# Play with Trust Policies

## Signature Verification Level

The following table shows the resulting validation action for each check, either enforced (verification fails) or logged, depending on the signature verification level. See [Trust Policy](https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#signature-verification-details).

![](https://i.imgur.com/CklPlWb.png)

In summary (from the linked spec):

| Validation | `strict` | `permissive` | `audit` | `skip` |
|---|---|---|---|---|
| Integrity | enforced | enforced | enforced | skipped |
| Authenticity | enforced | enforced | logged | skipped |
| Authentic timestamp | enforced | logged | logged | skipped |
| Expiry | enforced | logged | logged | skipped |
| Revocation check | enforced | logged | logged | skipped |

There are four levels: `strict`, `permissive`, `audit` and `skip`. An example that configures the verification level to `strict`:

```json
"signatureVerification": {
  "level" : "strict"
}
```

Note that `skip` performs no validation at all, not even the integrity check (see case-4), so it should only be used for registry scopes where signatures are deliberately not required.

### case-1: Verification passes at strict level

```
# remove any registry from a previous case, then create a new one
IMAGE=localhost:5000/net-monitor:v1
docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v1.0.0-rc.3
# the image must already exist locally (build or tag it first)
docker push $IMAGE

# generate a local testing key and certificate; --default makes it the signing key
notation cert generate-test case-1 --default

# sign
notation sign $IMAGE

# set verification level to `strict`
# set "trustStores": [ "ca:case-1" ]
# use `-v` or `-d` to show more logs
# verification should succeed
notation verify $IMAGE -v

# set verification level to `permissive`
# verification should succeed
notation verify $IMAGE -v

# set verification level to `audit`
# verification should succeed
notation verify $IMAGE -v

# set verification level to `skip`
# verification should be skipped
notation verify $IMAGE -v
```

### case-2: Verification passes at permissive level (expired signature)

```
# remove any registry from a previous case, then create a new one
IMAGE=localhost:5000/net-monitor:v1
docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v1.0.0-rc.3
docker push $IMAGE

# generate a local testing key and certificate
notation cert generate-test case-2 --default

# sign with the signature expiry set to 30 seconds
notation sign $IMAGE --expiry 30s

# wait for the signature to expire
sleep 30

# set verification level to `strict`
# set "trustStores": [ "ca:case-2" ]
# use `-v` or `-d` to show more logs
# verification should fail once the 30s have elapsed (expiry is enforced)
notation verify $IMAGE -v

# set verification level to `permissive`
# verification should succeed with a WARN message (expiry is only logged)
notation verify $IMAGE -v
```

### case-3: Verification passes at audit level (untrusted signer)

```
# remove any registry from a previous case, then create a new one
IMAGE=localhost:5000/net-monitor:v1
docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v1.0.0-rc.3
docker push $IMAGE

# generate a local testing key and certificate
notation cert generate-test case-3 --default

# sign using the key of case-3
notation sign $IMAGE

# set verification level to `strict`
# set "trustStores": [ "ca:case-3" ]
# use `-v` or `-d` to show more logs
# verification should succeed
notation verify $IMAGE -v

# generate a second local testing key and certificate (not set as default)
notation cert generate-test case-3-2

# set "trustStores": [ "ca:case-3-2" ]
# the signer is no longer in the trust store, so verification should fail
notation verify $IMAGE -v

# set verification level to `permissive`
# verification should fail (authenticity is still enforced)
notation verify $IMAGE -v

# set verification level to `audit`
# verification should succeed with a WARN message (authenticity is only logged)
notation verify $IMAGE -v
```

### case-4: Verification fails at every level unless it is skipped

```
# remove any registry from a previous case, then create a new one
IMAGE=localhost:5000/net-monitor:v1
docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v1.0.0-rc.3
docker push $IMAGE

# install oras 0.16.0
# simulate a COSE signature with an invalid format by attaching an arbitrary file (key.md here)
oras attach $IMAGE --artifact-type application/vnd.cncf.notary.signature ./key.md:application/cose

# list signatures; the attached artifact should appear
notation list $IMAGE

# set verification level to `strict`
# use `-v` or `-d` to show more logs
# verification should fail with an integrity error
notation verify $IMAGE -v

# set verification level to `permissive`
# verification should fail with an integrity error
notation verify $IMAGE -v

# set verification level to `audit`
# verification should fail with an integrity error (integrity is enforced at every level except skip)
notation verify $IMAGE -v

# set verification level to `skip`
# verification should be skipped
notation verify $IMAGE -v
```
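The cases above say "set verification level to X" and "set trustStores" without showing the trust policy document those edits go into. The shell helper below is an added example, not code from the original page or from the Notation project: it writes a complete trust policy for one level and one trust store, and `verify_at_level` then runs `notation verify` against it, so each case can be walked through all four levels in a loop. Assumptions not stated on the page: the policy file path (the Linux default under `~/.config/notation/`; set `NOTATION_POLICY` to override, or feed the file to `notation policy import` on current releases), the policy name `play-with-trust-policies`, and the wildcard registry scope `"*"` used for the local test registry. For `skip` the helper deliberately leaves out `trustStores` and `trustedIdentities`, because Notation refuses to load a skip statement that still names them.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Notation project):
# generate a Notation trust policy for one verification level and one
# trust store, then verify an image against it.

# Assumption: Linux default policy location; override with NOTATION_POLICY.
NOTATION_POLICY="${NOTATION_POLICY:-${XDG_CONFIG_HOME:-$HOME/.config}/notation/trustpolicy.json}"

# write_trust_policy LEVEL TRUST_STORE [OUT_FILE]
#   LEVEL        strict | permissive | audit | skip
#   TRUST_STORE  e.g. ca:case-1 (the store `notation cert generate-test case-1` filled)
#   OUT_FILE     defaults to $NOTATION_POLICY
# A skip statement must not list trustStores/trustedIdentities (Notation
# rejects one that does), so they are only emitted for the other levels.
write_trust_policy() {
  level="$1"; store="$2"; out="${3:-$NOTATION_POLICY}"
  case "$level" in
    strict|permissive|audit|skip) ;;
    *) echo "write_trust_policy: unknown level '$level'" >&2; return 1 ;;
  esac
  mkdir -p "$(dirname "$out")"
  if [ "$level" = skip ]; then
    cat > "$out" <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "play-with-trust-policies",
      "registryScopes": [ "*" ],
      "signatureVerification": { "level": "skip" }
    }
  ]
}
EOF
  else
    cat > "$out" <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "play-with-trust-policies",
      "registryScopes": [ "*" ],
      "signatureVerification": { "level": "$level" },
      "trustStores": [ "$store" ],
      "trustedIdentities": [ "*" ]
    }
  ]
}
EOF
  fi
}

# policy_level FILE: print the level configured in FILE (sanity check).
policy_level() {
  sed -n 's/.*"level": *"\([a-z]*\)".*/\1/p' "$1"
}

# policy_stores FILE: print the single trust store in FILE (empty for skip).
policy_stores() {
  sed -n 's/.*"trustStores": *\[ *"\([^"]*\)" *\].*/\1/p' "$1"
}

# verify_at_level LEVEL TRUST_STORE IMAGE: rewrite the policy, then verify.
verify_at_level() {
  write_trust_policy "$1" "$2" && notation verify "$3" -v
}

# Usage (not run automatically), e.g. case-2 after the 30s expiry:
#   IMAGE=localhost:5000/net-monitor:v1
#   for lvl in strict permissive audit skip; do
#     echo "== $lvl =="; verify_at_level "$lvl" ca:case-2 "$IMAGE" || true
#   done
```

The `|| true` in the usage loop keeps the loop going past the levels where verification is expected to fail, which is the point of the exercise; in a real admission or CI pipeline you would let that non-zero exit status stop the deployment.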