feat: use new verify workflow

[binbin-li]

What?

Use the new verification workflow for the verify command. Therefore, we have to make some updates to support it.

1. Remove all local verification related flags and arguments, including signatures, certs, certFiles, pull, local and mediaType.
2. Add config flag so that users can set up verification plugin configs.
3. Use the new verification workflow.
4. Support both tag and digest reference.
5. Format the result.

Signed-off-by: Binbin Li libinbin@microsoft.com

[shizhMSFT]

Suggested change

	config string
	pluginConfig []string

[binbin-li]

The reason for using string instead of slice is to be consistent with sign and key commands, https://github.com/notaryproject/notation/blob/main/cmd/notation/sign.go#L27 so that I can utilize https://github.com/notaryproject/notation/blob/main/internal/cmd/flags.go#L91 to parse the configs.

[shizhMSFT]

We need to refine this after #371

[priteshbandi]

Suggested change

	fmt.Fprintf(tw, "%s\n", digest)
	fmt.Fprintf(tw, "Signature verification succeeded for %s\n", digest)

[priteshbandi]

Depending upon the enforcement level in the trust policy configuration, the signature verification might succeed but some validations might have failed(where the enforcement level is logged). In such cases, we want to display the failed validations as warnings.

The signature that passed signature verification would be last signature in SignatureVerificationOutcome array.

https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#signature-verification-details

[binbin-li]

right, I was thinking to print out the digest for failed signatures with the error for user experience. But seems the returned outcome doesn't contain it. Please correct me if I miss something.

[priteshbandi]

Tracking it in #304

[priteshbandi]

IMO this error message is not really helpful and should only be printed in debug level.

In non-debug mode, we should display some generic message like:
Signature verification failed for all the xx signatures associated with ${reference}.

In debug mode

Signature verification failed for all the xx signatures associated with ${reference}. ` The failure reasons for each signature are as follows:
1. ${signature-reference}: ${error message}
2.  ${signature-reference}: ${error message}

[binbin-li]

@yizha1 Could you help check if you need to update the spec?

[yizha1]

I can update verify CLI spec for this accordingly

[priteshbandi]

Tracking UX improvements in #304

[codecov-commenter]

Codecov Report

Merging #373 (8329127) into main (b9f1fb5) will increase coverage by 0.24%.
The diff coverage is 12.82%.

@@            Coverage Diff             @@
##             main     #373      +/-   ##
==========================================
+ Coverage   32.03%   32.28%   +0.24%     
==========================================
  Files          26       26              
  Lines        1670     1623      -47     
==========================================
- Hits          535      524      -11     
+ Misses       1122     1086      -36     
  Partials       13       13              

Impacted Files	Coverage Δ
cmd/notation/verify.go	29.16% <12.82%> (+2.27%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[priteshbandi]

LGTM

[priteshbandi]

Tracking UX improvements in #304

[JeyJeyGao]

Do we need to delete it?

[binbin-li]

I'll keep the Prerequisite comment.

[rgnote]

Suggested change

	notation verify [--config <key>=<value>,...] [--username <username>] [--password <password>] <reference>`,
	notation verify [--pluginConfig <key>=<value>,...] [--username <username>] [--password <password>] <reference>`,

[rgnote]

Suggested change

	command.Flags().StringVarP(&opts.pluginConfig, "config", "c", "", "list of comma-separated {key}={value} pairs that are passed as is to the plugin")
	command.Flags().StringVarP(&opts.pluginConfig, "pluginConfig", "pc", "", "list of comma-separated {key}={value} pairs that are passed as is to the plugin")

[binbin-li]

Actually Cobra doesn't support shorthand with more than one character.

[rgnote]

I understand that we are working on a spec to describe the CLI inputs and outputs, but we should print the error messages associated with the individual outcomes in the short-term to make this command more useful. Can you print the outcomes like below in the interim?

Signature verification failed for all the 3 signatures associated with digest: asdf....asdfasdf

Signature #1 : <Error>
Signature #2 : <Error>
Signature #3 : <Error>

[binbin-li]

Good call, I'll add error messages.

[rgnote]

We should return the error from verifier.Verify() here so that CLI can throw a non-zero error code when signature verification fails.

[patrickzheng200]

LGTM

[priteshbandi]

Suggested change

	"--pluginConfig", expected.pluginConfig}); err != nil {
	"--plugin-config", expected.pluginConfig}); err != nil {

Can we use kebab-case everywhere for command input?

[priteshbandi]

Can you please also add issue with TODO: #304
Would allow easier tracking.