notaryproject / notation-action

GitHub Actions for signing and verifying artifacts with Notation
https://notaryproject.dev/
Apache License 2.0

Error with aws signer plugin #58

Open saintmalik opened 6 months ago

saintmalik commented 6 months ago

Hello, I have been unable to use this Notation GitHub Action with the AWS Signer plugin; I just keep getting errors:

      Error: Error: downloaded plugin does not match user input plugin_name, expected "notation-aws-signer-plugin" not found

Here is my config:

      - name: setup Notation CLI
        if: steps.changed-files-specific.outputs.any_changed == 'true'
        uses: notaryproject/notation-action/setup@v1
        with:
          version: 1.0.0

      - name: sign released artifact with signing plugin
        uses: notaryproject/notation-action/sign@v1
        with:
          plugin_name: aws-signer-plugin
          plugin_url: https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip
          plugin_checksum: cccfe8fdcdf853d83fd57ffc80524eddda75ad7ae9d9a257b087007230ec02f9
          key_id: arn:aws:signer:region:xxxxxxxxx:/signing-profiles/ecr_signing_profile
          target_artifact_reference: 111122223333.dkr.ecr.Region.amazonaws.com/curl@sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE
          signature_format: cose
          plugin_config: |-
            self_signed=true

dorozuker commented 5 months ago

Had the same issue. After some brute force I simply downloaded the plugin zip and checked the filename. It's: notation-com.amazonaws.signer.notation.plugin

Be advised that the action code adds "notation-" as a prefix, so the value for plugin name should be "com.amazonaws.signer.notation.plugin".

FeynmanZhou commented 5 months ago

Hi @priteshbandi @vaninrao10 ,

Would you mind following up on this issue and helping resolve it?

priteshbandi commented 5 months ago

If the plugin binary already includes the notation- prefix in its name, there is no need to add an additional notation- prefix. The code needs to be updated.

Ref: https://github.com/notaryproject/notation-action/blob/570add314ee2874c3a8aaac2027548c6f14c0756/src/sign.ts#L37C7-L37C27
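
Added example, not part of the thread and not the action's own code: a pre-flight check that verifies a downloaded plugin zip against the pinned checksum and derives the plugin_name value from the binary name inside it, following the "notation-" prefix behaviour described in the comments above. It assumes plugin_checksum is the SHA-256 hex digest of the zip (the value in the thread is 64 hex characters); `preflight`, `build_sample_zip` and the in-memory sample archive are constructed for illustration.

```python
import hashlib
import io
import posixpath
import zipfile

PREFIX = "notation-"  # prefix the thread says the action prepends to plugin_name


def preflight(zip_bytes: bytes, plugin_name: str, plugin_checksum: str) -> dict:
    """Check a plugin archive against the plugin_checksum and plugin_name inputs."""
    digest = hashlib.sha256(zip_bytes).hexdigest()  # assumption: checksum is SHA-256
    if digest != plugin_checksum.strip().lower():
        # Do not open an archive that fails the pinned checksum.
        return {"checksum_ok": False, "name_ok": False, "candidates": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Compare on base names only and skip directory entries.
        names = [posixpath.basename(i.filename) for i in zf.infolist() if not i.is_dir()]
    # Every "notation-<x>" file yields <x> as a usable plugin_name value.
    candidates = sorted(
        {n[len(PREFIX):] for n in names if n.startswith(PREFIX) and len(n) > len(PREFIX)}
    )
    return {
        "checksum_ok": True,
        "name_ok": PREFIX + plugin_name in names,
        "candidates": candidates,
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in archive: binary name as reported in the thread, dummy content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notation-com.amazonaws.signer.notation.plugin", b"constructed placeholder")
        zf.writestr("LICENSE", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    pin = hashlib.sha256(sample).hexdigest()  # stands in for plugin_checksum
    for name in ("aws-signer-plugin", "com.amazonaws.signer.notation.plugin"):
        print(name, preflight(sample, name, pin))
```

Run against the real download, `candidates` lists the values that would satisfy the name check, which avoids guessing the plugin name from the zip's file name.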

dorozuker commented 5 months ago

Ideally, it would be great to simply have all this info in the README examples: a note there about the prefix, an example with the actual plugin name, and references to all relevant naming conventions and limitations (for example, COSE is not supported for the AWS plugin).

priteshbandi commented 5 months ago

      - name: setup Notation CLI
        uses: notaryproject/notation-action/setup@v1
        with:
          version: 1.0.0
      - name: Sign artifact using notation plugin
        uses: notaryproject/notation-action/sign@v1
        with:
          plugin_name: com.amazonaws.signer.notation.plugin
          plugin_url: https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip
          plugin_checksum: cccfe8fdcdf853d83fd57ffc80524eddda75ad7ae9d9a257b087007230ec02f9
          key_id: 'arn:aws:signer:us-west-2:xxxxxxxxx:/signing-profiles/account'
          target_artifact_reference: xxxxxxx.dkr.starport.us-west-2.amazonaws.com/go-http-server:latest

@saintmalik @dorozuker Can you please test with plugin_name: com.amazonaws.signer.notation.plugin ?

saintmalik commented 4 months ago

It works now, thank you.

saintmalik commented 4 months ago

@priteshbandi What will the image verification look like with the GitHub Action?