notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

`notary verify` not responding. #1541

Open waveywaves opened 4 years ago

waveywaves commented 4 years ago

I have created a collection, added a target to the collection and am able to list it or look it up successfully with the commands below.

$ notary init example.com/collection
$ notary add example.com/collection chart1 wordpress-8.0.1.tgz
$ notary list example.com/collection
$ notary lookup example.com/collection chart1

Apart from that, the verify subcommand doesn't seem to be responding properly.

$ notary verify example.com/collection chart1 

Upon trying to debug, the command seems to get stuck and not exit. This seems like a bug to me.

$ notary verify example.com/collection chart1  -D
DEBU[0000] Using the following trust directory: /root/.notary

I am guessing this might be because I haven't provided anything to the command to verify the target against but if that is the case the command should exit and I should be getting an error back. From the looks of it, the server is not being called after running this command.

chaospuppy commented 3 years ago

Yeah, one year on and the notary verify subcommand does nothing.

iamasmith commented 1 year ago

This is really lacking in explanation but it does actually work.

The help from the verify command states..

skopeo-test:/# notary verify --help
Verifies if the data passed in STDIN is included in the remote trusted collection identified by the Globally Unique Name.
...

So it's expecting input.. but what? It actually wants the raw manifest for the image to be passed so that it can checksum the image and verify it against the repo.

One can also pass a -i parameter to load that from a file but here's an example showing how to verify the latest Alpine image from docker hub using the skopeo command to retrieve the raw image manifest and pass that to skopeo (I added the debug flag so you can see that it IS actually doing something).

skopeo-test:/# skopeo inspect docker://alpine:latest --raw | notary verify -s https://notary.docker.io docker.io/library/alpine latest -D && echo -e "\nPassed"
DEBU[0000] Configuration file not found, using defaults
DEBU[0000] Using the following trust directory: /root/.notary
DEBU[0001] No yubikey found, using alternative key storage: no library found
DEBU[0001] Making dir path: /root/.notary/tuf/docker.io/library/alpine/changelist
DEBU[0001] entered ValidateRoot with dns: docker.io/library/alpine
DEBU[0001] found the following root keys: [a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce]
DEBU[0001] found 1 valid leaf certificates for docker.io/library/alpine: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] found 1 leaf certs, of which 1 are valid leaf certs for docker.io/library/alpine
DEBU[0001] checking root against trust_pinning config for docker.io/library/alpine
DEBU[0001] checking trust-pinning for cert: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] role has key IDs: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] verifying signature for key ID: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] root validation succeeded for docker.io/library/alpine
DEBU[0001] entered ValidateRoot with dns: docker.io/library/alpine
DEBU[0001] found the following root keys: [a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce]
DEBU[0001] found 1 valid leaf certificates for docker.io/library/alpine: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] found 1 leaf certs, of which 1 are valid leaf certs for docker.io/library/alpine
DEBU[0001] checking root against trust_pinning config for docker.io/library/alpine
DEBU[0001] checking trust-pinning for cert: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] role has key IDs: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] verifying signature for key ID: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
DEBU[0001] root validation succeeded for docker.io/library/alpine
DEBU[0001] updating TUF client
DEBU[0001] Loading timestamp...
DEBU[0001] 200 when retrieving metadata for timestamp
DEBU[0001] timestamp role has key IDs: 628b0c4ec148075104e8ba30625aba7461754bd4f08ace05746b75f8c04395e8
DEBU[0001] verifying signature for key ID: 628b0c4ec148075104e8ba30625aba7461754bd4f08ace05746b75f8c04395e8
DEBU[0001] timestamp role has key IDs: 628b0c4ec148075104e8ba30625aba7461754bd4f08ace05746b75f8c04395e8
DEBU[0001] verifying signature for key ID: 628b0c4ec148075104e8ba30625aba7461754bd4f08ace05746b75f8c04395e8
DEBU[0001] successfully verified downloaded timestamp
DEBU[0001] Loading snapshot...
DEBU[0001] snapshot role has key IDs: 0c14a4976e6762dca610cbe3e5ff8e72bafa62853bc1212f71236dccab6b33c7
DEBU[0001] verifying signature for key ID: 0c14a4976e6762dca610cbe3e5ff8e72bafa62853bc1212f71236dccab6b33c7
DEBU[0001] successfully verified cached snapshot
DEBU[0001] Loading targets...
DEBU[0001] targets role has key IDs: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
DEBU[0001] verifying signature for key ID: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
DEBU[0001] successfully verified cached targets
{"manifests":[{"digest":"sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"amd64","os":"linux"},"size":528},{"digest":"sha256:e8748b26b68a624c7d2622ff045ce32b76ea31b50bba8e74989cd9ec84e33bb0","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v6"},"size":528},{"digest":"sha256:68a5b7d32422e42b98bedfe2aef4d0b3445f69f0efe390ba2204427d80179a92","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v7"},"size":528},{"digest":"sha256:c41ab5c992deb4fe7e5da09f67a8804a46bd0592bfdf0b1847dde0e0889d2bff","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm64","os":"linux","variant":"v8"},"size":528},{"digest":"sha256:4aa08ef415aecc80814cb42fa41b658480779d80c77ab151812e0d657580f0ae","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"386","os":"linux"},"size":528},{"digest":"sha256:95f55647488fbe0195d340089acfa6a094a9ee0aa6540d98dde8f8af5092d40c","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"ppc64le","os":"linux"},"size":528},{"digest":"sha256:fe2da55ca9a717feb2da5d65171cee518cc157c5fcfe35c02972d9c4aa48aa1d","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"s390x","os":"linux"},"size":528}],"mediaType":"application\/vnd.docker.distribution.manifest.list.v2+json","schemaVersion":2}
Passed
skopeo-test:/#
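The behaviour iamasmith describes, as an added example and not code from the notary project: `notary verify` hashes whatever bytes arrive on STDIN (or via `-i`) and compares them with the length and digests recorded for the named target in the collection's TUF targets metadata, which is why it sits waiting when nothing is piped in, and why the raw manifest is echoed to stdout before `Passed` in the session above. The `collection` and `target` types below are hypothetical stand-ins for that metadata, the sample manifest is constructed, and no notary server is contacted; the program reads STDIN only when something is actually piped to it, otherwise it verifies the built-in sample so it runs on its own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
	"hash"
	"io"
	"os"
)

// target mirrors the parts of a TUF targets entry that matter for verification:
// the expected byte length and a map from hash algorithm name to digest.
// (Hypothetical type, not notary's own.)
type target struct {
	Length int64
	Hashes map[string][]byte
}

// collection stands in for the trusted collection the real command fetches
// from the notary server: target name -> target entry. (Hypothetical type.)
type collection map[string]target

var errNoTarget = errors.New("no trust data for target")

// verifyPayload reports nil only if payload has exactly the recorded length and
// every recorded digest re-computes over it. Unknown hash algorithms and
// entries without hashes are rejected rather than silently skipped.
func verifyPayload(c collection, name string, payload []byte) error {
	t, ok := c[name]
	if !ok {
		return fmt.Errorf("%w %q", errNoTarget, name)
	}
	if int64(len(payload)) != t.Length {
		return fmt.Errorf("length mismatch for %q: got %d, want %d", name, len(payload), t.Length)
	}
	if len(t.Hashes) == 0 {
		return fmt.Errorf("no hashes recorded for %q", name)
	}
	for alg, want := range t.Hashes {
		var h hash.Hash
		switch alg {
		case "sha256":
			h = sha256.New()
		case "sha512":
			h = sha512.New()
		default:
			return fmt.Errorf("unsupported hash algorithm %q for %q", alg, name)
		}
		h.Write(payload)
		if got := h.Sum(nil); !bytes.Equal(got, want) {
			return fmt.Errorf("%s mismatch for %q: got %x, want %x", alg, name, got, want)
		}
	}
	return nil
}

// newCollection builds a constructed collection from literal payloads, recording
// length, sha256 and sha512 the way a publisher would when adding a target.
func newCollection(entries map[string][]byte) collection {
	c := collection{}
	for name, data := range entries {
		s256 := sha256.Sum256(data)
		s512 := sha512.Sum512(data)
		c[name] = target{
			Length: int64(len(data)),
			Hashes: map[string][]byte{"sha256": s256[:], "sha512": s512[:]},
		}
	}
	return c
}

func main() {
	// Constructed sample standing in for a raw image manifest.
	sample := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.list.v2+json"}`)
	c := newCollection(map[string][]byte{"latest": sample})

	payload := sample
	// Only read STDIN when it is a pipe or file (e.g. `skopeo inspect --raw | ...`);
	// on a terminal we would otherwise block exactly as the issue reporter saw.
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		if in, err := io.ReadAll(os.Stdin); err == nil && len(in) > 0 {
			payload = in
		}
	}

	if err := verifyPayload(c, "latest", payload); err != nil {
		fmt.Fprintln(os.Stderr, "verification failed:", err)
		os.Exit(1)
	}
	os.Stdout.Write(payload) // echo the verified bytes, then report success
	fmt.Println("\nPassed")
}
```

Piping any other bytes into the program fails the length or digest check and exits non-zero, which is the signal a CI step or admission hook should key on; the echoed payload is what a caller would then hand on to the next stage knowing it matched the signed metadata.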