Release plugin binary in a compressed package

[yizha1]

BUSINESS PROBLEM

Currently, the notation venafi plugin was released in a single binary format, for example, notation-venafi-csp-linux-amd64 in release page. There are several issues with this format:

• The name of the binary is not the plugin name (venafi-csp). According to Notation plugin spec, there is a contract between plugin name and binary/executable name. So, users need to rename the binary after it is downloaded to make it work, for example, the binary name is notation-venafi-csp on Linux OS
• Notation plugin spec requires the plugin as an executable, for Windows OS, it requires .exe as file extension, for Linux OS, the binary should have execute permission. The current notation-venafi plugin requires users to chmod +x after plugin was downloaded.
• Normally the size of the binary file is megabytes, which many impact the downloading time
• Plugin vendor may need to include other files like a license file in a release

PROPOSED SOLUTION

The solution is to release plugin binary in a compressed package, for example, notation-venafi-csp_0.2.0-beta_linux_amd64.tar.gz for Linux/amd64. An example structure of this package file

On Linux, notation-venafi-csp_0.2.0-beta_linux_amd64.tar.gz |- notation-venafi-csp (with execute permission) |- LICENSE (optional)

On Windows, notation-venafi-csp_0.2.0-beta_windows_amd64.zip |- notation-venafi-csp.exe |- LICENSE (optional)

With this package,

• Plugin vendor can use the right name for plugin executable, for example notation-venafi-csp for Linux OS.
• The plugin executable can be set with execute permission for different OS
• The size of file that users download can be smaller
• Plugin vendor can include other files in the package as part of the release

Additionally, Notation v1.1.0 will release a new set of commands for plugin management. User can install the plugin easily without the need to remember the right name for directory and file name and other manual work, for example:

notation plugin install --url "https://github.com/Venafi/notation-venafi-csp/releases/download/v0.2.0-beta/notation-venafi-csp_v0.2.0-beta_linux_amd64.tar.gz --sha256sum <SHA256>

Users can download the plugin package file first, and then run

notation plugin install --file "notation-venafi-csp_v0.2.0-beta_linux_amd64.tar.gz"

See an example release page for Notation AKV plugin.

CURRENT ALTERNATIVES

VENAFI EXPERIENCE

/cc: @zosocanuck

[FeynmanZhou]

Hi @zosocanuck ,

I tested the v0.3.0 release (notation-venafi-csp_linux_amd64.tar.gz) with notation CLI v1.1.0 (main branch). The installation still fails due to a dependency GLIBC_2.32 is not found from the plugin. Would you mind looking into this problem and make sure all required dependencies are included in the plugin file?

$ notation plugin install --file notation-venafi-csp-linux-amd64.tar.gz
Error: plugin installation failed: failed to execute the get-plugin-metadata command for plugin venafi-csp: /tmp/notation-plugin731594793/notation-venafi-csp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /tmp/notation-plugin731594793/notation-venafi-csp)
/tmp/notation-plugin731594793/notation-venafi-csp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by /tmp/notation-plugin731594793/notation-venafi-csp).
Please ensure that the plugin executable file is intact and compatible with linux/amd64. Contact the plugin publisher for further assistance.

In addition, the checksum file is not published yet. I would suggest @zosocanuck publish a checksum (SHA256SUM ) file on the GitHub release page. Users will be able to install the Venafi plugin from an URL.

You can reproduce this installation problem and test the new release using the latest build of Notation CLI by following this guide.

Let me know if you updated the release assets. Thanks.

[FeynmanZhou]

The venafi plugin v0.3.0 installation works with Notation v1.1.0. I just tested it on my Ubuntu machine. Now we can close this issue.

$ notation plugin install --url https://github.com/Venafi/notation-venafi-csp/releases/download/v0.3.0/notation-venafi-csp-linux-amd64.tar.gz --sha256sum 03771794643f18c286b6db3a25a4d0b8e7c401e685b1e95a19f03c9356344f5a

Successfully installed plugin venafi-csp, version 0.3.0-release

$ notation plugin ls
NAME                                   DESCRIPTION                                           VERSION         CAPABILITIES                                                                                             ERROR
azure-kv                               Notation Azure Key Vault plugin                       1.0.1           [SIGNATURE_GENERATOR.RAW]                                                                                <nil>
com.amazonaws.signer.notation.plugin   AWS Signer plugin for Notation                        1.0.298         [SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK]   <nil>
venafi-csp                             Sign artifacts with keys in Venafi CodeSign Protect   0.3.0-release   [SIGNATURE_GENERATOR.ENVELOPE SIGNATURE_VERIFIER.TRUSTED_IDENTITY SIGNATURE_VERIFIER.REVOCATION_CHECK]   <nil>

[zosocanuck]

@FeynmanZhou Thank you for validating this. I will close this issue.