When the COSE signature contains extra attribute keys, which are integers not strings, the code reports error:

extendedAttributes key requires string type

Those keys should be ignored if not marked as critical, or report error if marked as critical. If they are known attributes, we may convert keys into strings so that it can fill in the signature.Attribute structure.

Related code:

Currently, SignerInfo does not support differentiating SigningTime (incase of notary.x509) from AuthenticSigningTime (incase of notary.signingAuthority.x509)

Release

This would mean tagging 0c1ec3b as v1.0.0 to release.

Vote

We need at least 4 approvals from 6 maintainers to release notation-core-go v1.0.0.

• Junjie Gao (@JeyJeyGao)
• Milind Gokarn (@gokarnm)
• Patrick Zheng (@Two-Hearts)
• Pritesh Bandi (@priteshbandi)
• Rakesh Gariganti (@rgnote)
• Shiwei Zhang (@shizhMSFT)

Changes

The code changes compared to v1.0.0-rc.4 include:

• #133
• #151
• #154
• #153
• #156

Full Changelog: v1.0.0-rc.4...0c1ec3b

Action Requested

Please respond LGTM or REJECT (with reasoning).

We didn’t check the issuer of the self-signed leaf certificate. The self-signed leaf certificate should also be self-issued.

Currently, the signature/signaturetest is an exported package. It should be moved to an internal folder to avoid using by public users.

This issue is to address the implementation work per update in the spec notaryproject/specifications#199

It's time to release a first version for Notation core go

• Decide on main commit for this release
• Decide on a tag name for this release
• Cut branch named with the tag name based on agreed upon main commit
• Cut a tag

@gokarnm @iamsamirzon @dtzar @SteveLasker @FeynmanZhou @shizhMSFT

What is the areas you experience the issue in?

Notation CLI

What is not working as expected?

To increase the velocity of the development, we would like to reduce the PR approval count to 2. The justification is the following: with the current count of 3 approvals we have 4 people who need to be involved in the PR. Our initial goal was to have min 3. By reducing to 2 approvals required we still have 3 people including the original submitter.

What did you expect to happen?

Reduce PR approvals to 2

How can we reproduce it?

N/A

Describe your environment

N/A

What is the version of your Notation CLI or Notation Library?

N/A

Release v1.0.0-rc.3 for notation-core-go:

• Decide on main commit for a release: Commit id 4d6ef22
• Cut branch named v1.0.0-rc.3 based on agreed upon main commit
• Cut a tag named v1.0.0-rc.3

Looking for LGTM @iamsamirzon @vaninrao10 @priteshbandi @toddysm @FeynmanZhou @shizhMSFT @patrickzheng200 @JeyJeyGao @rgnote @gokarnm @SteveLasker @NiazFK @justincormack

Release v1.0.0-rc.1 for notation-core-go:

• Decide on main commit for a release: Commit id 3022517
• Cut branch named v1.0.0-rc.1 based on agreed upon main commit
• Cut a tag named v1.0.0-rc.1

@SteveLasker @NiazFK Please respond with +1 comment for approval.

cc: @iamsamirzon @vaninrao10 @priteshbandi @toddysm @FeynmanZhou @shizhMSFT

This issue tracks COSE verification with Tag0 or Tag1 Datetime. In our specs we only accept Tag1 Datetime CBOR object during verification. We need a way to check the tag of datetime inside the signature and fail if it's a Tag0.

The PR #135 is to shift the golang support window to [1.19, 1.20]. Although we've got sufficient approvals, we are not able to merged PR since the check for golang 1.18 is removed, which is intended.

To merge the PR, we need to temporarily uncheck the "Do not allow bypassing the above settings" for the main branch to bypass the build check.

Of course, it is also can be done by unchecking "Require branches to be up to date before merging" but I think unchecking the "Do not allow bypassing the above settings" is safer.

@notaryproject/notaryproject-notation-core-go-maintainers Please reply LGTM to proceed or comment for suggestions.

