Tsa

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
+	github.com/notaryproject/tspclient-go v0.0.0-20240122083733-a373599795a2
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/veraison/go-cose v1.1.0
@@ -23,3 +24,7 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 )
+
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f
+
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4

go.sum

@@ -1,5 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f h1:0qJ4YyR0q7SYv9N1VMafb5823SpxI7AGuYnSlvEcTjo=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240510081223-bf89fbfde06f/go.mod h1:KDiMLnM1MHQRMeiPM622MN0MBb9Hz6xRU4/O9qDOics=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4 h1:jtwluHassbSXeXjloQ5FCJJ1hOhN/DCnAztY8Cr6if0=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240510080813-e58c4f362fa4/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -32,8 +36,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo=
-github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

notation.go

@@ -59,6 +59,9 @@ type SignerSignOptions struct {
 
 	// SigningAgent sets the signing agent name
 	SigningAgent string
+
+	// TSA denotes the TSA server URL
+	TSAServerURL string
 }
 
 // Signer is a generic interface for signing an OCI artifact.

signer/signer.go

@@ -122,6 +122,7 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 		SigningTime:   time.Now(),
 		SigningScheme: signature.SigningSchemeX509,
 		SigningAgent:  signingAgentId,
+		TSAServerURL:  opts.TSAServerURL,
 	}
 
 	// Add expiry only if ExpiryDuration is not zero
@@ -135,16 +136,22 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 	logger.Debugf("  Expiry:        %v", signReq.Expiry)
 	logger.Debugf("  SigningScheme: %v", signReq.SigningScheme)
 	logger.Debugf("  SigningAgent:  %v", signReq.SigningAgent)
+	logger.Debugf("  TSAServerURL:  %v", signReq.TSAServerURL)
 
 	// perform signing
 	sigEnv, err := signature.NewEnvelope(opts.SignatureMediaType)
 	if err != nil {
 		return nil, nil, err
 	}
 
+	var timestampErr *signature.TimestampError
 	sig, err := sigEnv.Sign(signReq)
 	if err != nil {
-		return nil, nil, err
+		if !errors.As(err, &timestampErr) {
+			return nil, nil, err
+		}
+		// warn on timestamping error, but do not fail the signing process
+		logger.Warnf("Failed to timestamp the signature. Error: %v", timestampErr)
 	}
 
 	envContent, err := sigEnv.Verify()
@@ -154,8 +161,6 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 	if err := envelope.ValidatePayloadContentType(&envContent.Payload); err != nil {
 		return nil, nil, err
 	}
-
-	// TODO: re-enable timestamping https://github.com/notaryproject/notation-go/issues/78
 	return sig, &envContent.SignerInfo, nil
 }
 

verifier/helpers.go

@@ -57,31 +57,7 @@ func loadX509TrustStores(ctx context.Context, scheme signature.SigningScheme, po
 	default:
 		return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the trust store, unrecognized signing scheme %q", scheme)}
 	}
-
-	processedStoreSet := set.New[string]()
-	var certificates []*x509.Certificate
-	for _, trustStore := range policy.TrustStores {
-		if processedStoreSet.Contains(trustStore) {
-			// we loaded this trust store already
-			continue
-		}
-
-		storeType, name, found := strings.Cut(trustStore, ":")
-		if !found {
-			return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the trust store, trust policy statement %q is missing separator in trust store value %q. The required format is <TrustStoreType>:<TrustStoreName>", policy.Name, trustStore)}
-		}
-		if typeToLoad != truststore.Type(storeType) {
-			continue
-		}
-
-		certs, err := x509TrustStore.GetCertificates(ctx, typeToLoad, name)
-		if err != nil {
-			return nil, err
-		}
-		certificates = append(certificates, certs...)
-		processedStoreSet.Add(trustStore)
-	}
-	return certificates, nil
+	return loadX509TrustStoresWithType(ctx, typeToLoad, policy, x509TrustStore)
 }
 
 // isCriticalFailure checks whether a VerificationResult fails the entire
@@ -154,3 +130,41 @@ func getVerificationPluginMinVersion(signerInfo *signature.SignerInfo) (string,
 	}
 	return version, nil
 }
+
+func loadX509TSATrustStores(ctx context.Context, scheme signature.SigningScheme, policy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore) ([]*x509.Certificate, error) {
+	var typeToLoad truststore.Type
+	switch scheme {
+	case signature.SigningSchemeX509:
+		typeToLoad = truststore.TypeTSA
+	default:
+		return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the TSA trust store, signing scheme must be notary.x509, but got %s", scheme)}
+	}
+	return loadX509TrustStoresWithType(ctx, typeToLoad, policy, x509TrustStore)
+}
+
+func loadX509TrustStoresWithType(ctx context.Context, trustStoreType truststore.Type, policy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore) ([]*x509.Certificate, error) {
+	processedStoreSet := set.New[string]()
+	var certificates []*x509.Certificate
+	for _, trustStore := range policy.TrustStores {
+		if processedStoreSet.Contains(trustStore) {
+			// we loaded this trust store already
+			continue
+		}
+
+		storeType, name, found := strings.Cut(trustStore, ":")
+		if !found {
+			return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the trust store, trust policy statement %q is missing separator in trust store value %q. The required format is <TrustStoreType>:<TrustStoreName>", policy.Name, trustStore)}
+		}
+		if trustStoreType != truststore.Type(storeType) {
+			continue
+		}
+
+		certs, err := x509TrustStore.GetCertificates(ctx, trustStoreType, name)
+		if err != nil {
+			return nil, err
+		}
+		certificates = append(certificates, certs...)
+		processedStoreSet.Add(trustStore)
+	}
+	return certificates, nil
+}

verifier/truststore/truststore.go

@@ -36,12 +36,14 @@ type Type string
 const (
 	TypeCA               Type = "ca"
 	TypeSigningAuthority Type = "signingAuthority"
+	TypeTSA              Type = "tsa"
 )
 
 var (
 	Types = []Type{
 		TypeCA,
 		TypeSigningAuthority,
+		TypeTSA,
 	}
 )