Skip to content

Commit

Permalink
Add digest check for Sign
Browse files Browse the repository at this point in the history 
Signed-off-by: Byron Chien <[email protected]>
  • Loading branch information
@byronchien
byronchien committed May 24, 2023
1 parent c3f8c33 commit 0bfb2ba
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 3 deletions.
8 changes: 6 additions & 2 deletions notation.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,18 +90,22 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts

logger := log.GetLogger(ctx)
artifactRef := signOpts.ArtifactReference
if ref, err := orasRegistry.ParseReference(artifactRef); err == nil {
ref, err := orasRegistry.ParseReference(artifactRef)
if err == nil {
// artifactRef is a valid full reference
artifactRef = ref.Reference
}

targetDesc, err := repo.Resolve(ctx, artifactRef)
if err != nil {
return ocispec.Descriptor{}, fmt.Errorf("failed to resolve reference: %w", err)
}
if artifactRef != targetDesc.Digest.String() {
if ref.ValidateReferenceAsDigest() != nil {
// artifactRef is not a digest reference
logger.Warnf("Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed", artifactRef)
logger.Infof("Resolved artifact tag `%s` to digest `%s` before signing", artifactRef, targetDesc.Digest.String())
} else if ref.Reference != targetDesc.Digest.String() {
return ocispec.Descriptor{}, fmt.Errorf("user input digest %s does not match the resolved digest %s", ref.Reference, targetDesc.Digest.String())
}

descToSign, err := addUserMetadataToDescriptor(ctx, targetDesc, signOpts.UserMetadata)
Expand Down
18 changes: 17 additions & 1 deletion notation_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,23 @@ func TestVerifyDigestNotMatchResolve(t *testing.T) {
opts := VerifyOptions{ArtifactReference: mock.SampleArtifactUri, MaxSignatureAttempts: 50}
_, _, err := Verify(context.Background(), &verifier, repo, opts)
if err == nil || err.Error() != errorMessage {
t.Fatalf("VerifyTagReference expected: %v got: %v", expectedErr, err)
t.Fatalf("VerifyDigestNotMatch expected: %v got: %v", expectedErr, err)
}
}

func TestSignDigestNotMatchResolve(t *testing.T) {
repo := mock.NewRepository()
repo.MissMatchDigest = true
signOpts := SignOptions{
ArtifactReference: mock.SampleArtifactUri,
}

errorMessage := fmt.Sprintf("user input digest %s does not match the resolved digest %s", mock.SampleDigest, mock.ZeroDigest)
expectedErr := fmt.Errorf(errorMessage)

_, err := Sign(context.Background(), &dummySigner{}, repo, signOpts)
if err == nil || err.Error() != errorMessage {
t.Fatalf("SignDigestNotMatch expected: %v got: %v", expectedErr, err)
}
}

Expand Down

0 comments on commit 0bfb2ba

Please sign in to comment.