We need 4 approvals from the current 6 maintainers to vote for tagging a0cb09e as v1.0.0-rc.4. Here is the link to change log

• Junjie Gao [email protected] (@JeyJeyGao)
• Milind Gokarn [email protected] (@gokarnm)
• Patrick Zheng [email protected] (@Two-Hearts)
• Pritesh Bandi [email protected] (@priteshbandi)
• Rakesh Gariganti [email protected] (@rgnote)
• Shiwei Zhang [email protected] (@shizhMSFT)

change log for v1.0.0-rc4

• #146
• #145
• #144
• #143

Is your feature request related to a problem?

Timestamping support needs CMS package

What solution do you propose?

• BER to DER converter
  • #176
  • unit test
• CMS package
  • #181
  • unit test

What alternatives have you considered?

No

Any additional context?

No response

Go 1.20 is released with release notes!

It is time to shift the window for go support to [1.19, 1.20] by updating

• go. mod
• GitHub Actions

What is not working as expected?

Error: certificate-chain is invalid, invalid self-signed certificate. Error: certificate with subject "CN=xx.com,O=Notary,L=xx,ST=CA,C=US": key usage must not have the bit positions for ContentCommitment, KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly set

If the certificate has more key usages than DigitalSignature, the error message will display all the other key usages. However, this can be confusing if the user didn't set those key usages.

What did you expect to happen?

The error message should either state that there should be only one DigitalSignature key usage or mention the specific key usages that the certificate actually has and should not exist, instead of all of them.

How can we reproduce it?

sign with a certificate that has unnecessary key usages

Describe your environment

Linux

What is the version of your notation-core-go Library?

v1.0.0

What is the areas you would like to add the new feature to?

Notation Core Go

Is your feature request related to a problem?

The current content of the CODEOWERS file does not list the actual owners and points to a Team on GitHub. This does not provide enough visibility who the owners are.

What solution do you propose?

The proposal is to create a seed list of maintainers for each repository (aka considered sub-project) under the Notary Project organization and update the CODEOWNERS and MAINTAINERS files for each repository with that list. As per the current governance document:

Potential new maintainers should be ongoing active participants in the project

Hence, I propose that repo maintainers are proposed from the list of currently active participants in the Notary community by selecting them from the list of code contributors for the last 3-6 months or meeting participants as per the meeting notes.

I also propose to nominate individual maintainers in separate issues and put for a vote by the active participants' community.

What alternatives have you considered?

None

Any additional context?

No response

In line 67 of the code, if i == 0 which is the leaf cert, the error message still says that it is the intermediate certificate, so the error message may not right. It may need to return the CommonName of the cert to help use identify the invalid cert.

Create a bug report template for notation-core-go, so that the bug can be reported with necessary information included.

Background

In the PR, we introduced VerificationPlugin and VerificationPluginMinVersion to the SignRequest to support validate them in the notation-core-go.

Problem

1. As specified in specs: Extended attributes for Notation Plugins and Extended Protected Headers for Notation Plugins, VerificationPlugin and VerificationPluginMinVersion should be placed inside the ExtendedSignedAttrs of SignRequest.
2. For the validation, according to Verification workflow using plugin, we can see that it's reasonable to group version validation and capability validation together once we retrieve the plugin metadata. However, current implementation puts version validation in notation-core-go and capability validation in notation-go. Besides it, part of version validation is placed in notation-go which made reviewers confused on the validation workflow.

Proposed refactoring

1. Move VerificationPlugin and VerificationPluginMinVersion to ExtendedSignedAttrs of SignRequest.
2. Move all version validation logics to notation-go, specifically version validation

In the revocation package, a Hash must be specified for the OCSP request. We currently default to SHA256. However, we may consider a future improvement to specify a different algorithm that is determined by the algorithm used to sign the certificate.

The go-cose project is pending a 1.0.0 release
Before cutting the release, they (me) are asking for dependent projects to confirm confidence in the current 1.0.0-rc.1 release before cutting the 1.0.0 release.

Have we completed our testing for notary cose support? Once we have, we would add a +1 from notary on the Create 1.0.0 Release #98 issue

Go 1.22 is released with release notes!

