open-component-model / ocm

Open Component Model (Software Bill of Delivery Toolset)
https://ocm.software
Apache License 2.0

Unexpectedly added `version` property to `extraIdentity` #842

Closed 8R0WNI3 closed 1 month ago

8R0WNI3 commented 1 month ago

What happened: When executing `ocm sign componentversions` on a component descriptor which contains multiple resources which share the same name and have `extraIdentity` explicitly set to `{}`, all resources have the `version` property added to the `extraIdentity` field except the last resource of that name (which is reasonable, since the last resource is unique without `extraIdentity` being set as soon as all other resources have their `version` property added to it).

What you expected to happen: Don't silently add properties to the `extraIdentity` field during the `ocm sign` command (and certainly not inconsistently). Instead, rather fail verification.

How to reproduce it (as minimally and precisely as possible): Example component descriptor which has to be signed using the `ocm sign componentversions` command:

```yaml
component:
  componentReferences: []
  name: example.org/my-component
  provider: ACME Inc.
  repositoryContexts: []
  resources:
  - access:
      imageReference: hello-world
      type: ociArtifact
    extraIdentity: {} # must not be omitted to reproduce behaviour
    name: my-resource # must be part of the component multiple times
    relation: external
    type: ociImage
    version: 0.1.1 # must be different for the resources sharing the same name
  - access:
      imageReference: hello-world
      type: ociArtifact
    extraIdentity: {} # must not be omitted to reproduce behaviour
    name: my-resource # must be part of the component multiple times
    relation: external
    type: ociImage
    version: 0.1.2 # must be different for the resources sharing the same name
  sources: []
  version: 1.0.0
meta:
  schemaVersion: v2
signatures: []
```

Anything else we need to know:

Environment:

ccwienk commented 1 month ago

> Instead, rather fail verification

Generally +1. However, I would personally prefer the sign command to at most emit a warning (which may be escalated to an error) upon a validation error. At least, please offer a flag to ignore validation errors (the motivation being identical to https://github.com/open-component-model/ocm/issues/755: there should always be an override option for emergencies).
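The security-relevant point of the thread is that a resource's OCM identity is its `name` plus its `extraIdentity` attributes (the `version` is not part of it unless listed there), and that identity is part of what gets normalized and signed. Rewriting `extraIdentity` silently during `ocm sign` therefore means the signed descriptor is not the descriptor the author wrote. The following is an added example, not code from the ocm project or from either participant: it embeds the issue's component descriptor as a plain dict (constructed from the YAML above, so it runs without PyYAML), detects ambiguous identities and refuses by default, offers the warn-and-continue override asked for in the reply (the `allow_ambiguous` flag is a hypothetical name, not an `ocm` CLI option), and separately simulates the reported defaulting behaviour on a copy so the two outcomes can be compared.

```python
# Added example (not ocm project code): check an OCM component descriptor for
# ambiguous resource identities before signing, instead of silently rewriting
# extraIdentity. Descriptor embedded as a dict (constructed from the issue's
# YAML) so the script runs offline without PyYAML.
from __future__ import annotations

import copy
import logging
from collections import Counter, defaultdict

log = logging.getLogger("ocm-identity-check")

# Constructed input: the issue's two resources, same name, different version,
# extraIdentity explicitly empty.
COMPONENT_DESCRIPTOR = {
    "meta": {"schemaVersion": "v2"},
    "component": {
        "name": "example.org/my-component",
        "version": "1.0.0",
        "provider": "ACME Inc.",
        "repositoryContexts": [],
        "componentReferences": [],
        "sources": [],
        "resources": [
            {
                "name": "my-resource",
                "version": "0.1.1",
                "type": "ociImage",
                "relation": "external",
                "extraIdentity": {},
                "access": {"type": "ociArtifact", "imageReference": "hello-world"},
            },
            {
                "name": "my-resource",
                "version": "0.1.2",
                "type": "ociImage",
                "relation": "external",
                "extraIdentity": {},
                "access": {"type": "ociArtifact", "imageReference": "hello-world"},
            },
        ],
    },
    "signatures": [],
}


class AmbiguousIdentityError(ValueError):
    """Raised when two elements of a descriptor share the same identity."""


def identity(element: dict) -> tuple:
    """OCM identity of a resource or source: its name plus every extraIdentity
    attribute. The version is NOT part of it unless it appears in
    extraIdentity, which is exactly why the issue's two resources collide."""
    ident = {"name": element["name"]}
    ident.update(element.get("extraIdentity") or {})
    return tuple(sorted(ident.items()))


def find_ambiguous_identities(descriptor: dict, kind: str = "resources") -> list[dict]:
    """Identities occurring more than once among component.<kind>."""
    counts = Counter(identity(e) for e in descriptor["component"].get(kind, []))
    return [dict(ident) for ident, n in counts.items() if n > 1]


def validate_identities(descriptor: dict, *, allow_ambiguous: bool = False) -> list[str]:
    """Behaviour asked for in the thread: fail on ambiguous identities by
    default; with the hypothetical override flag, only log and return the
    warnings. Never mutates the descriptor."""
    warnings = []
    for kind in ("resources", "sources"):
        for dup in find_ambiguous_identities(descriptor, kind):
            warnings.append(f"ambiguous {kind[:-1]} identity: {dup}")
    if warnings and not allow_ambiguous:
        raise AmbiguousIdentityError("; ".join(warnings))
    for warning in warnings:
        log.warning(warning)
    return warnings


def apply_reported_defaulting(descriptor: dict) -> dict:
    """Simulation of the behaviour the issue reports (not the ocm
    implementation): within each group of resources sharing an identity, add
    the version to extraIdentity of every resource except the last. Works on
    a deep copy so the caller's input is untouched."""
    result = copy.deepcopy(descriptor)
    resources = result["component"]["resources"]
    groups: dict[tuple, list[int]] = defaultdict(list)
    for idx, res in enumerate(resources):
        groups[identity(res)].append(idx)
    for indices in groups.values():
        for idx in indices[:-1]:  # the last resource of the group is left alone
            res = resources[idx]
            if res.get("extraIdentity") is None:
                res["extraIdentity"] = {}
            res["extraIdentity"]["version"] = res["version"]
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    try:
        validate_identities(COMPONENT_DESCRIPTOR)
    except AmbiguousIdentityError as exc:
        print(f"refusing to sign: {exc}")
    for res in apply_reported_defaulting(COMPONENT_DESCRIPTOR)["component"]["resources"]:
        print(res["name"], res["version"], res["extraIdentity"])
```

Run stand-alone, the strict check refuses the issue's descriptor, while the simulated defaulting produces the asymmetric result the issue describes (`{'version': '0.1.1'}` on the first resource, `{}` on the second), after which the identities are unique again; this is the state a signer would commit to without the author ever having written it.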