Merge branch 'main' into dependabot/go_modules/oras.land/oras-go/v2-2…

….3.0

Signed-off-by: Junjie Gao <[email protected]>

.github/workflows/build.yml

@@ -36,9 +36,9 @@ jobs:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Check out code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: Cache Go modules
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         id: go-mod-cache
         with:
           path: ~/go/pkg/mod

.github/workflows/codeql.yml

@@ -38,15 +38,15 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: Set up Go ${{ matrix.go-version }} environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/init@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
         with:
           languages: go
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/analyze@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0

.github/workflows/license-checker.yml

@@ -20,9 +20,11 @@ on:
     branches: main
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   check-license:
+    permissions:
+      contents: write
+      pull-requests: write
     uses: notaryproject/notation-core-go/.github/workflows/reusable-license-checker.yml@main

.github/workflows/release-github.yml

@@ -38,15 +38,15 @@ jobs:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
       - name: Set GoReleaser Previous Tag To Be Last Non Weekly Release
         run: |
           pre_tag=`git tag --sort=-creatordate --list 'v*' | grep -v dev | head -2 | tail -1`
           echo "GORELEASER_PREVIOUS_TAG=$pre_tag" >> $GITHUB_ENV
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:
           distribution: goreleaser
           version: latest

.github/workflows/scorecard.yml

@@ -39,12 +39,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=3.5.3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # tag=4.1.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # tag=v2.2.0
+        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # tag=v2.3.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -59,6 +59,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/upload-sarif@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
         with:
           sarif_file: results.sarif

cmd/notation/cert/list.go

@@ -16,12 +16,14 @@ package cert
 import (
 	"context"
 	"fmt"
+	"os"
 
 	"github.com/notaryproject/notation-go/dir"
 	"github.com/notaryproject/notation-go/log"
 	notationgoTruststore "github.com/notaryproject/notation-go/verifier/truststore"
 	"github.com/notaryproject/notation/cmd/notation/internal/truststore"
 	"github.com/notaryproject/notation/internal/cmd"
+	"github.com/notaryproject/notation/internal/ioutil"
 	"github.com/spf13/cobra"
 )
 
@@ -75,58 +77,72 @@ func listCerts(ctx context.Context, opts *certListOpts) error {
 	// List all certificates under truststore/x509, display empty if there's
 	// no certificate yet
 	if namedStore == "" && storeType == "" {
-		path, err := configFS.SysPath(dir.TrustStoreDir, "x509")
-		if err := truststore.CheckNonErrNotExistError(err); err != nil {
-			return err
-		}
-		if err := truststore.CheckNonErrNotExistError(truststore.ListCerts(path, 2)); err != nil {
-			logger.Debugln("Failed to complete list at path:", path)
-			return fmt.Errorf("failed to list all certificates stored in the trust store, with error: %s", err.Error())
+		var certPaths []string
+		for _, t := range notationgoTruststore.Types {
+			path, err := configFS.SysPath(dir.TrustStoreDir, "x509", string(t))
+			if err := truststore.CheckNonErrNotExistError(err); err != nil {
+				return err
+			}
+			certs, err := truststore.ListCerts(path, 1)
+			if err := truststore.CheckNonErrNotExistError(err); err != nil {
+				logger.Debugln("Failed to complete list at path:", path)
+				return fmt.Errorf("failed to list all certificates stored in the trust store, with error: %s", err.Error())
+			}
+			certPaths = append(certPaths, certs...)
 		}
-
-		return nil
+		return ioutil.PrintCertMap(os.Stdout, certPaths)
 	}
 
 	// List all certificates under truststore/x509/storeType/namedStore,
-	// display empty if there's no such certificate
+	// display empty if store type is invalid or there's no certificate yet
 	if namedStore != "" && storeType != "" {
+		if !truststore.IsValidStoreType(storeType) {
+			return nil
+		}
 		path, err := configFS.SysPath(dir.TrustStoreDir, "x509", storeType, namedStore)
 		if err := truststore.CheckNonErrNotExistError(err); err != nil {
 			return err
 		}
-		if err := truststore.CheckNonErrNotExistError(truststore.ListCerts(path, 0)); err != nil {
+		certPaths, err := truststore.ListCerts(path, 0)
+		if err := truststore.CheckNonErrNotExistError(err); err != nil {
 			logger.Debugln("Failed to complete list at path:", path)
 			return fmt.Errorf("failed to list all certificates stored in the named store %s of type %s, with error: %s", namedStore, storeType, err.Error())
 		}
-
-		return nil
+		return ioutil.PrintCertMap(os.Stdout, certPaths)
 	}
 