It is time to shift the window for go support to [1.21, 1.22].

Picking a new version of notation-core-go for building v0.2.0-beta.1 release.

• Decide on main commit for a release
• Cut branch named v0.2.0-beta.1 based on agreed upon main commit
• Cut a tag named v0.2.0-beta.1

/cc: @dtzar @iamsamirzon @FeynmanZhou @shizhMSFT @vaninrao10

Apply notaryproject/notation#267 to notation-core-go

Go 1.19 is released with release notes!

It is time to shift the window for go support to [1.18, 1.19] by updating

• go. mod
• GitHub Actions

The errors returned in cert_validations.go can sometimes be very long and may not be easily understood, for example:

invalid certificates or certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\" is not issued by \"CN=Notation Test Revokable RSA Chain Cert 4,O=Notary,L=Seattle,ST=WA,C=US\". Error: x509: invalid signature: parent certificate cannot sign this kind of certificate

We should look into returning errors with messages that are more understandable and not as long, which will help with readability. Below are some suggestions for improvements:

In the above example, we should programmatically differentiate between an invalid certificate or an incorrect issuer. This will improve the understandability of the unnecessary "or" at the beginning.

Additionally, we should consider alternatives for including the entire subject (maybe only CN and O, or referencing the numerical position of the cert in the chain)

Lastly, we should not include "Error: " when wrapping errors from other functions, only the error message

Is your feature request related to a problem?

This is an issue to track the license checker version updates (in case dependabot does not detect a new release automatically).
Current workflow uses a commit hash of skywalking-eyes to fix the weak-compatible issue of notation-core-go. Related PR: #170
This issue can be resolved when skywalking-eyes releases its next version with the fix included.

What solution do you propose?

n/a

What alternatives have you considered?

n/a

Any additional context?

No response

Release

This would mean tagging c834adc as v1.0.1 to release.

Vote

We need at least 4 approvals from 6 maintainers to release notation-core-go v1.0.1.

• Junjie Gao (@JeyJeyGao)
• Milind Gokarn (@gokarnm)
• Patrick Zheng (@Two-Hearts)
• Pritesh Bandi (@priteshbandi)
• Rakesh Gariganti (@rgnote)
• Shiwei Zhang (@shizhMSFT)

Changes

The code changes compared to v1.0.0 include:

• #162
• #160
• #163
• #167
• #169

Full Changelog: v1.0.0...c834adc

Action Requested

Please respond LGTM or REJECT (with reasoning).

What is not working as expected?

Eg.https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md response 404, because of the notation spec had been moved to "specs" dir.

What did you expect to happen?

Update the spec links to the latest.

How can we reproduce it?

Update
https://github.com/notaryproject/notaryproject/blob/main/xxx.md to https://github.com/notaryproject/notaryproject/blob/main/specs/xxx.md
and
https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md to https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md

Describe your environment

N/A

What is the version of your notation-core-go Library?

N/A

Spec: https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#crls

Note: For start we can Indirect CRL and can be implemented as step 2.

The package signer is tightly coupled with JWS signature envelope. To support other signature envelopes (e.g. COSE) in the future, we need to decouple the logic in the package signer at least into the following sub packages:

• jws: Process the SignRequest and generate JWS signature envelope. Parse and verify JWS signature envelope.
• cose: Process the SignRequest and generate COSE signature envelope. Parse and verify COSE signature envelope.
• envelope: Common logic on processing all kinds of envelopes (e.g. JWS, COSE).

Proposals can be found at

• notaryproject/notation#278

This issue outlines how the core revocation functionality will be built into notation-core-go, and how it will be integrated with notation-go. This additional functionality will provide a mechanism to check the revocation status of certificates in a way that can be easily integrated into other projects, and to conduct revocation checks as part of the Verify process.

These changes will address the following issue:

• Implement OCSP Support (#124)

CRL Support will not be implemented until later.

