updated timestamping

Signed-off-by: Patrick Zheng <[email protected]>
notaryproject · Jul 1, 2024 · 938762e · 938762e
1 parent 13006ce
commit 938762e
Show file tree

Hide file tree

Showing 9 changed files with 109 additions and 75 deletions.
diff --git a/example_signWithTimestmap_test.go b/example_signWithTimestmap_test.go
@@ -101,13 +101,15 @@ gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 	if err != nil {
 		panic("failed to parse tsa root certificate: " + err.Error())
 	}
+	tsaRootCAs := x509.NewCertPool()
+	tsaRootCAs.AddCert(tsaRootCert)
 
 	// exampleSignOptions is an example of notation.SignOptions.
 	exampleSignOptions := notation.SignOptions{
 		SignerSignOptions: notation.SignerSignOptions{
 			SignatureMediaType: exampleSignatureMediaType,
 			TSAServerURL:       exampleRFC3161TSAServer,
-			TSARootCertificate: tsaRootCert,
+			TSARootCAs:         tsaRootCAs,
 		},
 		ArtifactReference: exampleArtifactReference,
 	}

diff --git a/go.mod b/go.mod
@@ -17,12 +17,14 @@ require (
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 )
 
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e
+
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172
diff --git a/go.sum b/go.sum
@@ -1,14 +1,16 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315 h1:8wDwsk1Rcs+7dmFFlSNzmj2tgBmD0m/vjjVh6eaozcM=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240627051425-a24facd24315/go.mod h1:4b60hxCB4gB0q1K2QRxycj0TGhLvylSSR1RWCG0ilYs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e h1:yDGu0wnuX+3xSDLXeIPV751jaBaTjMjcpVz5NwTypm4=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e/go.mod h1:hXbhc81hiH9tQOZ4w5pI+Z83y8qhpXKbsLXHWA/74TE=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 h1:ME+WMRNcucfmJ9Le8eCtdV1gR3Xc8ve6Ab/cPnN/z48=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
-github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
@@ -36,8 +38,6 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe h1:1psX5fHzB0ZGshHkaGlERh0eBX4EapizcVyQwX+YydE=
-github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=

diff --git a/notation.go b/notation.go
@@ -66,8 +66,8 @@ type SignerSignOptions struct {
 	// TSAServerURL denotes the TSA server URL
 	TSAServerURL string
 
-	// TSARootCertificate denotes the TSA trust anchor
-	TSARootCertificate *x509.Certificate
+	// TSARootCAs is the cert pool holding caller's TSA trust anchor
+	TSARootCAs *x509.CertPool
 }
 
 // Signer is a generic interface for signing an OCI artifact.
@@ -91,11 +91,12 @@ type SignBlobOptions struct {
 
 // BlobDescriptorGenerator creates descriptor using the digest Algorithm.
 // Below is the example of minimal descriptor, it must contain mediatype, digest and size of the artifact
-// {
-//    "mediaType": "application/octet-stream",
-//    "digest": "sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345",
-//    "size": 1024
-// }
+//
+//	{
+//	   "mediaType": "application/octet-stream",
+//	   "digest": "sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345",
+//	   "size": 1024
+//	}
 type BlobDescriptorGenerator func(digest.Algorithm) (ocispec.Descriptor, error)
 
 // BlobSigner is a generic interface for signing arbitrary data.

diff --git a/signer/signer.go b/signer/signer.go
@@ -118,12 +118,12 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 			ContentType: envelope.MediaTypePayloadV1,
 			Content:     payloadBytes,
 		},
-		Signer:             s.signer,
-		SigningTime:        time.Now(),
-		SigningScheme:      signature.SigningSchemeX509,
-		SigningAgent:       signingAgentId,
-		TSAServerURL:       opts.TSAServerURL,
-		TSARootCertificate: opts.TSARootCertificate,
+		Signer:        s.signer,
+		SigningTime:   time.Now(),
+		SigningScheme: signature.SigningSchemeX509,
+		SigningAgent:  signingAgentId,
+		TSAServerURL:  opts.TSAServerURL,
+		TSARootCAs:    opts.TSARootCAs,
 	}
 
 	// Add expiry only if ExpiryDuration is not zero