# **Notation Inspect**

**Description**

Use the `notation inspect` command to inspect/describe all the signatures associated with a signed artifact/image in a human-readable format.

Upon successful execution, the digest of the signed artifact is displayed, along with the details of all the signatures associated with the artifact and their respective certificate properties, as follows:

```
<registry>/<repository>@<digest>
└── application/vnd.cncf.notary.signature
    ├──<digest_of_signature_manifest>
        ├──<signed attributes...>
        ├──<user-defined attributes...>
        ├──<unsigned attributes...>
        ├──<Cert Properties...>
        ├──<payload...>
    └──<digest_of_signature_manifest>
        ├──<signed attributes...>      // user-defined attributes do not exist in some signatures.
        ├──<unsigned attributes...>
        ├──<Cert Properties...>
        ├──<payload...>
```

**Use Case / Scenarios:**

1. Debugging to find the value of any attribute.
2. Auditing signatures / attributes.
3. If verification of the image digest / signature digest fails due to wrong certificate configuration, the user will execute the inspect command to extract the certificate thumbprint, a hash of a certificate that serves as a unique identifier for certificates.

**Outline**

Inspects an artifact and displays the details of all the listed signatures and the associated certificate properties.

```
Usage:
  notation inspect [flags] <reference>

Aliases:
  inspect

Flags:
  -h, --help               for describing the signature
  -p, --password string    password for registry operations (default to $NOTATION_PASSWORD if not specified)
      --plain-http         registry access via plain HTTP
  -u, --username string    username for registry operations (default to $NOTATION_USERNAME if not specified)
  -o, --output             on command line sets the output to json
```

# **Usage**

Display the details of all the listed signatures and the associated certificate properties of the signed container image.

### inspect an artifact stored in a registry

```
notation inspect <registry>/<repository>@<digest>
```

An example of a successful inspection:

```
$ notation inspect localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
```

### *An example output*:

**localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9**

└── application/vnd.cncf.notary.signature

**├── sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa**

```
├──"signed attributes": {
        "contentType": "application/vnd.cncf.notary.payload.v1+json",
        "signingScheme": "notary.default.x509",
        "signingTime": "2022-04-06T07:01:20Z",
        <"expiry": "2022-10-06T07:01:20Z",>
        <"verification plugin": "com.example.nv2plugin",>   // extended attributes used by Notary v2 to support plugins.
        ...
    }
    "user-defined attributes": {
        "io.wabbit-networks.buildId": "123"   // Notary v2 payload annotations are shown here as user-defined metadata.
        ...
    }
    "unsigned attributes": {
        "io.cncf.notary.timestampSignature": "<Base64(TimeStampToken)>",   // how the TSA response (time stamp token) is represented in this header.
        "io.cncf.notary.signingAgent": "notation/1.0.0"   // provides the identifier of the client (e.g. Notation) that produced the signature.
        ...
    }
    "Certificate Properties": {
        "SHA1 fingerprint": "2f1cc5b8455381cdefac83b4bd305b789cc9c16e"
    }
    "payload":   // descriptor of the target artifact manifest that is being signed.
    {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333",
        "size": 16724
    }
```

**└── sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb**

```
├──"signed attributes": {
        "contentType": "application/vnd.cncf.notary.payload.v1+json",
        "signingScheme": "notary.signingAuthority.x509",
        "authenticSigningTime": "2022-04-06T07:01:20Z",
        "expiry": "2022-10-06T07:01:20Z",
        <"verification plugin": "com.example.nv2plugin",>   // extended attributes used by Notary v2 to support plugins.
        ...
    }
    "unsigned attributes": {
        "io.cncf.notary.timestampSignature": "<Base64(TimeStampToken)>",   // how the TSA response (time stamp token) is represented in this header.
        "io.cncf.notary.signingAgent": "notation/1.0.0"   // provides the identifier of the client (e.g. Notation) that produced the signature.
        ...
    }
    "Certificate Properties": {
        "SHA1 Fingerprint": "2f1rr5b8455381frdajc83b4bd305b743cc9513u"
    }
    "payload":   // descriptor of the target artifact manifest that is being signed.
    {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333",
        "size": 16724
    }
```
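
An added example, not part of this spec or of the Notation project: a Python audit pass over the JSON form of the inspect output (`-o`) that flags expired signatures, certificates whose SHA1 fingerprint is not in a trusted set, and payload digests that differ from the inspected artifact. The page does not define the JSON layout, so the `reference`, `signatures` and `digest` keys are assumptions, and the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample. The JSON layout is assumed (the page shows only the tree
# view): hypothetical "reference"/"signatures"/"digest" keys, page attribute names.
SAMPLE = json.dumps({
    "reference": "localhost:5000/net-monitor@sha256:" + "1" * 64,
    "signatures": [
        {"digest": "sha256:" + "a" * 64,
         "signed attributes": {"signingScheme": "notary.default.x509",
                               "expiry": "2022-10-06T07:01:20Z"},
         "Certificate Properties": {"SHA1 fingerprint": "ab" * 20},
         "payload": {"digest": "sha256:" + "1" * 64}},
        {"digest": "sha256:" + "b" * 64,
         "signed attributes": {"signingScheme": "notary.signingAuthority.x509"},
         "Certificate Properties": {"SHA1 Fingerprint": "CD" * 20},
         "payload": {"digest": "sha256:" + "2" * 64}},
    ],
})
TS = "%Y-%m-%dT%H:%M:%SZ"  # timestamp form used in the page's examples


def audit(inspect_json, trusted_sha1, now):
    """Return {signature digest: [findings]} for one inspected artifact."""
    doc = json.loads(inspect_json)
    artifact_digest = doc["reference"].rsplit("@", 1)[1]
    trusted = {fp.lower() for fp in trusted_sha1}
    report = {}
    for sig in doc["signatures"]:
        findings = []
        expiry = sig.get("signed attributes", {}).get("expiry")  # optional
        if expiry and datetime.strptime(expiry, TS).replace(tzinfo=timezone.utc) <= now:
            findings.append("expired")
        # The page spells the fingerprint key in two cases; compare case-insensitively.
        props = {k.lower(): v for k, v in sig.get("Certificate Properties", {}).items()}
        if props.get("sha1 fingerprint", "").lower() not in trusted:
            findings.append("certificate not in trusted set")
        if sig.get("payload", {}).get("digest") != artifact_digest:
            findings.append("payload digest does not match artifact")
        report[sig["digest"]] = findings
    return report


if __name__ == "__main__":
    now = datetime(2023, 1, 1, tzinfo=timezone.utc)
    for digest, findings in audit(SAMPLE, {"ab" * 20}, now).items():
        print(digest[:15], findings or "ok")
```

A signature with no fingerprint at all is reported as untrusted rather than skipped, so a missing certificate property cannot pass the audit silently.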