Skip to content

Commit d3a06c9

Browse files
authored
fix(notation): Decouple Signature trust UI processing from scanning (#4178)
* fix(notation): Decouple Signature trust UI processing from scanning Signed-off-by: Felix Rubio <felix@kngnt.org> * fix(notation): Fixed broken unit test, fixed use of loop variable references within loop. Signed-off-by: Felix Rubio <felix@kngnt.org> * fix(notation): After review commit. Signed-off-by: Felix Rubio <felix@kngnt.org> * fix(notation): Fix lint error. Signed-off-by: Felix Rubio <felix@kngnt.org> --------- Signed-off-by: Felix Rubio <felix@kngnt.org>
1 parent 390d91c commit d3a06c9

5 files changed

Lines changed: 11 additions & 24 deletions

File tree

pkg/extensions/search/convert/convert_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -186,7 +186,7 @@ func TestGetSignaturesInfo(t *testing.T) {
186186
signaturesSummary := convert.GetSignaturesInfo(true, signatures[digest.String()])
187187
So(signaturesSummary, ShouldNotBeEmpty)
188188
So(*signaturesSummary[0].Author, ShouldEqual, "author")
189-
So(*signaturesSummary[0].IsTrusted, ShouldEqual, false)
189+
So(*signaturesSummary[0].IsTrusted, ShouldEqual, true)
190190
So(*signaturesSummary[0].Tool, ShouldEqual, "notation")
191191
})
192192
}

pkg/extensions/search/convert/metadb.go

Lines changed: 4 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -263,26 +263,10 @@ func GetSignaturesInfo(isSigned bool, signatures mTypes.ManifestSignatures) []*g
263263
for sigType, signatures := range signatures {
264264
for _, sig := range signatures {
265265
for _, layer := range sig.LayersInfo {
266-
var (
267-
isTrusted bool
268-
author string
269-
tool string
270-
)
271-
272-
if layer.Signer != "" {
273-
author = layer.Signer
274-
275-
if !layer.Date.IsZero() && time.Now().After(layer.Date) {
276-
isTrusted = false
277-
} else {
278-
isTrusted = true
279-
}
280-
} else {
281-
isTrusted = false
282-
author = ""
283-
}
284-
285-
tool = sigType
266+
// Signer is only set by UpdateSignaturesValidity when VerifySignature succeeds, so empty Signer means untrusted.
267+
tool := sigType
268+
author := layer.Signer
269+
isTrusted := author != ""
286270

287271
signaturesInfo = append(signaturesInfo,
288272
&gql_generated.SignatureSummary{Tool: &tool, IsTrusted: &isTrusted, Author: &author})

pkg/meta/boltdb/boltdb.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1398,10 +1398,11 @@ func (bdw *BoltDB) UpdateSignaturesValidity(ctx context.Context, repo string, ma
13981398

13991399
if isTrusted {
14001400
layerInfo.Signer = author
1401+
} else {
1402+
layerInfo.Signer = ""
14011403
}
14021404

14031405
if !date.IsZero() {
1404-
layerInfo.Signer = author
14051406
layerInfo.Date = timestamppb.New(date)
14061407
}
14071408

pkg/meta/dynamodb/dynamodb.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1314,10 +1314,11 @@ func (dwr *DynamoDB) UpdateSignaturesValidity(ctx context.Context, repo string,
13141314

13151315
if isTrusted {
13161316
layerInfo.Signer = author
1317+
} else {
1318+
layerInfo.Signer = ""
13171319
}
13181320

13191321
if !date.IsZero() {
1320-
layerInfo.Signer = author
13211322
layerInfo.Date = timestamppb.New(date)
13221323
}
13231324

pkg/meta/redis/redis.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1532,10 +1532,11 @@ func (rc *RedisDB) UpdateSignaturesValidity(ctx context.Context, repo string, ma
15321532

15331533
if isTrusted {
15341534
layerInfo.Signer = author
1535+
} else {
1536+
layerInfo.Signer = ""
15351537
}
15361538

15371539
if !date.IsZero() {
1538-
layerInfo.Signer = author
15391540
layerInfo.Date = timestamppb.New(date)
15401541
}
15411542

0 commit comments

Comments
 (0)