notaryproject · shizhMSFT · Nov 9, 2022 · Nov 8, 2022 · Nov 8, 2022 · Nov 8, 2022
@@ -6,18 +6,17 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.4
 	github.com/notaryproject/notation-core-go v0.2.0-beta.1
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.2
+	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/oras-project/artifacts-spec v1.0.0-rc.2
 	github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83
-	oras.land/oras-go/v2 v2.0.0-rc.3
+	oras.land/oras-go/v2 v2.0.0-rc.4
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
 	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
-	github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect

@@ -1,7 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU=
 github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
 github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
@@ -12,12 +12,10 @@ github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQA
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/notaryproject/notation-core-go v0.2.0-beta.1 h1:8tFxNycWCcPLti9ZYST5kjkX2wMXtX9YPvMjiBAQ1tA=
 github.com/notaryproject/notation-core-go v0.2.0-beta.1/go.mod h1:s8DZptmN1rZS0tBLTPt/w+d4o6eAcGWTYYJlXaJhQ4U=
-github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU=
-github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
-github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034=
+github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
 github.com/oras-project/artifacts-spec v1.0.0-rc.2 h1:9SMCNSxkJEHqWGDiMCuy6TXHgvjgwXGdXZZGXLKQvVE=
 github.com/oras-project/artifacts-spec v1.0.0-rc.2/go.mod h1:Xch2aLzSwtkhbFFN6LUzTfLtukYvMMdXJ4oZ8O7BOdc=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -43,5 +41,5 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-oras.land/oras-go/v2 v2.0.0-rc.3 h1:O4GeIwJ9Ge7rbCkqa/M7DLrL55ww+ZEc+Rhc63OYitU=
-oras.land/oras-go/v2 v2.0.0-rc.3/go.mod h1:PrY+cCglzK/DrQoJUtxbYVbL94ZHecVS3eJR01RglpE=
+oras.land/oras-go/v2 v2.0.0-rc.4 h1:hg/R2znUQ1+qd43gRmL16VeX1GIZ8hQlLalBjYhhKSk=
+oras.land/oras-go/v2 v2.0.0-rc.4/go.mod h1:YGHvWBGuqRlZgUyXUIoKsR3lcuCOb3DAtG0SEsEw1iY=
@@ -6,9 +6,9 @@ import (
 
 	"github.com/notaryproject/notation-core-go/signature"
 	"github.com/notaryproject/notation-go"
+	"github.com/notaryproject/notation-go/internal/registry"
 	"github.com/notaryproject/notation-go/plugin"
 	"github.com/notaryproject/notation-go/plugin/manager"
-	"github.com/notaryproject/notation-go/registry"
 	"github.com/opencontainers/go-digest"
 )
 