-	// List all certificates under x509/storeType, display empty if
-	// there's no certificate yet
+	// List all certificates under x509/storeType, display empty if store type
+	// is invalid or there's no certificate yet
 	if storeType != "" {
+		if !truststore.IsValidStoreType(storeType) {
+			return nil
+		}
 		path, err := configFS.SysPath(dir.TrustStoreDir, "x509", storeType)
 		if err := truststore.CheckNonErrNotExistError(err); err != nil {
 			return err
 		}
-		if err := truststore.CheckNonErrNotExistError(truststore.ListCerts(path, 1)); err != nil {
+		certPaths, err := truststore.ListCerts(path, 1)
+		if err := truststore.CheckNonErrNotExistError(err); err != nil {
 			logger.Debugln("Failed to complete list at path:", path)
 			return fmt.Errorf("failed to list all certificates stored of type %s, with error: %s", storeType, err.Error())
 		}
-	} else {
-		// List all certificates under named store namedStore, display empty if
-		// there's no such certificate
-		for _, t := range notationgoTruststore.Types {
-			path, err := configFS.SysPath(dir.TrustStoreDir, "x509", string(t), namedStore)
-			if err := truststore.CheckNonErrNotExistError(err); err != nil {
-				return err
-			}
-			if err := truststore.CheckNonErrNotExistError(truststore.ListCerts(path, 0)); err != nil {
-				logger.Debugln("Failed to complete list at path:", path)
-				return fmt.Errorf("failed to list all certificates stored in the named store %s, with error: %s", namedStore, err.Error())
-			}
-		}
+		return ioutil.PrintCertMap(os.Stdout, certPaths)
 	}
 
-	return nil
+	// List all certificates under named store namedStore, display empty if
+	// there's no certificate yet
+	var certPaths []string
+	for _, t := range notationgoTruststore.Types {
+		path, err := configFS.SysPath(dir.TrustStoreDir, "x509", string(t), namedStore)
+		if err := truststore.CheckNonErrNotExistError(err); err != nil {
+			return err
+		}
+		certs, err := truststore.ListCerts(path, 0)
+		if err := truststore.CheckNonErrNotExistError(err); err != nil {
+			logger.Debugln("Failed to complete list at path:", path)
+			return fmt.Errorf("failed to list all certificates stored in the named store %s, with error: %s", namedStore, err.Error())
+		}
+		certPaths = append(certPaths, certs...)
+	}
+	return ioutil.PrintCertMap(os.Stdout, certPaths)
 }

cmd/notation/internal/truststore/truststore.go

@@ -85,12 +85,12 @@ func AddCert(path, storeType, namedStore string, display bool) error {
 	return nil
 }
 
-// ListCerts walks through root and lists all x509 certificates in it,
+// ListCerts walks through root and returns all x509 certificates in it,
 // sub-dirs are ignored.
-func ListCerts(root string, depth int) error {
+func ListCerts(root string, depth int) ([]string, error) {
 	maxDepth := strings.Count(root, string(os.PathSeparator)) + depth
-
-	return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
+	var certPaths []string
+	if err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
@@ -107,11 +107,15 @@ func ListCerts(root string, depth int) error {
 				return err
 			}
 			if len(certs) != 0 {
-				fmt.Println(path)
+				certPaths = append(certPaths, path)
 			}
 		}
 		return nil
-	})
+	}); err != nil {
+		return nil, err
+	}
+
+	return certPaths, nil
 }
 
 // ShowCerts writes out details of certificates

cmd/notation/policy/import.go

@@ -53,21 +53,6 @@ Example - Import trust policy configuration from a file:
 }
 
 func runImport(command *cobra.Command, opts importOpts) error {
-	// optional confirmation
-	if !opts.force {
-		if _, err := trustpolicy.LoadDocument(); err == nil {
-			confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "Existing trust policy configuration found, do you want to overwrite it?", opts.force)
-			if err != nil {
-				return err
-			}
-			if !confirmed {
-				return nil
-			}
-		}
-	} else {
-		fmt.Fprintln(os.Stderr, "Warning: existing trust policy configuration file will be overwritten")
-	}
-
 	// read configuration
 	policyJSON, err := os.ReadFile(opts.filePath)
 	if err != nil {
@@ -83,6 +68,21 @@ func runImport(command *cobra.Command, opts importOpts) error {
 		return fmt.Errorf("failed to validate trust policy: %w", err)
 	}
 
+	// optional confirmation
+	if !opts.force {
+		if _, err := trustpolicy.LoadDocument(); err == nil {
+			confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "Existing trust policy configuration found, do you want to overwrite it?", opts.force)
+			if err != nil {
+				return err
+			}
+			if !confirmed {
+				return nil
+			}
+		}
+	} else {
+		fmt.Fprintln(os.Stderr, "Warning: existing trust policy configuration file will be overwritten")
+	}
+
 	// write
 	policyPath, err := dir.ConfigFS().SysPath(dir.PathTrustPolicy)
 	if err != nil {

go.mod

@@ -6,12 +6,12 @@ require (
 	github.com/notaryproject/notation-core-go v1.0.0
 	github.com/notaryproject/notation-go v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc4
+	github.com/opencontainers/image-spec v1.1.0-rc5
 	github.com/oras-project/oras-credentials-go v0.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/term v0.12.0
+	golang.org/x/term v0.13.0
 	oras.land/oras-go/v2 v2.3.0
 )
 
@@ -27,5 +27,5 @@ require (
 	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
 )