureMediaType,
@@ -247,8 +248,9 @@ func (s *PluginSigner) mergeConfig(config map[string]string) map[string]string {

 func (s *PluginSigner) describeKey(ctx context.Context, config map[string]string) (*plugin.DescribeKeyResponse, error) {
 req := &plugin.DescribeKeyRequest{
- KeyID: s.keyID,
- PluginConfig: config,
+ ContractVersion: plugin.ContractVersion,
+ KeyID: s.keyID,
+ PluginConfig: config,
 }
 resp, err := s.plugin.DescribeKey(ctx, req)
 if err != nil {
@@ -344,11 +346,12 @@ func (s *pluginPrimitiveSigner) Sign(payload []byte) ([]byte, []*x509.Certificat
 }

 req := &plugin.GenerateSignatureRequest{
- KeyID: s.keyID,
- KeySpec: keySpec,
- Hash: keySpecHash,
- Payload: payload,
- PluginConfig: s.pluginConfig,
+ ContractVersion: plugin.ContractVersion,
+ KeyID: s.keyID,
+ KeySpec: keySpec,
+ Hash: keySpecHash,
+ Payload: payload,
+ PluginConfig: s.pluginConfig,
 }

 resp, err := s.plugin.GenerateSignature(s.ctx, req)
diff --git a/verifier/verifier.go b/verifier/verifier.go
index 81fe30f8..e6436050 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -681,9 +681,10 @@ func executePlugin(ctx context.Context, installedPlugin pluginframework.VerifyPl
 }

 req := &pluginframework.VerifySignatureRequest{
- Signature: signature,
- TrustPolicy: policy,
- PluginConfig: pluginConfig,
+ ContractVersion: pluginframework.ContractVersion,
+ Signature: signature,
+ TrustPolicy: policy,
+ PluginConfig: pluginConfig,
 }
 return installedPlugin.VerifySignature(ctx, req)
 }
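Review bot: `ContractVersion` is now populated by hand at four separate request construction sites (`GenerateEnvelopeRequest` in this hunk, `DescribeKeyRequest` and `GenerateSignatureRequest` in the two later hunks of signer/plugin.go, and `VerifySignatureRequest` in verifier/verifier.go), yet the diffstat lists only the two production files, so nothing asserts that every request handed to a plugin carries the field. Since the description says the spec makes `contractVersion` mandatory, a plugin that enforces it could presumably reject an incomplete request, so a mock-plugin test that checks `req.ContractVersion == plugin.ContractVersion` for each request type is cheap insurance and would catch the next construction site added without it. Each enclosing function (`generateSignatureEnvelope`, `describeKey`, `Sign`, `executePlugin`) starts and ends outside its hunk, so whether any of them also validates the plugin's advertised contract version cannot be seen here.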