@@ -0,0 +1,28 @@
+package registry
+
+import (
+	"context"
+
+	"github.com/notaryproject/notation-go"
+	"github.com/opencontainers/go-digest"
+)
+
+// SignatureRepository provides a storage for signatures
+type SignatureRepository interface {
+	// ListSignatureManifests returns all signature manifests given the manifest digest
+	ListSignatureManifests(ctx context.Context, manifestDigest digest.Digest) ([]SignatureManifest, error)
+
+	// GetBlob downloads the content of the specified digest's Blob
+	GetBlob(ctx context.Context, digest digest.Digest) ([]byte, error)
+
+	// PutSignatureManifest creates and uploads an signature artifact linking the manifest and the signature
+	PutSignatureManifest(ctx context.Context, signature []byte, signatureMediaType string, manifest notation.Descriptor, annotations map[string]string) (notation.Descriptor, SignatureManifest, error)
+}
+
+// Repository provides functions for verification and signing workflows
+type Repository interface {
+	SignatureRepository
+
+	// Resolve resolves a reference(tag or digest) to a manifest descriptor
+	Resolve(ctx context.Context, reference string) (notation.Descriptor, error)
+}
@@ -0,0 +1,4 @@
+package registry
+
+// ArtifactTypeNotation specifies the artifact type for a notation object.
+const ArtifactTypeNotation = "application/vnd.cncf.notary.v2.signature"
@@ -0,0 +1,190 @@
+package registry
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/notaryproject/notation-go"
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
+	"oras.land/oras-go/v2"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote"
+)
+
+const (
+	maxBlobSizeLimit     = 32 * 1024 * 1024 // 32 MiB
+	maxManifestSizeLimit = 4 * 1024 * 1024  // 4 MiB
+)
+
+type RepositoryClient struct {
+	remote.Repository
+}
+
+type SignatureManifest struct {
+	Blob        notation.Descriptor
+	Annotations map[string]string
+}
+
+// NewRepositoryClient creates a new registry client.
+func NewRepositoryClient(client remote.Client, ref registry.Reference, plainHTTP bool) *RepositoryClient {
+	return &RepositoryClient{
+		Repository: remote.Repository{
+			Client:    client,
+			Reference: ref,
+			PlainHTTP: plainHTTP,
+		},
+	}
+}
+
+// Resolve resolves a reference(tag or digest) to a manifest descriptor
+func (c *RepositoryClient) Resolve(ctx context.Context, reference string) (notation.Descriptor, error) {
+	desc, err := c.Repository.Resolve(ctx, reference)
+	if err != nil {
+		return notation.Descriptor{}, err
+	}
+	return notationDescriptorFromOCI(desc), nil
+}
+
+// ListSignatureManifests returns all signature manifests given the manifest digest
+func (c *RepositoryClient) ListSignatureManifests(ctx context.Context, manifestDigest digest.Digest) ([]SignatureManifest, error) {
+	var signatureManifests []SignatureManifest
+	if err := c.Repository.Referrers(ctx, ocispec.Descriptor{
+		Digest: manifestDigest,
+	}, ArtifactTypeNotation, func(referrers []ocispec.Descriptor) error {
+		for _, desc := range referrers {
+			if desc.MediaType != artifactspec.MediaTypeArtifactManifest {
+				continue
+			}
+			artifact, err := c.getArtifactManifest(ctx, desc.Digest)
+			if err != nil {
+				return fmt.Errorf("failed to fetch manifest: %v: %v", desc.Digest, err)
+			}
+			if len(artifact.Blobs) == 0 {
+				continue
+			}
+			signatureManifests = append(signatureManifests, SignatureManifest{
+				Blob:        notationDescriptorFromArtifact(artifact.Blobs[0]),
+				Annotations: artifact.Annotations,
+			})
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return signatureManifests, nil
+}
+
+// GetBlob downloads the content of the specified digest's Blob
+func (c *RepositoryClient) GetBlob(ctx context.Context, digest digest.Digest) ([]byte, error) {
+	desc, err := c.Repository.Blobs().Resolve(ctx, digest.String())
+	if err != nil {
+		return nil, err
+	}
+	if desc.Size > maxBlobSizeLimit {
+		return nil, fmt.Errorf("signature blob too large: %d", desc.Size)
+	}
+	return content.FetchAll(ctx, c.Repository.Blobs(), desc)
+}
+
+// PutSignatureManifest creates and uploads an signature artifact linking the manifest and the signature
+func (c *RepositoryClient) PutSignatureManifest(ctx context.Context, signature []byte, signatureMediaType string, subjectManifest notation.Descriptor, annotations map[string]string) (notation.Descriptor, SignatureManifest, error) {
+	signatureDesc, err := c.uploadSignature(ctx, signature, signatureMediaType)
+	if err != nil {
+		return notation.Descriptor{}, SignatureManifest{}, err
+	}
+
+	manifestDesc, err := c.uploadSignatureManifest(ctx, ociDescriptorFromNotation(subjectManifest), signatureDesc, annotations)
+	if err != nil {
+		return notation.Descriptor{}, SignatureManifest{}, err
+	}
+
+	signatureManifest := SignatureManifest{
+		Blob:        notationDescriptorFromOCI(signatureDesc),
+		Annotations: annotations,
+	}
+	return notationDescriptorFromOCI(manifestDesc), signatureManifest, nil
+}
+
+func (c *RepositoryClient) getArtifactManifest(ctx context.Context, manifestDigest digest.Digest) (artifactspec.Manifest, error) {
+	repo := c.Repository
+	repo.ManifestMediaTypes = []string{
+		artifactspec.MediaTypeArtifactManifest,
+	}
+	store := repo.Manifests()
+	desc, err := store.Resolve(ctx, manifestDigest.String())
+	if err != nil {
+		return artifactspec.Manifest{}, err
+	}
+	if desc.Size > maxManifestSizeLimit {
+		return artifactspec.Manifest{}, fmt.Errorf("manifest too large: %d", desc.Size)
+	}
+	manifestJSON, err := content.FetchAll(ctx, store, desc)
+	if err != nil {
+		return artifactspec.Manifest{}, err
+	}
+
+	var manifest artifactspec.Manifest
+	err = json.Unmarshal(manifestJSON, &manifest)
+	if err != nil {
+		return artifactspec.Manifest{}, err
+	}
+	return manifest, nil
+}
+
+// uploadSignature uploads the signature to the registry
+func (c *RepositoryClient) uploadSignature(ctx context.Context, signature []byte, signatureMediaType string) (ocispec.Descriptor, error) {
+	desc := ocispec.Descriptor{
+		MediaType: signatureMediaType,
+		Digest:    digest.FromBytes(signature),
+		Size:      int64(len(signature)),
+	}
+	if err := c.Repository.Blobs().Push(ctx, desc, bytes.NewReader(signature)); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	return desc, nil
+}
+
+// uploadSignatureManifest uploads the signature manifest to the registry
+func (c *RepositoryClient) uploadSignatureManifest(ctx context.Context, subjectManifest, signatureDesc ocispec.Descriptor, annotations map[string]string) (ocispec.Descriptor, error) {
+	opts := oras.PackOptions{
+		Subject:             &subjectManifest,
+		ManifestAnnotations: annotations,
+	}
+
+	return oras.Pack(
+		ctx,
+		c.Repository.Manifests(),
+		ArtifactTypeNotation,
+		[]ocispec.Descriptor{signatureDesc},
+		opts,
+	)
+}
+
+func ociDescriptorFromNotation(desc notation.Descriptor) ocispec.Descriptor {
+	return ocispec.Descriptor{
+		MediaType: desc.MediaType,
+		Digest:    desc.Digest,
+		Size:      desc.Size,
+	}
+}
+
+func notationDescriptorFromArtifact(desc artifactspec.Descriptor) notation.Descriptor {
+	return notation.Descriptor{
+		MediaType: desc.MediaType,
+		Digest:    desc.Digest,
+		Size:      desc.Size,
+	}
+}
+
+func notationDescriptorFromOCI(desc ocispec.Descriptor) notation.Descriptor {
+	return notation.Descriptor{
+		MediaType: desc.MediaType,
+		Digest:    desc.Digest,
+		Size:      desc.Size,
+	}
+}
@@ -1,28 +1,24 @@
+// Package registry provides Repository for remote signing and verification
 package registry
 
