Notation Issues

# Notation Issues ## Notation Issues 1. Resolved - (Patrick) Quickstart: Sign and validate a container image | (notaryproject.dev) Warning： “by default, signatures are stored using OCI Artifact Manifest, which is defined in OCI Image spec v1.1.0).” This should be OCI Image Manifest. - Related PR: https://github.com/notaryproject/notaryproject.dev/pull/155 1. (Patrick) https://notaryproject.dev/docs/quickstart/#list-the-signatures-associated-with-the-container-image `IMAGE=localhost:5000/net-monitor@sha256:073b75987e95b89f187a89809f08a32033972bb63cda279db8a9ca16b7ff555a` doesn't work on Windows. quickstart needs to clarify that it targets on the Unix system. （Sylvia)+1 Feynman: there is an issue to add commands for Windows PowerShell: https://github.com/notaryproject/notaryproject.dev/issues/263 1. (Billy Zha) Notation installation doc: - showing wrong architecture in [here](https://notaryproject.dev/docs/installation/cli/#:~:text=NOTATION_VERSION%5C_checksums.txt-,For%20x86%20processors%3A,-curl%20%2DLO%20https), should be x86_64 - should add `sudo` to copy the binary [here](https://notaryproject.dev/docs/installation/cli/#:~:text=tar%20xvzf%20%3CARCHIVE_FILE%3E%20%2DC%20/usr/bin/%20notation) Feynman: we need an issue to track this updates and fix it 1. Resolved - (Billy Zha) Notation quick start doc: when [setting up `$IMAGE`](https://notaryproject.dev/docs/quickstart/#list-the-signatures-associated-with-the-container-image), user may failed to find the digest. Can we suggest user to use `notation ls -v` or `oras discover` to get the digest first? Feynman: there is `docker inspect` step to tell users to get the digest in this [section](https://notaryproject.dev/docs/quickstart/#add-an-image-to-the-oci-compatible-registry). Is it enough? 1. (Patrick) https://notaryproject.dev/docs/quickstart/#verify-the-container-image `notation verify $IMAGE` suggest to add `-v` flag in quickstart, i.e., `notation verify $IMAGE -v`. This is very useful on verification failure. I've already seen ESRP verifiers don't know the existence of `-v` flag so that they failed to debug on verification failures. （Sylvia)+1 Feynman: we need an issue to track this updates and fix it 1. (Xiaoxuan) The words "notary" and "notation" are both used in the landing page, without explaining the relation between them. It looks confusing. ![](https://i.imgur.com/nOSgaqF.png) Feynman: we need to add a section in the introduction doc to explain "notary" and "notation" 1. Resolved - (Binbin) `notation inspect` would display an empty notation signature for an image without any signatures. ![](https://i.imgur.com/nJH1c7O.png) - https://github.com/notaryproject/notation/issues/624 1. Resolved - (Binbin) `notation inspect` result may not display expiry time correctly. In my example, there is no expiry time set for this signature, but it shows `Mon Jan 1 00:00:00 0001`. ![](https://i.imgur.com/zTzRyfe.png) - https://github.com/notaryproject/notation/issues/611 1. （Sylvia）`notation sign` does not output the digest of the generated signature artifact. Users are not able to correlate the result of `notation sign` and `notation ls`. ![](https://i.imgur.com/nKhxSc8.png) ![](https://i.imgur.com/MxKGEdq.png) Feynman: we need an issue to track this this change 10. (Patrick) https://notaryproject.dev/docs/concepts/definitions-terms/#trust-store and https://notaryproject.dev/docs/concepts/definitions-terms/#trust-policy need link to our spec. Feynman: the original Spec docs have been removed from the website since it is duplicated with notaryproject repo. So this issue is no longer existing. We will create a separate chapter `Glossary` 12. (Patrick) https://notaryproject.dev/docs/concepts/signature-envelope-jws/ We have a doc for JWS, how about COSE? Feynman: we will create a separate chapter `Glossary` on documentation and explan technical term definitions 14. (Xiaoxuan) I really think we should remove the checksum part, or use a separate checksum txt file for each architecture. The extra error messages caused me to doubt if I made the wrong download and I went back downloading again. ![](https://i.imgur.com/s6iJUWu.png) Feynman: we need an issue to track this update 1. (Sylvia) The error message of `notation verify` is too genric and can be misleading. For example, I didn't configure trust policy for $IMAGE and `notation verify` failed, but the error message doesn't reveal that. ![](https://i.imgur.com/hBywfWi.png) - https://github.com/notaryproject/notation/issues/625 Feynman: there is an [issue](https://github.com/notaryproject/notation/issues/625) to track and will be fixed after v1.0.0