[Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 (#7650)

* Bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6

Signed-off-by: webstradev <e.s.westra.95@gmail.com>

* fixed tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added tests for repository

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: webstradev <e.s.westra.95@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: webstradev <e.s.westra.95@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>

.nancy-ignore

@@ -12,10 +12,6 @@ CVE-2022-29946 until=2023-07-31
 CVE-2022-42709 until=2023-07-31
 CVE-2022-42708 until=2023-07-31
 CVE-2021-32026 until=2023-07-31
-# golang/github.com/notaryproject/notation-go@v1.0.0-rc.3
-CVE-2023-33959 until=2023-07-31
-CVE-2023-33958 until=2023-07-31
-CVE-2023-33957 until=2023-07-31
 # golang/github.com/sigstore/rekor@v1.0.1
 CVE-2023-30551 until=2023-07-31
 CVE-2023-33199 until=2023-07-31

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23
 	github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7
 	github.com/notaryproject/notation-core-go v1.0.0-rc.4
-	github.com/notaryproject/notation-go v1.0.0-rc.3
+	github.com/notaryproject/notation-go v1.0.0-rc.6
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.8
 	github.com/opencontainers/go-digest v1.0.0
@@ -329,7 +329,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	k8s.io/component-base v0.27.3 // indirect
 	k8s.io/kubectl v0.26.3 // indirect
-	oras.land/oras-go/v2 v2.1.0 // indirect
+	oras.land/oras-go/v2 v2.2.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/release-utils v0.7.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect

go.sum

@@ -1038,8 +1038,8 @@ github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62
 github.com/nishanths/predeclared v0.2.1/go.mod h1:HvkGJcA3naj4lOwnFXFDkFxVtSqQMB9sbB1usJ+xjQE=
 github.com/notaryproject/notation-core-go v1.0.0-rc.4 h1:gzo4JzKRMLGoOeOhPXxoudjL79Mi9X6flS8qJbRtZ+k=
 github.com/notaryproject/notation-core-go v1.0.0-rc.4/go.mod h1:PEHrnhW0mEIVpyYdXqAJoJAaUgfz757tqxB3LG4qcag=
-github.com/notaryproject/notation-go v1.0.0-rc.3 h1:J93pnI42xw6UzeeCn8a5r3j1n8n5nHjnM3GwrsHzjkQ=
-github.com/notaryproject/notation-go v1.0.0-rc.3/go.mod h1:IlP9GVzPUavxljgJIWoHY0GY1unlqfee7tIiCbSem1w=
+github.com/notaryproject/notation-go v1.0.0-rc.6 h1:Wu9PiCzf2v75iBsKanJTgd91jgvpTzMX5kvnKjximi4=
+github.com/notaryproject/notation-go v1.0.0-rc.6/go.mod h1:SV0kfsy8O9RfH8xW1hhDN1Ly3nvQTFNi5X1f7rDX7/U=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@@ -2175,8 +2175,8 @@ mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
 mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7/go.mod h1:hBpJkZE8H/sb+VRFvw2+rBpHNsTBcvSpk61hr8mzXZE=
-oras.land/oras-go/v2 v2.1.0 h1:1nS8BIeEP6CBVQifwxrsth2bkuD+cYfjp7Hf7smUcS8=
-oras.land/oras-go/v2 v2.1.0/go.mod h1:v5ZSAPIMEJYnZjZ6rTGPAyaonH+rCFmbE95IAzCTeGU=
+oras.land/oras-go/v2 v2.2.0 h1:E1fqITD56Eg5neZbxBtAdZVgDHD6wBabJo6xESTcQyo=
+oras.land/oras-go/v2 v2.2.0/go.mod h1:pXjn0+KfarspMHHNR3A56j3tgvr+mxArHuI8qVn59v8=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

pkg/notary/notary.go

@@ -59,7 +59,7 @@ func (v *notaryVerifier) VerifySignature(ctx context.Context, opts images.Option
 	v.log.V(4).Info("created parsedRef", "reference", opts.ImageRef)
 
 	ref := parsedRef.Ref.Name()
-	remoteVerifyOptions := notation.RemoteVerifyOptions{
+	remoteVerifyOptions := notation.VerifyOptions{
 		ArtifactReference:    ref,
 		MaxSignatureAttempts: 10,
 	}
@@ -243,7 +243,7 @@ func verifyAttestators(ctx context.Context, v *notaryVerifier, ref name.Referenc
 	}
 	v.log.V(4).Info("created notation repo", "reference", opts.ImageRef)
 