The outlined mechanisms are based upon previously defined specifications (https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#certificate-revocation-evaluation) as well as some ideas from existing solutions (https://pkg.go.dev/github.com/cloudflare/cfssl/revoke and https://github.com/grpc/grpc-go/blob/52ca9571068d/security/advancedtls/crl.go) that don’t fully match our use case.

Implementation is planned to be completed in two PRs. The first will introduce the revocation package in notation-core-go. The second PR will follow, which will incorporate the revocation package into notation-go. These sections are separated by a horizontal line.

Notation-core-go

The following will be added as a new package within the x509 package via a new file, revocation.go:

// Internal struct
type revocation struct {
    httpClient            *http.Client
    ocspTimeoutThreshold  time.Duration
}

// Options struct
// Users can specify any options they want for constructing a revocation object
// If an option is unspecified or nil, a default value will be assigned in the NewRevocation function
type RevocationOptions struct {
    ocspTimeoutThreshold  time.Duration
}

// Constructor to return a revocation object that substitutes default values for any that are passed as nil
func NewRevocation(httpClient *http.Client, options RevocationOptions) *revocation


// Errors:
// RevokedInOCSPError is returned when the certificate's status for OCSP is ocsp.Revoked (or ocsp.Unknown?)
type RevokedInOCSPError struct{}
func (e RevokedInOCSPError) Error() string {
    return "certificate is revoked via OCSP"
}

// CheckOCSPError is returned when there is an error during the OCSP revocation check, not necessarily a revocation
type CheckOCSPError struct {
    Err error
}
func (e CheckOCSPError) Error() string {
    if e.Err != nil {
        return fmt.Sprintf("error checking revocation via OCSP: %s", e.Err.Error())
    } else {
        return "error checking revocation via OCSP"
    }
}

// NoOCSPServerError is returned when the OCSPServer is not specified or is not an HTTP URL.
type NoOCSPServerError struct{}
func (e NoOCSPServerError) Error() string {
    return "no valid OCSPServer found"
}

// OCSPTimeoutError is returned when the connection attempt to a OCSP URL exceeds the specified threshold
type OCSPTimeoutError struct{}
func (e OCSPTimeoutError) Error() string {
    return "exceeded timeout threshold for OCSP check"
}

// It may be necessary to add other errors to the ones specified as new errors/results are discovered during development

// Methods:
// Checks OCSP, then CRL status, returns nil if all certs in the chain are not revoked
// If any are revoked, it will return one of the defined errors in this file
// If there is some other error, it will return that error
// NOTE: Will only perform OCSP until CRL is implemented
func (r *revocation) Validate(certChain []*x509.Certificate) (error)

// Only checks OCSP, same returns as above
func (r *revocation) OCSPStatus(certChain []*x509.Certificate) (error)

Since testing this will require validating against OCSP server responses, a mock client needs to be created to mock these responses. This will be added to the testhelper package in a new file named httptest.go:

// Creates a mock HTTP Client (more accurately, a spy) that intercepts requests to /issuer and /ocsp endpoints
// The client's responses are dependent on the cert and desiredOCSPStatus
func MockClient(cert *x509.Certificate, key *rsa.PrivateKey, desiredOCSPStatus ocsp.ResponseStatus) *http.Client

In addition to the mocked client, we will also need a new test certificate that specifies an OCSPServer in the certificate template. This value will be necessary to confirm revocation status with the mocked client. The following will be added to the testhelper package in the existing certificatetest.go file:

var revokableRSALeaf RSACertTuple

// GetRevokableRSALeafCertificate returns leaf certificate that specifies a local OCSPServer signed using RSA algorithm
func GetRevokableRSALeafCertificate() RSACertTuple

Notation-go

The following will be added/modified in the verifier package within the existing verifier.go file:

// Since a section has already been added to Verify as a placeholder for revocation, it will be modified to incorporate the verifyRevocation function
func (v *verifier) Verify(ctx context.Context, desc ocispec.Descriptor, signature []byte, opts notation.VerifyOptions) (*notation.VerificationOutcome, error)

// The verifyRevocation function will use the revocation.Validate() function defined in notation-core-go to verify the revocation status
func verifyRevocation(outcome *notation.VerificationOutcome) *notation.ValidationResult

TypeRevocation has already been added to the ValidationTypes in the trustpolicy, so no change is needed there.

