
[OLD] Signature Filtering for Verification

This is outdated and content has been moved to https://github.com/notaryproject/notaryproject/pull/131

Why we need this change

As per signing-verification-workflow step 3.2, if an OCI artifact contains multiple signatures, we need a mechanism to filter out the signatures based on the given trust criteria. Otherwise, we will have to download and evaluate all the associated signatures. Since there is no upper bound on the number of signatures that can be associated with an artifact, this poses an availability risk.


=== PR BEGINS ===

Supported trust criteria

  • Filter based on signing identity (certificate) identifier.
  • Filter based on arbitrary signed attributes.

Mechanism/Design

To filter out signatures based on the aforementioned trust criteria, we need to surface this trust criteria information in the signature artifact manifest. The only entry in the subject manifest that allows for arbitrary data is annotations, so we will be using annotations to surface certificate(s) identifier and signed attributes.

  • org.opencontainers.notary.x509certs.fingerprint.sha256: This REQUIRED annotation's value contains a list of the SHA-256 fingerprints of the signing certificate and the certificate chain used for signature generation.
  • org.opencontainers.notary.signature.signedattributes: This OPTIONAL annotation's value contains the list of signed attributes.

Keys using the org.opencontainers.notary namespace are reserved for use in the Notary signature artifact manifest and MUST NOT be used by other specifications and extensions, including other OCI specifications.

  {
    "artifactType": "application/vnd.cncf.notary.v2.signature",
    "blobs": [
      {
        "mediaType": "application/jose+json",
        "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0",
        "size": 32654
      }
    ],
    "subject": {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333",
      "size": 16724
    },
    "annotations": {
      "org.opencontainers.notary.signature": "",
      "org.opencontainers.notary.x509certs.fingerprint.sha256": "[\"B7A69A70992AE4F9FF103EBE04A2C3BA6C777E439253CE36562E6E98375068C3\", \"932EB6F5598435D4EF23F97B0B5ACB515FAE2B8D8FAC046AB813DDC419DD5E89\"]",
      ~~"org.opencontainers.notary.signature.signedattributes": "{ \"signed-key1\": \"value1\", \"signed-key2\": \"value2\"}"~~
    }
  }

Signature generation

Steps

  1. Generate signature:
  2. Push the signature envelope:
  3. Generate signature artifact manifest: As described in the signature specification, create the Notary v2 signature artifact manifest for the signature envelope generated in step 1.
    1. Create a JSON array by calculating the SHA-256 fingerprint of the signing certificate and each certificate in the certificate chain. Add an annotation with org.opencontainers.notary.x509certs.fingerprint.sha256 as key and this JSON array as value.
    2. If there are any user-defined signed attributes, create a JSON object of the signed attributes and add an annotation with org.opencontainers.notary.signature.signed-attributes as key and this JSON object as the value.
  4. Push signature artifact manifest:

Signature verification

Steps

  1. Get signature artifact descriptors:
  2. Get signature artifact manifests:
    1. Get signature artifact manifests:
    2. Filter signature artifact manifests:
      1. Based on the value of blobs->mediaType attribute and supported signature envelope format, filter out signature manifests.
      2. Depending upon the trust-store configuration, further filter out signature manifests.
        1. Using the scope configured in trust policies, get the applicable trust policy and trust stores.
        2. From the trust policy, get the list of trusted certificates. Calculate the SHA-256 fingerprint of each applicable trusted certificate and compare these fingerprints against the values present in the artifact manifest's org.opencontainers.notary.x509certs.fingerprint.sha256 annotation. If there is at least one match, continue to the next step. Otherwise, move to the next signature artifact descriptor (step 2.1). If all signature artifact manifests have already been processed, fail the OCI artifact pull request and exit.
    3. Get and validate signatures:
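The following Go example is added here to illustrate filtering steps 2.2.1 and 2.2.2 above; it is not code from this proposal or from the Notary project. It assumes the verifier supports only the JWS (application/jose+json) envelope, treats a missing or malformed REQUIRED fingerprint annotation as "no match", and compares fingerprints case-insensitively; the trust store is modelled as a list of fingerprint strings that Fingerprint would produce from each trusted certificate's DER bytes.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

const (
	FingerprintAnnotation = "org.opencontainers.notary.x509certs.fingerprint.sha256"
	SupportedEnvelope     = "application/jose+json" // assumed: verifier only handles JWS
)

// SigManifest is the subset of a signature artifact manifest that filtering needs.
type SigManifest struct {
	Blobs       []struct{ MediaType, Digest string } `json:"blobs"`
	Annotations map[string]string                    `json:"annotations"`
}

// Fingerprint is the upper-case hex SHA-256 of a DER-encoded certificate, the
// form the annotation carries; a trust store applies it to each trusted cert.
func Fingerprint(der []byte) string {
	return fmt.Sprintf("%X", sha256.Sum256(der))
}

// FilterManifests runs steps 2.2.1 and 2.2.2 before any envelope is fetched: drop
// unsupported envelope formats, then keep only manifests whose REQUIRED fingerprint
// annotation shares at least one entry with the trust store.
func FilterManifests(manifests []SigManifest, trusted []string) []SigManifest {
	trustedSet := make(map[string]bool, len(trusted))
	for _, fp := range trusted {
		trustedSet[strings.ToUpper(fp)] = true
	}
	var kept []SigManifest
	for _, m := range manifests {
		if len(m.Blobs) != 1 || m.Blobs[0].MediaType != SupportedEnvelope {
			continue // step 2.2.1: unsupported signature envelope format
		}
		var fps []string
		if json.Unmarshal([]byte(m.Annotations[FingerprintAnnotation]), &fps) != nil {
			continue // annotation absent or not a JSON array of strings: no match
		}
		for _, fp := range fps {
			if trustedSet[strings.ToUpper(fp)] { // step 2.2.2: at least one match
				kept = append(kept, m)
				break
			}
		}
	}
	return kept
}
```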

=== PR ENDS ===


tags: notary