notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Improve error logs for notation sign #868

Closed FeynmanZhou closed 2 months ago

FeynmanZhou commented 5 months ago

What is not working as expected?

This issue summarizes the error messages of notation sign that I suggest improving in v1.1.x.

Sign an artifact with a non-existing signing key in a key vault

Current behavior and output:

$ notation sign localhost:5000/test-repo:v1  --signature-format cose --plugin wabbitnetworks-kv --id https://feynman-kv.vault.wabbit.net/keys/feynmankv-networks-io/6670ffa5cb694c49b1e0a6bb6bdefaaa
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Error: describe-key command failed: ERROR: A certificate with (name/id) feynmankv-networks-io/versions/6670ffa5cb694c49b1e0a6bb6bdefaaa was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.wabbit.net/fwlink/?linkid=2125182
Status: 404 (Not Found)
ErrorCode: CertificateNotFound

Content:
{"error":{"code":"CertificateNotFound","message":"A certificate with (name/id) feynmankv-networks-io/versions/6670ffa5cb694c49b1e0a6bb6bdefaaa was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.wabbit.net/fwlink/?linkid=2125182"}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
x-ms-keyvault-region: eastus
x-ms-client-request-id: a2923244-ed47-461b-9dc1-d0b9f4202788
x-ms-request-id: 96103d99-c372-449f-adba-8d24b7d5da7e
x-ms-keyvault-service-version: 1.9.1116.1
x-ms-keyvault-network-info: conn_type=Ipv4;addr=20.65.162.175;act_addr_fam=InterNetwork;
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Date: Wed, 13 Dec 2023 07:27:33 GMT
Content-Length: 376
Content-Type: application/json; charset=utf-8
Expires: -1

Suggested error message:

$ notation sign localhost:5000/test-repo:v1  --signature-format cose --plugin wabbitnetworks-kv --id https://feynman-kv.vault.wabbit.net/keys/feynmankv-networks-io/6670ffa5cb694c49b1e0a6bb6bdefaaa
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Error response from server: A certificate with (name/id) feynmankv-networks-io/versions/6670ffa5cb694c49b1e0a6bb6bdefaaa was not found in this key vault. 
Please make sure the certificate is available in the key vault. Use "--verbose" to see detailed logs.

Sign an artifact with an error signature format parameter

Current behavior and output:

$ notation sign localhost:5000/test-repo:v1  --signature-format cosee
Error: signature format "cosee" not supported

Suggested error message:

$ notation sign localhost:5000/test-repo:v1  --signature-format dsse
Error: signature format "dsse" not supported
Please use the supported signature envelope format "jws" or "cose"

What did you expect to happen?

See above

How can we reproduce it?

See above

Describe your environment

Linux Ubuntu 22.06

What is the version of your Notation CLI or Notation Library?

v1.0.1
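The two suggestions above (summarise the server's JSON error into one line plus a hint, and name the accepted envelope formats when the flag value is wrong) can be sketched as follows. This is an added example written for this page, not code from the notation project; the function names, the `keyVaultError` struct and the sample JSON body are assumptions modelled on the output quoted in the issue, and the hard-coded list of formats assumes only "jws" and "cose" are accepted, as the issue states.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SupportedFormats lists the signature envelope formats accepted by the CLI.
// Assumption: only the two formats named in the issue, "jws" and "cose".
var SupportedFormats = []string{"jws", "cose"}

// ValidateSignatureFormat returns nil for a supported format, otherwise an
// error that names the rejected value and the accepted alternatives, in the
// shape of the message suggested in the issue.
func ValidateSignatureFormat(format string) error {
	for _, f := range SupportedFormats {
		if format == f {
			return nil
		}
	}
	return fmt.Errorf("signature format %q not supported\nPlease use the supported signature envelope format %q or %q",
		format, SupportedFormats[0], SupportedFormats[1])
}

// keyVaultError mirrors the JSON body shown in the issue:
// {"error":{"code":"...","message":"..."}}
// (hypothetical type name; the field layout follows the quoted response)
type keyVaultError struct {
	Error struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// FriendlyPluginError turns the raw JSON error body returned through the
// plugin into a short user-facing message. With verbose set, the untouched
// body is appended so no diagnostic detail is lost; otherwise the user is
// pointed at "--verbose".
func FriendlyPluginError(rawBody string, verbose bool) (string, error) {
	var kv keyVaultError
	if err := json.Unmarshal([]byte(rawBody), &kv); err != nil {
		return "", fmt.Errorf("plugin returned a non-JSON error body: %w", err)
	}
	if kv.Error.Message == "" {
		return "", errors.New("plugin error body has no error.message field")
	}
	// Keep only the first sentence of the vendor message; the rest is
	// recovery advice that belongs in verbose output.
	msg := kv.Error.Message
	if i := strings.Index(msg, ". "); i >= 0 {
		msg = msg[:i+1]
	}
	var b strings.Builder
	fmt.Fprintf(&b, "Error response from server: %s\n", msg)
	switch kv.Error.Code {
	case "CertificateNotFound":
		b.WriteString("Please make sure the certificate is available in the key vault.")
	default:
		fmt.Fprintf(&b, "Server error code: %s.", kv.Error.Code)
	}
	if verbose {
		fmt.Fprintf(&b, "\nRaw response: %s", rawBody)
	} else {
		b.WriteString(` Use "--verbose" to see detailed logs.`)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample body, modelled on the response quoted in the issue.
	const body = `{"error":{"code":"CertificateNotFound","message":"A certificate with (name/id) example-cert/versions/0000 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command."}}`
	out, err := FriendlyPluginError(body, false)
	if err != nil {
		fmt.Println("unexpected:", err)
		return
	}
	fmt.Println(out)
	fmt.Println(ValidateSignatureFormat("dsse"))
}
```

The split on the first sentence is what keeps the non-verbose line short; the full vendor text, request IDs and headers still reach the user when verbose output is requested, which matters when a support ticket needs the `x-ms-request-id`.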

JeyJeyGao commented 2 months ago
  1. Sign an artifact with a non-existing signing key in a key vault: this issue was resolved in notation-azure-kv plugin https://github.com/Azure/notation-azure-kv/pull/150
  2. Sign an artifact with an error signature format parameter: this issue will be resolved in #925