diff --git a/notation.go b/notation.go
index 967a790f..86fb6173 100644
--- a/notation.go
+++ b/notation.go
@@ -18,6 +18,7 @@ package notation
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/x509"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
@@ -62,8 +63,11 @@ type SignerSignOptions struct {
 	// SigningAgent sets the signing agent name
 	SigningAgent string
 
-	// TSA denotes the TSA server URL
+	// TSAServerURL denotes the TSA server URL
 	TSAServerURL string
+
+	// TSARootCertificate denotes the TSA trust anchor
+	TSARootCertificate *x509.Certificate
 }
 
 // Signer is a generic interface for signing an OCI artifact.
diff --git a/signer/signer.go b/signer/signer.go
index cc3728ed..53ad03c5 100644
--- a/signer/signer.go
+++ b/signer/signer.go
@@ -118,11 +118,12 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 			ContentType: envelope.MediaTypePayloadV1,
 			Content:     payloadBytes,
 		},
-		Signer:        s.signer,
-		SigningTime:   time.Now(),
-		SigningScheme: signature.SigningSchemeX509,
-		SigningAgent:  signingAgentId,
-		TSAServerURL:  opts.TSAServerURL,
+		Signer:             s.signer,
+		SigningTime:        time.Now(),
+		SigningScheme:      signature.SigningSchemeX509,
+		SigningAgent:       signingAgentId,
+		TSAServerURL:       opts.TSAServerURL,
+		TSARootCertificate: opts.TSARootCertificate,
 	}
 
 	// Add expiry only if ExpiryDuration is not zero
@@ -137,7 +138,6 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 	logger.Debugf(" SigningScheme: %v", signReq.SigningScheme)
 	logger.Debugf(" SigningAgent: %v", signReq.SigningAgent)
 	logger.Debugf(" TSAServerURL: %v", signReq.TSAServerURL)
-	logger.Debugf(" TSARootCertificate Subject: %v", signReq.TSARootCertificate.Subject)
 
 	// perform signing
 	sigEnv, err := signature.NewEnvelope(opts.SignatureMediaType)
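Review bot: The comment on the new TSARootCertificate field in SignerSignOptions says only that it "denotes the TSA trust anchor", which leaves a caller guessing whether the field is required whenever TSAServerURL is set, what a nil value means (hard failure, or a fallback to another root source), and that exactly one root certificate is accepted rather than a pool. Because this value is the anchor against which the timestamp token's signing chain is presumably validated, an unclear contract here is how a caller ends up timestamping against an unintended root. I would replace the comment with something like `// TSARootCertificate is the single root CA certificate used as the trust anchor for validating the timestamp authority's certificate chain. It is only meaningful together with TSAServerURL; whether a nil value with a non-empty TSAServerURL is rejected or falls back to other roots should be stated here once confirmed against the signer.` The "once confirmed" part is for the author, since the handling of a nil value is not visible in this diff.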
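Review bot: The composite literal in Sign forwards opts.TSARootCertificate into signReq without relating it to opts.TSAServerURL, so a caller that sets the TSA URL but leaves the root certificate nil is caught, if at all, only deeper in the signature library; the last hunk of this file shows why that matters, since the debug line it deletes dereferenced exactly that pointer. Unless the downstream package is known to reject the combination with a clear message, a guard before the literal keeps the failure local: `if opts.TSAServerURL != "" && opts.TSARootCertificate == nil {` followed by a return of an error such as `errors.New("TSARootCertificate is required when TSAServerURL is set")`, with the return value list matching Sign's signature, which starts before this hunk. If the root's subject is still useful in the debug output, the deleted Debugf line can be kept behind `if signReq.TSARootCertificate != nil { ... }` instead of being dropped. I cannot see whether errors or fmt is already imported in signer.go, so the error construction may need an import.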