fix: fixed sign with multiple plugin_config (#24)

notaryproject · Aug 4, 2023 · 9b1ca53 · 9b1ca53
1 parent 6b88aa6
commit 9b1ca53
Show file tree

Hide file tree

Showing 10 changed files with 117 additions and 34 deletions.
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ For example,
     key_id: <key_identifier_to_sign>
     target_artifact_reference: <target_artifact_reference_in_remote_registry>
     signature_format: <signature_envelope_format>
-    plugin_config: <plugin_defined_config>
+    plugin_config: <list_of_plugin_defined_configs>
 ```
 For example,
 ```yaml
@@ -45,7 +45,9 @@ For example,
     key_id: https://testnotationakv.vault.azure.net/keys/notationLeafCert/c585b8ad8fc542b28e41e555d9b3a1fd
     target_artifact_reference: myRegistry.azurecr.io/myRepo@sha256:aaabbb
     signature_format: cose
-    plugin_config: ca_certs=.github/cert-bundle/cert-bundle.crt
+    plugin_config: |-
+      ca_certs=.github/cert-bundle/cert-bundle.crt
+      self_signed=false
 ```
 ### Notation: Verify
 ```yaml

diff --git a/dist/lib/checksum.js b/dist/lib/checksum.js
diff --git a/dist/lib/install.js b/dist/lib/install.js
diff --git a/dist/setup.js b/dist/setup.js
diff --git a/dist/sign.js b/dist/sign.js
diff --git a/dist/sign.js.map b/dist/sign.js.map
diff --git a/dist/verify.js b/dist/verify.js
diff --git a/sign/action.yml b/sign/action.yml
@@ -27,18 +27,18 @@ inputs:
     description: SHA256 of the signing plugin
     required: true
   key_id:
-    description: Key identifier for the signing key pair from the plugin
+    description: key identifier for the signing key pair from the plugin
     required: true
   target_artifact_reference:
-     description: 'Reference of the target artifact to be signed. <registry>/<repo>@<digest>'
-     required: true
+    description: reference of the target artifact to be signed. <registry>/<repo>@<digest>
+    required: true
   signature_format:
-     description: 'signature envelope format, options: jws, cose'
-     required: false
-     default: jws
+    description: 'signature envelope format, options: jws, cose'
+    required: false
+    default: jws
   plugin_config:
-     description: 'plugin config for signing with the plugin'
-     required: false
+    description: list of {key}={value} pairs that are passed as it is to the signing plugin
+    required: false
 runs:
   using: node16
   main: ../dist/sign.js
diff --git a/src/sign.ts b/src/sign.ts
@@ -32,22 +32,15 @@ async function sign(): Promise<void> {
         // inputs from user
         const key_id = core.getInput('key_id');
         const plugin_config = core.getInput('plugin_config');
+        const pluginConfigList = getPluginConfigList(plugin_config);
         const target_artifact_ref = core.getInput('target_artifact_reference');
         const signature_format = core.getInput('signature_format');
 
         // sign core process
         if (process.env.NOTATION_EXPERIMENTAL) {
-            if (plugin_config) {
-                await exec.getExecOutput('notation', ['sign', '--allow-referrers-api', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, `--plugin-config=${plugin_config}`, target_artifact_ref]);
-            } else {
-                await exec.getExecOutput('notation', ['sign', '--allow-referrers-api', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, target_artifact_ref]);
-            }
+            await exec.getExecOutput('notation', ['sign', '--allow-referrers-api', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, ...pluginConfigList, target_artifact_ref]);
         } else {
-            if (plugin_config) {
-                await exec.getExecOutput('notation', ['sign', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, `--plugin-config=${plugin_config}`, target_artifact_ref]);
-            } else {
-                await exec.getExecOutput('notation', ['sign', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, target_artifact_ref]);
-            }
+            await exec.getExecOutput('notation', ['sign', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, ...pluginConfigList, target_artifact_ref]);
         }
     } catch (e: unknown) {
         if (e instanceof Error) {
@@ -89,6 +82,20 @@ async function setupPlugin() {
     }
 }
 
+function getPluginConfigList(pluginConfig: string): string[] {
+    if (!pluginConfig) {
+        return [];
+    }
+    let pluginConfigList: string[] = [];
+    for (let config of pluginConfig.split(/\r|\n/)) {
+        config = config.trim();
+        if (config) {
+            pluginConfigList.push("--plugin-config=" + config); 
+        }
+    }
+    return pluginConfigList;
+}
+
 export = sign;
 
 if (require.main === module) {

diff --git a/tsconfig.json b/tsconfig.json
@@ -4,7 +4,7 @@
       "module": "commonjs",                        /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
       "strict": true,                              /* Enable all strict type-checking options. */
       "sourceMap": true,                           /* Generates corresponding '.map' file. */
-      "outDir": "./dist",                           /* Redirect output structure to the directory. */
+      "outDir": "./dist",                          /* Redirect output structure to the directory. */
       "rootDir": "./src",                          /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
       "forceConsistentCasingInFileNames": true,    /* Ensure that casing is correct in imports. */
       "skipLibCheck": true,                        /* Skip type checking all .d.ts files. */