This repo is Notation library, we should update references from Notary v2 to Notation.
Here is a search Notary v2 in this repo https://github.com/notaryproject/notation-core-go/search?q=%22Notary+v2%22&type=code

Fix the references in code only

Summary

During code review, some dead codes were identified, which need to be removed.

Is your feature request related to a problem?

Consider if notation-core-go needs dependency license checking and reporting

What solution do you propose?

Consider adding dependency license checking and reporting similar to notaryproject/notation#706

What alternatives have you considered?

If notation-core-go does not require/need this, clearly document in README or other public location

Any additional context?

No response

The error message for validate certificate is not returned. Here is code.

The subject.CheckSignatureFrom may return an error and the error message is not returned, which will finally cause an inaccurate error.

After reviewing the branch policies for the repository, it seems that the main and release branches can benefit with more strict push and PR review policies. I would like to propose updating those as follows:
Note: @SteveLasker updated to checkboxes to indicate the current status as some rules were already in place.

• Follow naming convention release/<release-number> for release branches. Example release/rc.1
• Use the following rules for main and release/* branches:
  • Require PR before merging
  • Require 3 approvals
  • Dismiss stale PR approvals when new commits are pushed
  • Require review from Code Owners
  • Require status checks to pass before merging
  • Require conversation resolution before merging
  • Require signed commits
  • Do not allow bypass the above settings

Please add your comments and proposals for additional changes to this issue.

Spec: https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#ocsp

Release

This would mean tagging 2bc927b as v1.0.2 to release.

Vote

We need at least 4 approvals from 6 maintainers to release notation-core-go v1.0.2.

• Junjie Gao (@JeyJeyGao)
• Milind Gokarn (@gokarnm)
• Patrick Zheng (@Two-Hearts)
• Pritesh Bandi (@priteshbandi)
• Rakesh Gariganti (@rgnote)
• Shiwei Zhang (@shizhMSFT)

Changes

The code changes compared to v1.0.1 include:

• fix: fix license dependency check workflow by @Two-Hearts in #170
• build(deps): bump golang.org/x/crypto from 0.14.0 to 0.15.0 by @dependabot in #172
• doc: update README to align with the new project brand by @FeynmanZhou in #158
• chore: invalid signing time prompt improvement by @fanndu in #173
• build(deps): bump golang.org/x/crypto from 0.15.0 to 0.16.0 by @dependabot in #175
• build(deps): bump actions/setup-go from 4 to 5 by @dependabot in #177
• build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #180
• build(deps): bump github/codeql-action from 2 to 3 by @dependabot in #179
• Updated the maintainers and codeowners files by @toddysm in #183
• build(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0 by @dependabot in #184

Full Changelog: v1.0.1...2bc927b

Action Requested

Please respond LGTM or REJECT (with reasoning).

go-cose will cut a v1.0.0-rc.2 release after resolving veraison/go-cose#110.

We need to make sure that the implementation to veraison/go-cose#110 works with notation-core-go before the release cut.

Make sure every PR has passed unit tests present in the repository. It's ok to copy the existing template from notation-go.

Can we avoid the caller having to calculate and set Signature alg, instead derive it from a key spec provided through SignatureProvider interface?

Originally posted by @gokarnm in #15 (comment)

Is your feature request related to a problem?

I propose to update the README.md file for the repository with the following information:

• link to the overview of the organization
• purpose of the repository
• is it in active development or not, is it archived or not, any reasons for that
• links to relevant documentation (security audits, web site, design documents, etc.)

What solution do you propose?

N/A

What alternatives have you considered?

N/A

Any additional context?

No response

Picking a new version of notation-core-go for building Alpha-4 release.

• Decide on main commit for a release
• Cut branch named v0.1.0-alpha.4 based on agreed upon main commit
• Cut a tag named v0.1.0-alpha.4

@SteveLasker @gokarnm @iamsamirzon @FeynmanZh @vaninrao10