diff --git a/notation.go b/notation.go
index 284ec775..f87f2a9b 100644
--- a/notation.go
+++ b/notation.go
@@ -159,6 +159,7 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts
 if err != nil {
 return ocispec.Descriptor{}, fmt.Errorf("failed to resolve reference: %w", err)
 }
+
 // artifactRef is a tag or a digest, if it's a digest it has to match
 // the resolved digest
 if artifactRef != targetDesc.Digest.String() {
@@ -166,6 +167,7 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts
 // artifactRef is a digest, but does not match the resolved digest
 return ocispec.Descriptor{}, fmt.Errorf("user input digest %s does not match the resolved digest %s", artifactRef, targetDesc.Digest.String())
 }
+
 // artifactRef is a tag
 logger.Warnf("Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed", artifactRef)
 logger.Infof("Resolved artifact tag `%s` to digest `%v` before signing", artifactRef, targetDesc.Digest)
@@ -178,11 +180,11 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts
 if err != nil {
 return ocispec.Descriptor{}, err
 }
+
 var pluginAnnotations map[string]string
 if signerAnts, ok := signer.(signerAnnotation); ok {
 pluginAnnotations = signerAnts.PluginAnnotations()
 }
-
 logger.Debug("Generating annotation")
 annotations, err := generateAnnotations(signerInfo, pluginAnnotations)
 if err != nil {
@@ -193,13 +195,13 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts
 _, _, err = repo.PushSignature(ctx, signOpts.SignatureMediaType, sig, targetDesc, annotations)
 if err != nil {
 var referrerError *remote.ReferrersError
+
 // do not log an error for failing to delete referral index
 if !errors.As(err, &referrerError) || !referrerError.IsReferrersIndexDelete() {
 logger.Error("Failed to push the signature")
 }
 return ocispec.Descriptor{}, ErrorPushSignatureFailed{Msg: err.Error()}
 }
-
 return targetDesc, nil
 }
 
@@ -210,15 +212,12 @@ func SignBlob(ctx context.Context, signer BlobSigner, blobReader io.Reader, sign
 if err := validateSignArguments(signer, signBlobOpts.SignerSignOptions); err != nil {
 return nil, nil, err
 }
-
 if blobReader == nil {
 return nil, nil, errors.New("blobReader cannot be nil")
 }
-
 if signBlobOpts.ContentMediaType == "" {
 return nil, nil, errors.New("content media-type cannot be empty")
 }
-
 if err := validateContentMediaType(signBlobOpts.ContentMediaType); err != nil {
 return nil, nil, err
 }
@@ -243,33 +242,26 @@ func validateSignArguments(signer any, signOpts SignerSignOptions) error {
 if err := validateSigMediaType(signOpts.SignatureMediaType); err != nil {
 return err
 }
-
 return nil
 }
 
 func addUserMetadataToDescriptor(ctx context.Context, desc ocispec.Descriptor, userMetadata map[string]string) (ocispec.Descriptor, error) {
 logger := log.GetLogger(ctx)
-
 if desc.Annotations == nil && len(userMetadata) > 0 {
 desc.Annotations = map[string]string{}
 }
-
 for k, v := range userMetadata {
 logger.Debugf("Adding metadata %v=%v to annotations", k, v)
-
 for _, reservedPrefix := range reservedAnnotationPrefixes {
 if strings.HasPrefix(k, reservedPrefix) {
 return desc, fmt.Errorf("error adding user metadata: metadata key %v has reserved prefix %v", k, reservedPrefix)
 }
 }
-
 if _, ok := desc.Annotations[k]; ok {
 return desc, fmt.Errorf("error adding user metadata: metadata key %v is already present in the target artifact", k)
 }
-
 desc.Annotations[k] = v
 }
-
 return desc, nil
 }
 
@@ -311,6 +303,7 @@ type VerificationOutcome struct {
 Error error
 }
 
+// UserMetadata returns the user metadata from the signature envelope.
 func (outcome *VerificationOutcome) UserMetadata() (map[string]string, error) {
 if outcome.EnvelopeContent == nil {
 return nil, errors.New("unable to find envelope content for verification outcome")
@@ -321,11 +314,9 @@ func (outcome *VerificationOutcome) UserMetadata() (map[string]string, error) {
 if err != nil {
 return nil, errors.New("failed to unmarshal the payload content in the signature blob to envelope.Payload")
 }
-
 if payload.TargetArtifact.Annotations == nil {
 return map[string]string{}, nil
 }
-
 return payload.TargetArtifact.Annotations, nil
 }
 
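Review bot: The new doc comment on `UserMetadata` in the `@@ -311` hunk is a good start but leaves out the two contract details a caller needs, both visible in this and the following hunk: it returns an error when `outcome.EnvelopeContent` is nil (and when the payload cannot be unmarshalled), and it returns an empty non-nil map rather than nil when the target artifact carries no annotations. I would extend the comment to `// UserMetadata returns the user metadata from the signature envelope. It returns an empty map when the signed artifact has no annotations and an error when the outcome has no envelope content or its payload cannot be decoded.` The middle of the method body lies between the two hunks, so the exact unmarshal site is not visible here.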
@@ -382,7 +373,7 @@ type BlobVerifierVerifyOptions struct {
 type BlobVerifier interface {
 // VerifyBlob verifies the `signature` against the target blob using the
 // descriptor returned by descGenFunc parameter and
- // returns the outcome upon successful verification.
+ // returns the outcome upon successful verification.
 VerifyBlob(ctx context.Context, descGenFunc BlobDescriptorGenerator, signature []byte, opts BlobVerifierVerifyOptions) (*VerificationOutcome, error)
 }
 
@@ -428,23 +419,18 @@ func VerifyBlob(ctx context.Context, blobVerifier BlobVerifier, blobReader io.Re
 if blobVerifier == nil {
 return ocispec.Descriptor{}, nil, errors.New("blobVerifier cannot be nil")
 }
-
 if blobReader == nil {
 return ocispec.Descriptor{}, nil, errors.New("blobReader cannot be nil")
 }
-
 if len(signature) == 0 {
 return ocispec.Descriptor{}, nil, errors.New("signature cannot be nil or empty")
 }
-
 if err := validateContentMediaType(verifyBlobOpts.ContentMediaType); err != nil {
 return ocispec.Descriptor{}, nil, err
 }
-
 if err := validateSigMediaType(verifyBlobOpts.SignatureMediaType); err != nil {
 return ocispec.Descriptor{}, nil, err
 }
-
 getDescFunc := getDescriptorFunc(ctx, blobReader, verifyBlobOpts.ContentMediaType, verifyBlobOpts.UserMetadata)
 vo, err := blobVerifier.VerifyBlob(ctx, getDescFunc, signature, verifyBlobOpts.BlobVerifierVerifyOptions)
 if err != nil {
@@ -455,12 +441,11 @@ func VerifyBlob(ctx context.Context, blobVerifier BlobVerifier, blobReader io.Re
 if err = json.Unmarshal(vo.EnvelopeContent.Payload.Content, &desc); err != nil {
 return ocispec.Descriptor{}, nil, err
 }
-
 return desc, vo, nil
 }
 
 // Verify performs signature verification on each of the notation supported
-// verification types (like integrity, authenticity, etc.) and return the
+// verification types (like integrity, authenticity, etc.) and returns the
 // successful signature verification outcome.
 // For more details on signature verification, see
 // https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#signature-verification
@@ -484,7 +469,6 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
 PluginConfig: verifyOpts.PluginConfig,
 UserMetadata: verifyOpts.UserMetadata,
 }
-
 if skipChecker, ok := verifier.(verifySkipper); ok {
 logger.Info("Checking whether signature verification should be skipped or not")
 skip, verificationLevel, err := skipChecker.SkipVerify(ctx, opts)
@@ -558,6 +542,7 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
 }
 // at this point, the signature is verified successfully
 verificationSucceeded = true
+
 // on success, verificationOutcomes only contains the
 // succeeded outcome
 verificationOutcomes = []*VerificationOutcome{outcome}
@@ -566,14 +551,11 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
 // early break on success
 return errDoneVerification
 }
-
 if numOfSignatureProcessed >= verifyOpts.MaxSignatureAttempts {
 return errExceededMaxVerificationLimit
 }
-
 return nil
 })
-
 if err != nil && !errors.Is(err, errDoneVerification) {
 if errors.Is(err, errExceededMaxVerificationLimit) {
 return ocispec.Descriptor{}, verificationOutcomes, err
diff --git a/signer/plugin.go b/signer/plugin.go
index 1f2eeaa9..c4746da9 100644
--- a/signer/plugin.go
+++ b/signer/plugin.go
@@ -70,7 +70,6 @@ func NewPluginSigner(plugin plugin.SignPlugin, keyID string, pluginConfig map[st
 if keyID == "" {
 return nil, errors.New("keyID not specified")
 }
-
 return &PluginSigner{
 plugin: plugin,
 keyID: keyID,
@@ -88,20 +87,17 @@ func (s *PluginSigner) PluginAnnotations() map[string]string {
 func (s *PluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
 logger := log.GetLogger(ctx)
 mergedConfig := s.mergeConfig(opts.PluginConfig)
-
 logger.Debug("Invoking plugin's get-plugin-metadata command")
 metadata, err := s.plugin.GetMetadata(ctx, &plugin.GetMetadataRequest{PluginConfig: mergedConfig})
 if err != nil {
 return nil, nil, err
 }
-
 logger.Debugf("Using plugin %v with capabilities %v to sign oci artifact %v in signature media type %v", metadata.Name, metadata.Capabilities, desc.Digest, opts.SignatureMediaType)
 if metadata.HasCapability(plugin.CapabilitySignatureGenerator) {
 ks, err := s.getKeySpec(ctx, mergedConfig)
 if err != nil {
 return nil, nil, fmt.Errorf("failed to sign with the plugin %s: %w", metadata.Name, err)
 }
-
 sig, signerInfo, err := s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig)
 if err != nil {
 return nil, nil, fmt.Errorf("failed to sign with the plugin %s: %w", metadata.Name, err)
@@ -114,7 +110,6 @@ func (s *PluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts n
 }
 return sig, signerInfo, nil
 }
-
 return nil, nil, fmt.Errorf("plugin does not have signing capabilities")
 }
 
@@ -123,13 +118,11 @@ func (s *PluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts n
 func (s *PluginSigner) SignBlob(ctx context.Context, descGenFunc notation.BlobDescriptorGenerator, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
 logger := log.GetLogger(ctx)
 mergedConfig := s.mergeConfig(opts.PluginConfig)
-
 logger.Debug("Invoking plugin's get-plugin-metadata command")
 metadata, err := s.plugin.GetMetadata(ctx, &plugin.GetMetadataRequest{PluginConfig: mergedConfig})
 if err != nil {
 return nil, nil, err
 }
-
 logger.Debug("Invoking plugin's describe-key command")
 ks, err := s.getKeySpec(ctx, mergedConfig)
 if err != nil {
@@ -141,7 +134,6 @@ func (s *PluginSigner) SignBlob(ctx context.Context, descGenFunc notation.BlobDe
 if err != nil {
 return nil, nil, err
 }
-
 logger.Debugf("Using plugin %v with capabilities %v to sign blob using descriptor %+v", metadata.Name, metadata.Capabilities, desc)
 if metadata.HasCapability(plugin.CapabilitySignatureGenerator) {
 return s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig)
@@ -158,11 +150,9 @@ func (s *PluginSigner) getKeySpec(ctx context.Context, config map[string]string)
 if err != nil {
 return signature.KeySpec{}, err
 }
-
 if s.keyID != descKeyResp.KeyID {
 return signature.KeySpec{}, fmt.Errorf("keyID in describeKey response %q does not match request %q", descKeyResp.KeyID, s.keyID)
 }
-
 return proto.DecodeKeySpec(descKeyResp.KeySpec)
 }
 
@@ -178,7 +168,6 @@ func (s *PluginSigner) generateSignature(ctx context.Context, desc ocispec.Descr
 keySpec: ks,
 },
 }
-
 opts.SigningAgent = fmt.Sprintf("%s %s/%s", signingAgent, metadata.Name, metadata.Version)
 return genericSigner.Sign(ctx, desc, opts)
 }
@@ -191,6 +180,7 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
 if err != nil {
 return nil, nil, fmt.Errorf("envelope payload can't be marshalled: %w", err)
 }
+
 // Execute plugin sign command.
 req := &plugin.GenerateEnvelopeRequest{
 ContractVersion: plugin.ContractVersion,
@@ -213,13 +203,11 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
 resp.SignatureEnvelopeType, req.SignatureEnvelopeType,
 )
 }
-
 logger.Debug("Verifying signature envelope generated by the plugin")
 sigEnv, err := signature.ParseEnvelope(opts.SignatureMediaType, resp.SignatureEnvelope)
 if err != nil {
 return nil, nil, err
 }
-
 envContent, err := sigEnv.Verify()
 if err != nil {
 return nil, nil, fmt.Errorf("generated signature failed verification: %w", err)
@@ -227,31 +215,29 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
 if err := envelope.ValidatePayloadContentType(&envContent.Payload); err != nil {
 return nil, nil, err
 }
-
 content := envContent.Payload.Content
 var signedPayload envelope.Payload
 if err = json.Unmarshal(content, &signedPayload); err != nil {
 return nil, nil, fmt.Errorf("signed envelope payload can't be unmarshalled: %w", err)
 }
-
 if !isPayloadDescriptorValid(desc, signedPayload.TargetArtifact) {
 return nil, nil, fmt.Errorf("during signing descriptor subject has changed from %+v to %+v", desc, signedPayload.TargetArtifact)
 }
-
 if unknownAttributes := areUnknownAttributesAdded(content); len(unknownAttributes) != 0 {
 return nil, nil, fmt.Errorf("during signing, following unknown attributes were added to subject descriptor: %+q", unknownAttributes)
 }
-
 s.manifestAnnotations = resp.Annotations
 return resp.SignatureEnvelope, &envContent.SignerInfo, nil
 }
 
 func (s *PluginSigner) mergeConfig(config map[string]string) map[string]string {
 c := make(map[string]string, len(s.pluginConfig)+len(config))
+
 // First clone s.PluginConfig.
 for k, v := range s.pluginConfig {
 c[k] = v
 }
+
 // Then set or override entries from config.
 for k, v := range config {
 c[k] = v
@@ -269,7 +255,6 @@ func (s *PluginSigner) describeKey(ctx context.Context, config map[string]string
 if err != nil {
 return nil, err
 }
-
 return resp, nil
 }
 
@@ -279,6 +264,7 @@ func isDescriptorSubset(original, newDesc ocispec.Descriptor) bool {
 if !content.Equal(original, newDesc) {
 return false
 }
+
 // Plugins may append additional annotations but not replace/override
 // existing.
 for k, v := range original.Annotations {
@@ -296,6 +282,7 @@ func isPayloadDescriptorValid(originalDesc, newDesc ocispec.Descriptor) bool {
 
 func areUnknownAttributesAdded(content []byte) []string {
 var targetArtifactMap map[string]interface{}
+
 // Ignoring error because we already successfully unmarshalled before this
 // point
 _ = json.Unmarshal(content, &targetArtifactMap)
@@ -352,12 +339,10 @@ func (s *pluginPrimitiveSigner) Sign(payload []byte) ([]byte, []*x509.Certificat
 if err != nil {
 return nil, nil, err
 }
-
 keySpecHash, err := proto.HashAlgorithmFromKeySpec(s.keySpec)
 if err != nil {
 return nil, nil, err
 }
-
 req := &plugin.GenerateSignatureRequest{
 ContractVersion: plugin.ContractVersion,
 KeyID: s.keyID,
@@ -366,7 +351,6 @@ func (s *pluginPrimitiveSigner) Sign(payload []byte) ([]byte, []*x509.Certificat
 Payload: payload,
 PluginConfig: s.pluginConfig,
 }
-
 resp, err := s.plugin.GenerateSignature(s.ctx, req)
 if err != nil {
 return nil, nil, err
diff --git a/signer/signer.go b/signer/signer.go
index ad22ac7d..d1512adc 100644
--- a/signer/signer.go
+++ b/signer/signer.go
@@ -12,7 +12,7 @@
 // limitations under the License.
 
 // Package signer provides notation signing functionality. It implements the
-// [notation.Signer] and [notation.BlobSigner] interface by providing
+// [notation.Signer] and [notation.BlobSigner] interfaces by providing
 // builtinSigner for local signing and [PluginSigner] for remote signing.
 package signer
 
@@ -181,17 +181,14 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 func (s *GenericSigner) SignBlob(ctx context.Context, genDesc notation.BlobDescriptorGenerator, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
 logger := log.GetLogger(ctx)
 logger.Debugf("Generic blob signing for signature media type %s", opts.SignatureMediaType)
-
 ks, err := s.signer.KeySpec()
 if err != nil {
 return nil, nil, err
 }
-
 desc, err := getDescriptor(ks, genDesc)
 if err != nil {
 return nil, nil, err
 }
-
 return s.Sign(ctx, desc, opts)
 }
 
@@ -200,6 +197,5 @@ func getDescriptor(ks signature.KeySpec, genDesc notation.BlobDescriptorGenerato
 if !ok {
 return ocispec.Descriptor{}, fmt.Errorf("unknown hashing algo %v", ks.SignatureAlgorithm().Hash())
 }
-
 return genDesc(digestAlg)
 }
diff --git a/verifier/trustpolicy/blob.go b/verifier/trustpolicy/blob.go
index b316a022..3d6ea3d4 100644
--- a/verifier/trustpolicy/blob.go
+++ b/verifier/trustpolicy/blob.go
@@ -63,7 +63,7 @@ func LoadBlobDocument() (*BlobDocument, error) {
 
 // Validate validates a blob trust policy document according to its version's
 // rule set.
-// If any rule is violated, returns an error
+// If any rule is violated, returns an error.
 func (policyDoc *BlobDocument) Validate() error {
 // sanity check
 if policyDoc == nil {
@@ -72,7 +72,7 @@ func (policyDoc *BlobDocument) Validate() error {
 
 // Validate Version
 if policyDoc.Version == "" {
- return errors.New("blob trust policy has empty version, version must be specified")
+ return errors.New("blob trust policy document has empty version, version must be specified")
 }
 if !slices.Contains(supportedBlobPolicyVersions, policyDoc.Version) {
 return fmt.Errorf("blob trust policy document uses unsupported version %q", policyDoc.Version)
@@ -82,7 +82,6 @@ func (policyDoc *BlobDocument) Validate() error {
 if len(policyDoc.TrustPolicies) == 0 {
 return errors.New("blob trust policy document can not have zero trust policy statements")
 }
-
 policyNames := set.New[string]()
 var foundGlobalPolicy bool
 for _, statement := range policyDoc.TrustPolicies {
@@ -90,11 +89,9 @@ func (policyDoc *BlobDocument) Validate() error {
 if policyNames.Contains(statement.Name) {
 return fmt.Errorf("multiple blob trust policy statements use the same name %q, statement names must be unique", statement.Name)
 }
-
 if err := validatePolicyCore(statement.Name, statement.SignatureVerification, statement.TrustStores, statement.TrustedIdentities); err != nil {
 return fmt.Errorf("blob trust policy: %w", err)
 }
-
 if statement.GlobalPolicy {
 if foundGlobalPolicy {
 return errors.New("multiple blob trust policy statements have globalPolicy set to true. Only one trust policy statement can be marked as global policy")
@@ -104,12 +101,10 @@ func (policyDoc *BlobDocument) Validate() error {
 if reflect.DeepEqual(statement.SignatureVerification.VerificationLevel, LevelSkip) {
 return errors.New("global blob trust policy statement cannot have verification level set to skip")
 }
-
 foundGlobalPolicy = true
 }
 policyNames.Add(statement.Name)
 }
-
 return nil
 }
 
@@ -126,7 +121,6 @@ func (policyDoc *BlobDocument) GetApplicableTrustPolicy(policyName string) (*Blo
 return (&policyStatement).clone(), nil
 }
 }
-
 return nil, fmt.Errorf("no applicable blob trust policy with name %q", policyName)
 }
 
@@ -139,7 +133,6 @@ func (policyDoc *BlobDocument) GetGlobalTrustPolicy() (*BlobTrustPolicy, error)
 return (&policyStatement).clone(), nil
 }
 }
-
 return nil, fmt.Errorf("no global blob trust policy")
 }
 
diff --git a/verifier/trustpolicy/blob_test.go b/verifier/trustpolicy/blob_test.go
index 06ada681..9ceb9969 100644
--- a/verifier/trustpolicy/blob_test.go
+++ b/verifier/trustpolicy/blob_test.go
@@ -57,7 +57,7 @@ func TestValidate_BlobDocument_Error(t *testing.T) {
 policyDoc := dummyBlobPolicyDocument()
 policyDoc.Version = ""
 err = policyDoc.Validate()
- if err == nil || err.Error() != "blob trust policy has empty version, version must be specified" {
+ if err == nil || err.Error() != "blob trust policy document has empty version, version must be specified" {
 t.Fatalf("empty version should return error")
 }
 
diff --git a/verifier/trustpolicy/oci.go b/verifier/trustpolicy/oci.go
index 19a73f88..072c09dc 100644
--- a/verifier/trustpolicy/oci.go
+++ b/verifier/trustpolicy/oci.go
@@ -79,6 +79,7 @@ var supportedOCIPolicyVersions = []string{"1.0"}
 // dir.PathOCITrustPolicy will be read.
 func LoadOCIDocument() (*OCIDocument, error) {
 var doc OCIDocument
+
 // attempt to load the document from dir.PathOCITrustPolicy
 if err := getDocument(dir.PathOCITrustPolicy, &doc); err != nil {
 // if the document is not found at the first path, try the second path
@@ -88,6 +89,7 @@ func LoadOCIDocument() (*OCIDocument, error) {
 }
 return &doc, nil
 }
+
 // if an error occurred other than the document not found, return it
 return nil, err
 }
@@ -114,18 +116,15 @@ func (policyDoc *OCIDocument) Validate() error {
 if len(policyDoc.TrustPolicies) == 0 {
 return errors.New("oci trust policy document can not have zero trust policy statements")
 }
-
 policyNames := set.New[string]()
 for _, statement := range policyDoc.TrustPolicies {
 // Verify unique policy statement names across the policy document
 if policyNames.Contains(statement.Name) {
 return fmt.Errorf("multiple oci trust policy statements use the same name %q, statement names must be unique", statement.Name)
 }
-
 if err := validatePolicyCore(statement.Name, statement.SignatureVerification, statement.TrustStores, statement.TrustedIdentities); err != nil {
 return fmt.Errorf("oci trust policy: %w", err)
 }
-
 policyNames.Add(statement.Name)
 }
 
@@ -133,7 +132,6 @@ func (policyDoc *OCIDocument) Validate() error {
 if err := validateRegistryScopes(policyDoc); err != nil {
 return err
 }
-
 return nil
 }
 
@@ -158,7 +156,6 @@ func (policyDoc *OCIDocument) GetApplicableTrustPolicy(artifactReference string)
 applicablePolicy = (&policyStatement).clone()
 }
 }
-
 if applicablePolicy != nil {
 // a policy with exact match for registry scope takes precedence over
 // a wildcard (*) policy.
@@ -221,7 +218,6 @@ func getArtifactPathFromReference(artifactReference string) (string, error) {
 if i < 0 {
 return "", fmt.Errorf("artifact URI %q could not be parsed, make sure it is the fully qualified oci artifact URI without the scheme/protocol. e.g domain.com:80/my/repository@sha256:digest", artifactReference)
 }
-
 artifactPath := artifactReference[:i]
 if err := validateRegistryScopeFormat(artifactPath); err != nil {
 return "", err
@@ -245,12 +241,10 @@ func validateRegistryScopeFormat(scope string) error {
 if len(scope) > 1 && strings.Contains(scope, "*") {
 return fmt.Errorf(errorWildCardMessage, scope)
 }
-
 domain, repository, found := strings.Cut(scope, "/")
 if !found {
 return fmt.Errorf(errorMessage, scope)
 }
-
 if domain == "" || repository == "" || !domainRegexp.MatchString(domain) || !repositoryRegexp.MatchString(repository) {
 return fmt.Errorf(errorMessage, scope)
 }
diff --git a/verifier/trustpolicy/trustpolicy.go b/verifier/trustpolicy/trustpolicy.go
index 8a6ba841..60a9c54b 100644
--- a/verifier/trustpolicy/trustpolicy.go
+++ b/verifier/trustpolicy/trustpolicy.go
@@ -158,9 +158,9 @@ func (e errPolicyNotExist) Error() string {
 return fmt.Sprintf("trust policy is not present. To create a trust policy, see: %s", trustPolicyLink)
 }
 
-// GetVerificationLevel returns [VerificationLevel] struct for the given
-// [SignatureVerification] struct throws error if SignatureVerification is
-// invalid
+// GetVerificationLevel returns [VerificationLevel] for the given
+// [SignatureVerification] struct.
+// It throws error if SignatureVerification is invalid.
 func (signatureVerification *SignatureVerification) GetVerificationLevel() (*VerificationLevel, error) {
 if signatureVerification.VerificationLevel == "" {
 return nil, errors.New("signature verification level is empty or missing in the trust policy statement")
@@ -175,16 +175,13 @@ func (signatureVerification *SignatureVerification) GetVerificationLevel() (*Ver
 if baseLevel == nil {
 return nil, fmt.Errorf("invalid signature verification level %q", signatureVerification.VerificationLevel)
 }
-
 if len(signatureVerification.Override) == 0 {
 // nothing to override, return the base verification level
 return baseLevel, nil
 }
-
 if baseLevel == LevelSkip {
 return nil, fmt.Errorf("signature verification level %q can't be used to customize signature verification", baseLevel.Name)
 }
-
 customVerificationLevel := &VerificationLevel{
 Name: "custom",
 Enforcement: make(map[ValidationType]ValidationAction),
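Review bot: The rewritten doc comment on `GetVerificationLevel` in the `@@ -158` hunk still says the method "throws error", which is not how Go reports failure and does not match the `(*VerificationLevel, error)` signature directly below it. Since the commit is already rewording this comment, I would finish the job with `// It returns an error if SignatureVerification is invalid.` and drop "struct" from the first line so the comment reads as a sentence (`// GetVerificationLevel returns the [VerificationLevel] for the given [SignatureVerification].`). The method body continues past the end of the hunk, so the full set of error cases it reports is not visible here.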
@@ -219,13 +216,11 @@ func (signatureVerification *SignatureVerification) GetVerificationLevel() (*Ver
 if validationAction == "" {
 return nil, fmt.Errorf("verification action %q in custom signature verification is not supported, supported values are %q", value, ValidationActions)
 }
-
 if validationType == TypeIntegrity {
 return nil, fmt.Errorf("%q verification can not be overridden in custom signature verification", key)
 } else if validationType != TypeRevocation && validationAction == ActionSkip {
 return nil, fmt.Errorf("%q verification can not be skipped in custom signature verification", key)
 }
-
 customVerificationLevel.Enforcement[validationType] = validationAction
 }
 return customVerificationLevel, nil
@@ -245,12 +240,10 @@ func getDocument(path string, v any) error {
 }
 return err
 }
-
 mode := fileInfo.Mode()
 if mode.IsDir() || mode&fs.ModeSymlink != 0 {
 return fmt.Errorf("trust policy is not a regular file (symlinks are not supported). To create a trust policy, see: %s", trustPolicyLink)
 }
-
 jsonFile, err := os.Open(path)
 if err != nil {
 if errors.Is(err, os.ErrPermission) {
@@ -323,7 +316,6 @@ func validateTrustStore(policyName string, trustStores []string) error {
 return fmt.Errorf("trust policy statement %q uses an unsupported trust store name %q in trust store value %q. Named store name needs to follow [a-zA-Z0-9_.-]+ format", policyName, namedStore, trustStore)
 }
 }
-
 return nil
 }
 
@@ -342,7 +334,6 @@ func validateTrustedIdentities(policyName string, tis []string) error {
 if identity == "" {
 return fmt.Errorf("trust policy statement %q has an empty trusted identity", policyName)
 }
-
 if identity != trustpolicy.Wildcard {
 identityPrefix, identityValue, found := strings.Cut(identity, ":")
 if !found {
@@ -381,7 +372,6 @@ func validateOverlappingDNs(policyName string, parsedDNs []parsedDN) error {
 }
 }
 }
-
 return nil
 }
 
diff --git a/verifier/verifier.go b/verifier/verifier.go
index 2a85c953..b7aa49d1 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -105,7 +105,7 @@ func NewOCIVerifierFromConfig() (*verifier, error) {
 
 // NewBlobVerifierFromConfig returns a Blob verifier based on local file system
 func NewBlobVerifierFromConfig() (*verifier, error) {
- // load trust policy
+ // load blob trust policy
 policyDocument, err := trustpolicy.LoadBlobDocument()
 if err != nil {
 return nil, err