➜ ./notation verify $IMAGE -d
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
INFO[2022-12-02T13:14:39+08:00] passing a nil signature to check 'skip' level
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]}
ERRO[2022-12-02T13:14:39+08:00] integrity validation failed. Failure reason: unable to parse the digital signature, error : signature envelope format with media type "" is not supported
INFO[2022-12-02T13:14:39+08:00] check over. not 'skip' level
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47"
DEBU[2022-12-02T13:14:39+08:00] Request method: "HEAD"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "200 OK"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47\""
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "942"
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/vnd.docker.distribution.manifest.v2+json"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] fetch signature manifest
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/referrers/sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47?artifactType=application%2Fvnd.cncf.notary.v2.signature"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "404 Not Found"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "text/plain; charset=utf-8"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "19"
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256-cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "200 OK"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "1308"
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/vnd.oci.image.index.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:490010607becd94467b45783303458b5b1533bcc17a813dbaf60a4f4aa96f582"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:490010607becd94467b45783303458b5b1533bcc17a813dbaf60a4f4aa96f582\""
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "Accept": "application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "200 OK"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a\""
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "628"
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/blobs/sha256:9e27c57b266d8bcd206a90af96dba94a6c2d9ac8fe93d47979aaf7ce47a34f68"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "Range": "bytes=0-2220"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "206 Partial Content"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "2221"
DEBU[2022-12-02T13:14:39+08:00] "Content-Range": "bytes 0-2220/2221"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Accept-Ranges": "bytes"
DEBU[2022-12-02T13:14:39+08:00] "Cache-Control": "max-age=31536000"
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/octet-stream"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:9e27c57b266d8bcd206a90af96dba94a6c2d9ac8fe93d47979aaf7ce47a34f68"
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:9e27c57b266d8bcd206a90af96dba94a6c2d9ac8fe93d47979aaf7ce47a34f68\""
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]}
DEBU[2022-12-02T13:14:39+08:00] verify cert chain
DEBU[2022-12-02T13:14:39+08:00] verify trust identity
DEBU[2022-12-02T13:14:39+08:00] verify expiry
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:09:58 +0800"
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "Accept": "application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "200 OK"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0\""
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "628"
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/blobs/sha256:b804160dff6d263d918c4ec4088876a325f4b59f003c0eaba55fd71419f73557"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "Range": "bytes=0-2220"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "206 Partial Content"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Accept-Ranges": "bytes"
DEBU[2022-12-02T13:14:39+08:00] "Cache-Control": "max-age=31536000"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "2221"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:b804160dff6d263d918c4ec4088876a325f4b59f003c0eaba55fd71419f73557"
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:b804160dff6d263d918c4ec4088876a325f4b59f003c0eaba55fd71419f73557\""
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Content-Range": "bytes 0-2220/2221"
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/octet-stream"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]}
DEBU[2022-12-02T13:14:39+08:00] verify cert chain
DEBU[2022-12-02T13:14:39+08:00] verify trust identity
DEBU[2022-12-02T13:14:39+08:00] verify expiry
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:04 +0800"
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "Accept": "application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "200 OK"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e\""
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "628"
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/vnd.oci.artifact.manifest.v1+json"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e"
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/blobs/sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38"
DEBU[2022-12-02T13:14:39+08:00] Request method: "GET"
DEBU[2022-12-02T13:14:39+08:00] Request headers:
DEBU[2022-12-02T13:14:39+08:00] "Range": "bytes=0-2220"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
DEBU[2022-12-02T13:14:39+08:00] Response Status: "206 Partial Content"
DEBU[2022-12-02T13:14:39+08:00] Response headers:
DEBU[2022-12-02T13:14:39+08:00] "Content-Range": "bytes 0-2220/2221"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Content-Digest": "sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38"
DEBU[2022-12-02T13:14:39+08:00] "Docker-Distribution-Api-Version": "registry/2.0"
DEBU[2022-12-02T13:14:39+08:00] "X-Content-Type-Options": "nosniff"
DEBU[2022-12-02T13:14:39+08:00] "Date": "Fri, 02 Dec 2022 05:14:39 GMT"
DEBU[2022-12-02T13:14:39+08:00] "Accept-Ranges": "bytes"
DEBU[2022-12-02T13:14:39+08:00] "Content-Length": "2221"
DEBU[2022-12-02T13:14:39+08:00] "Etag": "\"sha256:472efea7f2acae601d8f052ff89fdd9cbe66a172cb0f8ddf2f1396b99d07fd38\""
DEBU[2022-12-02T13:14:39+08:00] "Cache-Control": "max-age=31536000"
DEBU[2022-12-02T13:14:39+08:00] "Content-Type": "application/octet-stream"
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]}
DEBU[2022-12-02T13:14:39+08:00] verify cert chain
DEBU[2022-12-02T13:14:39+08:00] verify trust identity
DEBU[2022-12-02T13:14:39+08:00] verify expiry
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:26 +0800"
DEBU[2022-12-02T13:14:39+08:00] Signature verification failed for all the signatures associated with digest sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
Error: signature verification failed
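The debug output above is line-oriented and interleaves registry HTTP traffic with the verification decisions that actually matter to a reviewer: which signatures were found for the artifact, which checks ran on each, which check failed and why, and whether the artifact was referenced by a mutable tag. As an added example (not part of the original note and not code from the Notation project), the following Python parses log lines of exactly this shape into a per-signature report. The regexes are written against the message formats visible above (logrus-style `LEVEL[timestamp] message` lines, `processing signature with digest:`, `verify <step>`, `<check> validation failed. Failure reason:`); the sample input is an excerpt of that log embedded inline.

```python
"""Summarise `notation verify -d` debug output into a per-signature report.

Added example, not Notation project code: the regexes target the message
formats visible in the log above (logrus-style `LEVEL[timestamp] message`).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: an excerpt of the debug log shown above, embedded inline.
SAMPLE_LOG = """\
➜ ./notation verify $IMAGE -d
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed
Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing
INFO[2022-12-02T13:14:39+08:00] passing a nil signature to check 'skip' level
DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]}
ERRO[2022-12-02T13:14:39+08:00] integrity validation failed. Failure reason: unable to parse the digital signature, error : signature envelope format with media type "" is not supported
DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47"
DEBU[2022-12-02T13:14:39+08:00] "User-Agent": "notation/v0.12.0-beta.1+unreleased"
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:6e0a5084fc479f071a51cb11518f70b795a9f160ae62851dd34d821e3c7b371a
DEBU[2022-12-02T13:14:39+08:00] verify cert chain
DEBU[2022-12-02T13:14:39+08:00] verify trust identity
DEBU[2022-12-02T13:14:39+08:00] verify expiry
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:09:58 +0800"
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:74bd7d7fb3a0a9a26e542a0849c5c6f803b5a8f53c7d02a1d2471b8f4ec808e0
DEBU[2022-12-02T13:14:39+08:00] verify cert chain
DEBU[2022-12-02T13:14:39+08:00] verify trust identity
DEBU[2022-12-02T13:14:39+08:00] verify expiry
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:04 +0800"
INFO[2022-12-02T13:14:39+08:00] processing signature with digest: sha256:117f4c3c03f228776cdf9727f7ce77c75f95a98d9fa7a22455f30c8639f4ed4e
DEBU[2022-12-02T13:14:39+08:00] verify cert chain
DEBU[2022-12-02T13:14:39+08:00] verify trust identity
DEBU[2022-12-02T13:14:39+08:00] verify expiry
ERRO[2022-12-02T13:14:39+08:00] expiry validation failed. Failure reason: digital signature has expired on "Fri, 02 Dec 2022 13:10:26 +0800"
DEBU[2022-12-02T13:14:39+08:00] Signature verification failed for all the signatures associated with digest sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47
Error: signature verification failed
"""

DIGEST = r"sha256:[0-9a-f]{64}"
LOG_LINE = re.compile(r"^(?P<level>DEBU|INFO|WARN|ERRO)\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
RESOLVED = re.compile(rf"^Resolved artifact tag `(?P<tag>[^`]+)` to digest `(?P<digest>{DIGEST})`")
SIG_START = re.compile(rf"^processing signature with digest: (?P<digest>{DIGEST})$")
# "verify cert chain" etc.; the lookahead excludes "verify signature against artifact ..."
STEP = re.compile(r"^verify (?P<step>(?!signature against)[a-z ]+)$")
FAILED = re.compile(r"^(?P<check>\w+) validation failed\. Failure reason: (?P<reason>.*)$")
LEVEL = re.compile(r"^verification level: &\{Name:(?P<name>\w+) ")


@dataclass
class SignatureResult:
    digest: str
    steps: list[str] = field(default_factory=list)   # checks that ran, in order
    failed_check: Optional[str] = None               # first check that failed
    failure_reason: Optional[str] = None

    @property
    def passed(self) -> bool:
        return self.failed_check is None


@dataclass
class VerifyReport:
    tag: Optional[str] = None
    artifact_digest: Optional[str] = None
    tag_warning: bool = False            # artifact was referenced by a mutable tag
    level: Optional[str] = None          # verification level, e.g. "strict"
    preflight_errors: list[tuple[str, str]] = field(default_factory=list)
    signatures: list[SignatureResult] = field(default_factory=list)
    overall_error: Optional[str] = None  # final "Error: ..." line, if any


def parse_verify_log(text: str) -> VerifyReport:
    """Walk the log once, attributing steps and failures to the current signature."""
    report = VerifyReport()
    current: Optional[SignatureResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Warning: Always sign the artifact using digest"):
            report.tag_warning = True
            continue
        if m := RESOLVED.match(line):
            report.tag, report.artifact_digest = m["tag"], m["digest"]
            continue
        if line.startswith("Error: "):
            report.overall_error = line[len("Error: "):]
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue  # shell prompt or other non-log text
        msg = m["msg"]
        if s := SIG_START.match(msg):
            current = SignatureResult(digest=s["digest"])
            report.signatures.append(current)
        elif lv := LEVEL.match(msg):
            report.level = report.level or lv["name"]
        elif st := STEP.match(msg):
            if current is not None:
                current.steps.append(st["step"])
        elif f := FAILED.match(msg):
            if current is None:
                # Failure before any signature was fetched (the nil-signature probe above)
                report.preflight_errors.append((f["check"], f["reason"]))
            elif current.failed_check is None:
                current.failed_check, current.failure_reason = f["check"], f["reason"]
        # HTTP request/response DEBU lines carry no verification state and are skipped.
    return report


def summarize(report: VerifyReport) -> list[str]:
    """Human-readable one-line-per-finding summary of the report."""
    lines = []
    if report.tag_warning:
        lines.append(f"artifact referenced by mutable tag {report.tag!r}; pinned to {report.artifact_digest}")
    for check, reason in report.preflight_errors:
        lines.append(f"pre-signature {check} check failed: {reason}")
    for sig in report.signatures:
        status = "OK" if sig.passed else f"FAILED at {sig.failed_check}: {sig.failure_reason}"
        lines.append(f"{sig.digest[:19]}... steps={' > '.join(sig.steps)} {status}")
    lines.append(f"result: {report.overall_error or 'verification succeeded'}")
    return lines


if __name__ == "__main__":
    for entry in summarize(parse_verify_log(SAMPLE_LOG)):
        print(entry)
```

Running the block on the excerpt yields one line for the tag warning, one for the integrity failure of the nil-signature probe, one per signature (all three stop at `expiry`), and the final `result:` line. Because the parser keys on `processing signature with digest:`, it also tells a triager how many signatures the registry returned for the artifact, which the single `Error:` line at the end does not reveal.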
```go
// Verifier is a generic interface for verifying an artifact.
type Verifier interface {
	// Verify verifies the signature blob signature against the target OCI
	// artifact with manifest descriptor desc, and returns the outcome upon
	// successful verification.
	// If nil signature is present and the verification level is not 'skip',
	// an error will be returned.
	Verify(ctx context.Context, desc ocispec.Descriptor, signature []byte, opts VerifierVerifyOptions) (*VerificationOutcome, error)
}
```