@northtyphoon
Last active January 23, 2024 16:56

Test notary v2

Start local test registry on localhost:5000

docker run --rm -d -p 5000:5000 -v "$(pwd)"/registry:/var/lib/registry --name registry ghcr.io/oras-project/registry:latest

Install oras

oras_version=0.11.22-alpha
oras_release_account=juliusl
curl -LO https://github.com/${oras_release_account}/oras/releases/download/v${oras_version}/oras_${oras_version}_linux_amd64.tar.gz
mkdir -p oras-install/
tar -zxf oras_${oras_version}_*.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_${oras_version}_*.tar.gz oras-install/

Install notation

notation_version=0.7.0-alpha.1
notation_release_account=notaryproject
curl -LO https://github.com/${notation_release_account}/notation/releases/download/v${notation_version}/notation_${notation_version}_linux_amd64.tar.gz
mkdir -p notation-install/
tar -zxf notation_${notation_version}_*.tar.gz -C notation-install/
sudo mv notation-install/notation /usr/local/bin/
mkdir -p ~/.docker/cli-plugins/
mv notation-install/docker-notation notation-install/docker-generate ~/.docker/cli-plugins/
rm -rf notation_${notation_version}_*.tar.gz notation-install/

Test

Push a test image

registry=localhost:5000
docker pull hello-world:latest
docker tag hello-world:latest ${registry}/hello-world:latest
docker push ${registry}/hello-world:latest

Try to find the references to the test image; expect an empty result

oras discover -o json ${registry}/hello-world:latest

Sign the image and push the signature

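# Generate a self-signed test key and certificate, make the key the default signing key, and trust the certificate for verification
notation cert generate-test --default --trust "dev"
# --plain-http: the local test registry is served over HTTP, not TLS
notation sign --plain-http --push ${registry}/hello-world:latest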

Push the same signature using oras, just for testing purposes; it will generate a different manifest

image_digest=$(oras discover -o json ${registry}/hello-world:latest | jq -r .digest)
sig_file=$(find ~/.cache/notation/signature/sha256/ -name "*.sig" | grep "${image_digest#*sha256:}" | head -n 1)
sig_file_folder=$(dirname "$sig_file")
sig_file_name=$(basename "$sig_file")
pushd "${sig_file_folder}"
oras push ${registry}/hello-world --artifact-type application/vnd.cncf.notary.v2 --subject ${registry}/hello-world:latest "${sig_file_name}:application/vnd.cncf.notary.signature.v2+jws"
popd

Find the signature for the test image

oras discover -o json ${registry}/hello-world:latest
curl "http://${registry}/oras/artifacts/v1/hello-world/manifests/${image_digest}/referrers?artifactType=application%2Fvnd.cncf.notary.v2" | jq

Copy the test image and its signatures to another repository

oras copy -r ${registry}/hello-world:latest ${registry}/hello-world-2:latest

Find the signature for the new image

oras discover -o json ${registry}/hello-world-2:latest
curl "http://${registry}/oras/artifacts/v1/hello-world-2/manifests/${image_digest}/referrers?artifactType=application%2Fvnd.cncf.notary.v2" | jq
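
As an added check that is not part of the original gist, the script below compares the notary v2 referrers of the source and destination repositories, so a signature dropped by `oras copy -r` shows up as a failure instead of being spotted by eye. The function names, exit codes and sample JSON are constructed for illustration, and it assumes each referrer in the response is a descriptor with a `digest` field.

```shell
#!/bin/sh
# Added example (not from the gist): confirm `oras copy -r` carried every signature.
registry=${registry:-localhost:5000}

# Fetch the notary v2 referrers of REPO ($1) at DIGEST ($2), same endpoint as the curl calls above.
referrers() {
  curl -fsS "http://${registry}/oras/artifacts/v1/$1/manifests/$2/referrers?artifactType=application%2Fvnd.cncf.notary.v2"
}

# Read a referrers response on stdin; print its unique signature manifest digests.
# Assumption: every referrer is a descriptor carrying a "digest" field.
referrer_digests() {
  grep -oE '"digest"[[:space:]]*:[[:space:]]*"sha256:[0-9a-f]{64}"' \
    | grep -oE 'sha256:[0-9a-f]{64}' | sort -u
}

# missing_signatures SRC_JSON DST_JSON
# Prints the source digests that are absent from the destination.
# Returns 0 = all copied, 1 = some missing, 2 = source unsigned (a vacuous pass is refused).
missing_signatures() {
  src=$(printf '%s' "$1" | referrer_digests)
  dst=$(printf '%s' "$2" | referrer_digests)
  [ -n "$src" ] || { echo "source has no signatures" >&2; return 2; }
  rc=0
  for d in $src; do
    printf '%s\n' "$dst" | grep -Fxq -- "$d" || { echo "$d"; rc=1; }
  done
  return $rc
}

# Constructed sample: the source carries two signature manifests (the notation
# push and the oras push above); the destination received only one of them.
hex64() { printf '%064d' 0 | tr 0 "$1"; }
desc() { printf '{"digest":"%s","artifactType":"application/vnd.cncf.notary.v2"}' "$1"; }
sig_a="sha256:$(hex64 a)"
sig_b="sha256:$(hex64 b)"
sample_src="{\"referrers\":[$(desc "$sig_a"),$(desc "$sig_b")]}"
sample_dst="{\"referrers\":[$(desc "$sig_a")]}"
missing_signatures "$sample_src" "$sample_dst" || echo "copy incomplete (exit $?)"

# Live use against the registry from this page:
#   missing_signatures "$(referrers hello-world "$image_digest")" \
#                      "$(referrers hello-world-2 "$image_digest")"
```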