notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0
342 stars 84 forks

Print manifests as part of the `--debug` option #599

Open toddysm opened 1 year ago

toddysm commented 1 year ago

What is the area you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

Pushing Notary signatures to Docker Hub is failing at the moment with a non-descriptive error:

```
ERRO[2023-03-24T07:34:17-07:00] Failed to push the signature
Error: failed to push signature to registry with error: failed to push manifest: PUT "https://registry-1.docker.io/v2/toddysm/kubeconeu23-python/manifests/sha256:ec62b6eafefe1514bd5c67889ede1fdb6094aa2e0759f110dd575a7c2701fedd": response status code 404: notfound: not found
```

This is the command I am using:

```
notation sign --signature-format cose --key $KEY_NAME --debug docker.io/toddysm/kubeconeu23-python:3.11.2-slim
```

What solution do you propose?

With the changes in the OCI spec, it will be good to be able to troubleshoot the manifests that are sent to the registries. Having the ability to print the manifests and their digests as part of the `--debug` output would be helpful with troubleshooting if pushing the signature fails to a particular registry.

It will be good if after each HTTP request, we print the payload and the payload digest for troubleshooting purposes.

```
DEBU[2023-03-23T16:37:04-07:00] > Request: "PUT" "https://registry-1.docker.io/v2/toddysm/kubeconeu23-python/blobs/uploads/218dcc86-d3b2-4cde-aed3-c4507c78345a?_state=Xzu3aK7hNWFEeFLiBpYyE4XKJENIzfDWFmIz99iYZN97Ik5hbWUiOiJ0b2RkeXNtL2t1YmVjb25ldTIzLXB5dGhvbiIsIlVVSUQiOiIyMThkY2M4Ni1kM2IyLTRjZGUtYWVkMy1jNDUwN2M3ODM0NWEiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjMtMDMtMjNUMjM6Mzc6MDQuNzY1MjI4OTFaIn0%3D&digest=sha256%3A44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"

Digest: <digest goes here>
Payload: <payload goes here>
```

What alternatives have you considered?

With the changes in the OCI spec, it will be good to be able to troubleshoot the manifests that are sent to the registries. Having the ability to print the manifests and their digests as part of the `--debug` output would be helpful with troubleshooting if pushing the signature fails to a particular registry.

It will be good if after each HTTP request, we print the payload and the payload digest.

Any additional context?

Right now I need to install and configure MITM proxy to track those requests.

yizha1 commented 6 months ago

Per discussion in the community meeting on Mar 19, 2024, we would like to print out the digest of the signature manifest and the signature manifest during pushing signatures if the `--verbose` flag is used. The `--verbose` flag is recommended for all the diagnostic logs. @toddysm, do you have any comments? /cc @priteshbandi @shizhMSFT @sajayantony

yizha1 commented 3 months ago

Duplicate of https://github.com/notaryproject/notation/issues/695
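
One way to produce the per-request digest and payload lines requested in this issue, and the manifest digest output discussed in the later comment, is an `http.RoundTripper` wrapper around the registry client's transport. This is an added example, not notation's code and not written by anyone in the thread; `digestTransport`, `stubRegistry`, the `registry.example` host and the sample manifest are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"io"
	"log"
	"net/http"
	"strings"
)

// digestTransport (hypothetical, not notation's code) logs the digest of each request body.
type digestTransport struct {
	base http.RoundTripper
	logf func(format string, args ...any)
}

func (t *digestTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Body != nil && req.Body != http.NoBody {
		payload, err := io.ReadAll(req.Body)
		req.Body.Close()
		if err != nil {
			return nil, err
		}
		req = req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
		req.Body = io.NopCloser(bytes.NewReader(payload))
		t.logf("> Request: %q %q", req.Method, req.URL)
		t.logf("Digest: sha256:%x", sha256.Sum256(payload))
		if strings.Contains(req.URL.Path, "/manifests/") { // blobs may be large or binary
			t.logf("Payload: %s", payload)
		}
	}
	return t.base.RoundTrip(req)
}

// stubRegistry answers every request with 404, like the failure in the issue (constructed).
type stubRegistry struct{}
func (stubRegistry) RoundTrip(*http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: http.StatusNotFound, Body: http.NoBody}, nil
}

func main() {
	c := &http.Client{Transport: &digestTransport{stubRegistry{}, log.Printf}}
	body := strings.NewReader(`{"schemaVersion":2}`) // constructed manifest
	req, _ := http.NewRequest("PUT", "https://registry.example/v2/demo/manifests/sig", body)
	if resp, err := c.Do(req); err == nil {
		log.Println("status:", resp.StatusCode)
	}
}
```

The wrapper buffers each request body in memory, which is acceptable on a debug path, and it logs no headers, so `Authorization` values stay out of the output.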