-	remoteVerifyOptions := notation.RemoteVerifyOptions{
+	remoteVerifyOptions := notation.VerifyOptions{
 		ArtifactReference:    reference,
 		MaxSignatureAttempts: 10,
 	}

pkg/notary/repository.go

@@ -30,7 +30,7 @@ func NewRepository(craneOpts crane.Option, remoteOpts []remote.Option, ref name.
 }
 
 func (c *repositoryClient) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) {
-	head, err := crane.Head(reference)
+	head, err := crane.Head(c.getReferenceFromDigest(reference))
 	if err != nil {
 		return ocispec.Descriptor{}, nil
 	}
@@ -122,6 +122,10 @@ func (c *repositoryClient) getReferenceFromDescriptor(desc ocispec.Descriptor) s
 	return GetReferenceFromDescriptor(desc, c.ref)
 }
 
+func (c *repositoryClient) getReferenceFromDigest(digest string) string {
+	return c.ref.Context().RegistryStr() + "/" + c.ref.Context().RepositoryStr() + "@" + digest
+}
+
 func GetReferenceFromDescriptor(desc ocispec.Descriptor, ref name.Reference) string {
 	return ref.Context().RegistryStr() + "/" + ref.Context().RepositoryStr() + "@" + desc.Digest.String()
 }

pkg/notary/repository_test.go

@@ -0,0 +1,79 @@
+package notary
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/crane"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	notationregistry "github.com/notaryproject/notation-go/registry"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"gotest.tools/assert"
+)
+
+var (
+	imageRef = "jimnotarytest.azurecr.io/jim/net-monitor:v1"
+	ctx      = context.Background()
+)
+
+func TestResolve(t *testing.T) {
+	repoDesc, err := crane.Head(imageRef)
+	assert.NilError(t, err)
+
+	ref, err := name.ParseReference(imageRef)
+	assert.NilError(t, err)
+
+	repositoryClient := NewRepository(nil, nil, ref)
+
+	desc, err := repositoryClient.Resolve(ctx, repoDesc.Digest.String())
+	assert.NilError(t, err)
+	assert.Equal(t, desc.Digest.String(), "sha256:ba7000206594c2d72c3ab550453004c0dc50961157e5ebd2fb8ea1890099d02d")
+	assert.Equal(t, desc.MediaType, "application/vnd.docker.distribution.manifest.v2+json")
+}
+
+func TestListSignatures(t *testing.T) {
+	repoDesc, err := crane.Head(imageRef)
+	assert.NilError(t, err)
+
+	ociDesc := v1ToOciSpecDescriptor(*repoDesc)
+	assert.Equal(t, ociDesc.Digest.String(), repoDesc.Digest.String())
+
+	ref, err := name.ParseReference(imageRef)
+	assert.NilError(t, err)
+
+	repositoryClient := NewRepository(nil, nil, ref)
+	fn := func(_ []ocispec.Descriptor) error {
+		return nil
+	}
+
+	err = repositoryClient.ListSignatures(ctx, ociDesc, fn)
+	assert.NilError(t, err)
+}
+
+func TestFetchSignatureBlob(t *testing.T) {
+	repoDesc, err := crane.Head(imageRef)
+	assert.NilError(t, err)
+
+	ociDesc := v1ToOciSpecDescriptor(*repoDesc)
+	assert.Equal(t, ociDesc.Digest.String(), repoDesc.Digest.String())
+
+	ref, err := name.ParseReference(imageRef)
+	assert.NilError(t, err)
+
+	repositoryClient := NewRepository(nil, nil, ref)
+
+	referrers, err := remote.Referrers(ref.Context().Digest(ociDesc.Digest.String()))
+	assert.NilError(t, err)
+	referrersDescs, err := referrers.IndexManifest()
+	assert.NilError(t, err)
+
+	for _, d := range referrersDescs.Manifests {
+		if d.ArtifactType == notationregistry.ArtifactTypeNotation {
+			_, desc, err := repositoryClient.FetchSignatureBlob(ctx, v1ToOciSpecDescriptor(d))
+			assert.NilError(t, err)
+			assert.Equal(t, desc.MediaType, "application/jose+json")
+			assert.Equal(t, desc.Digest.String(), "sha256:746134b09f89451497668c598857d87ca660bb3d0b888832235c460d8d2697f3")
+		}
+	}
+}