notaryproject / notation-action

GitHub Actions for signing and verifying artifacts with Notation
https://notaryproject.dev/
Apache License 2.0

Error with aws signer plugin #58

Open saintmalik opened 1 month ago

saintmalik commented 1 month ago

Hello, I have been unable to use this notation GitHub action with the AWS Signer plugin. I just keep getting errors:

Error: Error: downloaded plugin does not match user input plugin_name, expected "notation-aws-signer-plugin" not found

Here is my config:

      - name: setup Notation CLI
        if: steps.changed-files-specific.outputs.any_changed == 'true'
        uses: notaryproject/notation-action/setup@v1
        with:
          version: 1.0.0

      - name: sign releasd artifact with signing plugin
        uses: notaryproject/notation-action/sign@v1
        with:
          plugin_name: aws-signer-plugin
          plugin_url: https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip
          plugin_checksum: cccfe8fdcdf853d83fd57ffc80524eddda75ad7ae9d9a257b087007230ec02f9
          key_id: arn:aws:signer:region:xxxxxxxxx:/signing-profiles/ecr_signing_profile
          target_artifact_reference: 111122223333.dkr.ecr.Region.amazonaws.com/curl@sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE
          signature_format: cose
          plugin_config: |-
            self_signed=true

dorozuker commented 1 month ago

Had the same issue. After some brute force I simply downloaded the plugin zip and checked the filename. It's: notation-com.amazonaws.signer.notation.plugin. Be advised that the action code adds "notation-" as a prefix, so the value for plugin name should be "com.amazonaws.signer.notation.plugin".

FeynmanZhou commented 1 month ago

Hi @priteshbandi @vaninrao10 ,

Would you mind following up on this issue and helping resolve it?

priteshbandi commented 1 month ago

If the plugin binary already includes the notation- prefix in its name, there is no need to add an additional notation- prefix. The code needs to be updated.

Ref: https://github.com/notaryproject/notation-action/blob/570add314ee2874c3a8aaac2027548c6f14c0756/src/sign.ts#L37C7-L37C27

dorozuker commented 1 month ago

Ideally, it would be great to simply have all this info in the README examples: a note there about the prefix, an example with the actual plugin name, and references to all relevant naming conventions and limitations (for example, cose is not supported for the aws plugin).

priteshbandi commented 4 weeks ago

      - name: setup Notation CLI
        uses: notaryproject/notation-action/setup@v1
        with:
          version: 1.0.0
      - name: Sign artifact using notation plugin
        uses: notaryproject/notation-action/sign@v1
        with:
          plugin_name: com.amazonaws.signer.notation.plugin
          plugin_url: https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip
          plugin_checksum: cccfe8fdcdf853d83fd57ffc80524eddda75ad7ae9d9a257b087007230ec02f9
          key_id: 'arn:aws:signer:us-west-2:xxxxxxxxx:/signing-profiles/account'
          target_artifact_reference: xxxxxxx.dkr.starport.us-west-2.amazonaws.com/go-http-server:latest

@saintmalik @dorozuker Can you please test with plugin_name: com.amazonaws.signer.notation.plugin ?
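
A pre-flight check for the mismatch discussed in this thread, added here as an illustration and not taken from notation-action or from any commenter: given the file listing of a plugin archive, it reports whether `notation-` + `plugin_name` is present and which `plugin_name` would match. The function names and the sample listing are assumptions; the `.exe` handling assumes Windows plugin binaries carry that suffix.

```javascript
// Added example, not notation-action code. Function names are hypothetical.
const PREFIX = "notation-"; // per the thread, the action prepends this to plugin_name

// File name of an archive entry, without directories or a Windows ".exe" suffix.
function baseName(entry) {
  const file = entry.split(/[\\/]/).pop();
  return file.toLowerCase().endsWith(".exe") ? file.slice(0, -4) : file;
}

// Plugin names present in the archive: "notation-<name>" files, prefix removed.
function pluginNamesInArchive(entries) {
  return entries
    .filter((e) => !/[\\/]$/.test(e)) // skip directory entries
    .map(baseName)
    .filter((f) => f.startsWith(PREFIX) && f.length > PREFIX.length)
    .map((f) => f.slice(PREFIX.length));
}

// Compare the workflow's plugin_name with what the archive actually contains.
function checkPluginName(entries, pluginName) {
  const found = pluginNamesInArchive(entries);
  const expectedBinary = PREFIX + pluginName;
  if (found.includes(pluginName)) {
    return { ok: true, expectedBinary, suggestion: null };
  }
  // Mistake 1: the prefix was typed into plugin_name, so it would be doubled.
  if (pluginName.startsWith(PREFIX) && found.includes(pluginName.slice(PREFIX.length))) {
    return { ok: false, expectedBinary, suggestion: pluginName.slice(PREFIX.length) };
  }
  // Mistake 2: name guessed from the zip's file name. Suggest only if unambiguous.
  return { ok: false, expectedBinary, suggestion: found.length === 1 ? found[0] : null };
}

// Constructed listing: only the binary name comes from the thread.
const SAMPLE_ENTRIES = ["LICENSE", "notation-com.amazonaws.signer.notation.plugin"];

for (const name of ["aws-signer-plugin", "com.amazonaws.signer.notation.plugin"]) {
  console.log(name, checkPluginName(SAMPLE_ENTRIES, name));
}
```

Run it against the real listing of the downloaded zip, after the archive's SHA-256 has been compared with `plugin_checksum`, so the name being suggested belongs to the binary that was pinned.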

saintmalik commented 2 weeks ago

It works now, thank you.

saintmalik commented 1 week ago

@priteshbandi what will the image verification look like with the GitHub action?