 import (
 	"context"
 
-	"github.com/notaryproject/notation-go"
-	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
-// SignatureRepository provides a storage for signatures
-type SignatureRepository interface {
-	// ListSignatureManifests returns all signature manifests given the manifest digest
-	ListSignatureManifests(ctx context.Context, manifestDigest digest.Digest) ([]SignatureManifest, error)
-
-	// GetBlob downloads the content of the specified digest's Blob
-	GetBlob(ctx context.Context, digest digest.Digest) ([]byte, error)
-
-	// PutSignatureManifest creates and uploads an signature artifact linking the manifest and the signature
-	PutSignatureManifest(ctx context.Context, signature []byte, signatureMediaType string, manifest notation.Descriptor, annotations map[string]string) (notation.Descriptor, SignatureManifest, error)
-}
-
-// Repository provides functions for verification and signing workflows
+// Repository provides registry functionalities for remote signing and
+// verification.
 type Repository interface {
-	SignatureRepository
-
 	// Resolve resolves a reference(tag or digest) to a manifest descriptor
-	Resolve(ctx context.Context, reference string) (notation.Descriptor, error)
+	Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error)
+	// ListSignatures returns signature manifests filtered by fn given the
+	// artifact manifest descriptor
+	ListSignatures(ctx context.Context, desc ocispec.Descriptor, fn func(signatureManifests []ocispec.Descriptor) error) error
+	// FetchSignatureBlob returns signature envelope blob and descriptor given
+	// signature manifest descriptor
+	FetchSignatureBlob(ctx context.Context, desc ocispec.Descriptor) ([]byte, ocispec.Descriptor, error)
+	// PushSignature creates and uploads an signature manifest along with its
+	// linked signature envelope blob.
+	PushSignature(ctx context.Context, blob []byte, mediaType string, subject ocispec.Descriptor, annotations map[string]string) (blobDesc, manifestDesc ocispec.Descriptor, err error)
 }