From 9f2dc88faab4ae7e46843eeccb966c04a6fc060e Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 26 Jun 2024 14:47:02 +0800
Subject: [PATCH 1/2] chore on log
Signed-off-by: Patrick Zheng
---
 verifier/verifier.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/verifier/verifier.go b/verifier/verifier.go
index e6436050..59e1ee40 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -171,7 +171,7 @@ func (v *verifier) Verify(ctx context.Context, desc ocispec.Descriptor, signatur
 }
 if !content.Equal(payload.TargetArtifact, desc) {
-logger.Infof("payload.TargetArtifact in signature: %+v", payload.TargetArtifact)
+logger.Infof("Target artifact in signature payload: %+v", payload.TargetArtifact)
 logger.Infof("Target artifact that want to be verified: %+v", desc)
 outcome.Error = errors.New("content descriptor mismatch")
 }
@@ -576,12 +576,15 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
 if err != nil {
-logger.Debugf("not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
+// TODO: this error occurs only when signing scheme is notary.x509,
+// because RFC 3161 timestamping is not supported yet. Once it's
+// supported, this log would become valid.
+logger.Debugf("Not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
 authenticSigningTime = time.Time{}
 }
 certResults, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime)
 if err != nil {
-logger.Debug("error while checking revocation status, err: %s", err.Error())
+logger.Debug("Error while checking revocation status, err: %s", err.Error())
 return ¬ation.ValidationResult{
 Type: trustpolicy.TypeRevocation,
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation],
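Review bot: The renamed message still prints the whole descriptor taken from the signature payload with `%+v`, presumably an `ocispec.Descriptor` like `desc`, so any annotations it carries are written to the log unescaped at Info level even though that content is not produced by the verifier; logging only the fields the comparison depends on, or quoting the strings with `%q`, keeps a mismatch from writing arbitrary text into the log. The adjacent `Target artifact that want to be verified` line has the same shape and reads awkwardly; merging the two into one line, e.g. `logger.Infof("Content descriptor mismatch: target artifact in signature payload %+v, artifact being verified %+v", payload.TargetArtifact, desc)`, also keeps the pair together when log output is interleaved. Verify's body continues on both sides of the hunk.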
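Review bot: `logger.Debug("Error while checking revocation status, err: %s", err.Error())` passes a format string to what the rest of this hunk treats as the non-formatting variant (the same pattern two lines above uses `Debugf`), so if `Debug` only concatenates its arguments the `%s` is emitted literally with the error text appended; the capitalization change kept that mismatch. It should read `logger.Debugf("Error while checking revocation status, err: %v", err)`. The new TODO comment is also hard to follow ("this log would become valid"); stating what happens is clearer, e.g. `// TODO: for the notary.x509 signing scheme the authentic signing time comes from an RFC 3161 timestamp, which is not supported yet, so this error is expected there and revocation is checked with a zero signing time.` verifyRevocation's body continues on both sides of the hunk.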
@@ -600,7 +603,7 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 var revokedCertSubject string
 for i := len(certResults) - 1; i >= 0; i-- {
 if len(certResults[i].ServerResults) > 0 && certResults[i].ServerResults[0].Error != nil {
-logger.Debugf("error for certificate #%d in chain with subject %v for server %q: %v", (i + 1), outcome.EnvelopeContent.SignerInfo.CertificateChain[i].Subject.String(), certResults[i].ServerResults[0].Server, certResults[i].ServerResults[0].Error)
+logger.Debugf("Error for certificate #%d in chain with subject %v for server %q: %v", (i + 1), outcome.EnvelopeContent.SignerInfo.CertificateChain[i].Subject.String(), certResults[i].ServerResults[0].Server, certResults[i].ServerResults[0].Error)
 }
 if certResults[i].Result == revocationresult.ResultOK || certResults[i].Result == revocationresult.ResultNonRevokable {
@@ -624,7 +627,7 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 switch finalResult {
 case revocationresult.ResultOK:
-logger.Debug("no verification impacting errors encountered while checking revocation, status is OK")
+logger.Debug("No verification impacting errors encountered while checking revocation, status is OK")
 case revocationresult.ResultRevoked:
 result.Error = fmt.Errorf("signing certificate with subject %q is revoked", problematicCertSubject)
 default:
From b55116f30c9e74230376f6f5d629ad0ca86a67da Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 17 Jul 2024 11:13:19 +0800
Subject: [PATCH 2/2] fix log
Signed-off-by: Patrick Zheng
---
 go.mod | 2 +-
 go.sum | 4 ++--
 verifier/verifier.go | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index 61e27ab5..af1edd8f 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/go-ldap/ldap/v3 v3.4.8
 github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
 github.com/notaryproject/notation-plugin-framework-go v1.0.0
-github.com/notaryproject/tspclient-go v0.1.0
+github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
 github.com/veraison/go-cose v1.1.0
diff --git a/go.sum b/go.sum
index de10e43d..eab4a3af 100644
--- a/go.sum
+++ b/go.sum
@@ -36,8 +36,8 @@ github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo= -github.com/notaryproject/tspclient-go v0.1.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= +github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
diff --git a/verifier/verifier.go b/verifier/verifier.go
index 95779bfa..eea10eb2 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -1007,7 +1007,7 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
 // 4. Check the timestamp against the signing certificate chain
 logger.Debug("Checking the timestamp against the signing certificate chain...")
-logger.Debugf("Timestamp range: [%v, %v]", timestamp.Value.Add(-timestamp.Accuracy), timestamp.Value.Add(timestamp.Accuracy))
+logger.Debugf("Timestamp range: %s", timestamp.Format(time.RFC3339))
 for _, cert := range signerInfo.CertificateChain {
 if !timestamp.BoundedAfter(cert.NotBefore) {
 return fmt.Errorf("timestamp can be before certificate %q validity period, it will be valid from %q", cert.Subject, cert.NotBefore.Format(time.RFC1123Z))
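Review bot: The new debug line renders `timestamp` with `time.RFC3339` while the error two lines below renders `cert.NotBefore` with `time.RFC1123Z`, so a failed bound check reports the two values being compared in different layouts; using one layout for both (e.g. `cert.NotBefore.Format(time.RFC3339)` in the `fmt.Errorf`) makes them directly comparable in the log. The message still says `Timestamp range`, which presumably relies on the `Format` method supplied by the tspclient-go bump in this patch printing the [lower, upper] bounds rather than a single instant — worth confirming, since the removed line printed both ends explicitly. verifyTimestamp's body continues on both sides of the hunk.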