> [...]
>> I've backported the necessary code changes and have uploaded it to
>> experimental as golang-github-notaryproject-notation-core-go_1.1.0-7, to
>> allow (more) convenient testing and review of the code. Once that has
>> been built, we can upload the patch from upstream commit
>> e7005a6d13e5ba472d4e166fbb085152f909e102 to experimental as well, so
>> that we can then actually rebuild src:golang-github-notaryproject-notation
>
> [...]
>
>> CC'ed debian-release: Please let me know if you prefer to go with newer
>> upstream release, otherwise I'll proceed as outlined above: Minimal code
>> changes, and rebuild dependencies in experimental so that they can be
>> tested safely.
>
> I just happened to see this bug report. Individual messages to -release often
> get lost in the volume, which is why we prefer unblock requests bugs, so that
> they can be tracked properly.

Thanks for getting back to me.

So here is the thing, I've managed to run the e2e tests with the change
in experimental (which required me to set up a qemu VM and manually install packages
from experimental), and as it turns out, exactly one of the tests appears to
fail:
>> should pass: /usr/bin/notation verify 
>> localhost:5000/e2e-1275110522315878098@sha256:b8479de3f88fb259a0a9ea82a5b2a052a1ef3c4ebbcfc61482d5ae4c831f8af9
>>  -v >>
level=info msg="Allowed to access the referrers API, fallback if not supported"
level=info msg="Reference 
sha256:b8479de3f88fb259a0a9ea82a5b2a052a1ef3c4ebbcfc61482d5ae4c831f8af9 
resolved to manifest descriptor: 
{MediaType:application/vnd.oci.image.manifest.v1+json 
Digest:sha256:b8479de3f88fb259a0a9ea82a5b2a052a1ef3c4ebbcfc61482d5ae4c831f8af9 
Size:517 URLs:[] Annotations:map[] Data:[] Platform:<nil> ArtifactType:}"
level=info msg="Checking whether signature verification should be skipped or 
not"
level=info msg="Trust policy configuration: &{Name:e2e RegistryScopes:[*] 
SignatureVerification:{VerificationLevel:strict Override:map[] 
VerifyTimestamp:always} TrustStores:[ca:e2e tsa:e2e] TrustedIdentities:[*]}"
level=info msg="Check over. Trust policy is not configured to skip signature 
verification"
level=info msg="Processing signature with manifest mediaType: 
application/vnd.oci.image.manifest.v1+json and digest: 
sha256:360633c4b9d4639e69b07b176e18fa2c6574f71fd8de3f03f87466d955c9ccb0"
level=info msg="Trust policy configuration: &{Name:e2e RegistryScopes:[*] 
SignatureVerification:{VerificationLevel:strict Override:map[] 
VerifyTimestamp:always} TrustStores:[ca:e2e tsa:e2e] TrustedIdentities:[*]}"
level=info msg="Performing timestamp verification..."
level=info msg="TSA identity is: CN=DigiCert SHA256 RSA4096 Timestamp Responder 
2025 1,O=DigiCert\\, Inc.,C=US"
level=error msg="authenticTimestamp validation failed. Failure reason: 
timestamping certificate with subject \"CN=DigiCert SHA256 RSA4096 Timestamp 
Responder 2025 1,O=DigiCert\\\\, Inc.,C=US\" revocation status is unknown"
level=warning msg="Signature 
sha256:360633c4b9d4639e69b07b176e18fa2c6574f71fd8de3f03f87466d955c9ccb0 failed 
verification with error: timestamping certificate with subject \"CN=DigiCert 
SHA256 RSA4096 Timestamp Responder 2025 1,O=DigiCert\\\\, Inc.,C=US\" 
revocation status is unknown"
Error: signature verification failed for all the signatures associated with 
localhost:5000/e2e-1275110522315878098@sha256:b8479de3f88fb259a0a9ea82a5b2a052a1ef3c4ebbcfc61482d5ae4c831f8af9

------------------------------
• [FAILED] [0.319 seconds]
notation verify [It] with timestamp verification
/tmp/autopkgtest.xKBg3z/build.2pt/real-tree/_build/src/github.com/notaryproject/notation/test/e2e/suite/command/verify.go:227

  Timeline >>
  STEP: 
  >> should pass: /usr/bin/notation cert add --type ca --store e2e 
/tmp/autopkgtest.xKBg3z/build.2pt/real-tree/test/e2e/testdata/config/localkeys/e2e.crt
 >> @ 06/14/25 23:20:36.405
  STEP: 
  >> should pass: /usr/bin/notation cert add --type tsa --store e2e 
/tmp/autopkgtest.xKBg3z/build.2pt/real-tree/test/e2e/testdata/config/timestamp/globalsignTSARoot.cer
 >> @ 06/14/25 23:20:36.416
  STEP: 
  >> should pass: /usr/bin/notation cert add --type tsa --store e2e 
/tmp/autopkgtest.xKBg3z/build.2pt/real-tree/test/e2e/testdata/config/timestamp/DigiCertTSARootSHA384.cer
 >> @ 06/14/25 23:20:36.426
  STEP: 
  >> should pass: /usr/bin/notation sign --timestamp-url 
http://timestamp.digicert.com --timestamp-root-cert 
/tmp/autopkgtest.xKBg3z/build.2pt/real-tree/test/e2e/testdata/config/timestamp/DigiCertTSARootSHA384.cer
 
localhost:5000/e2e-1275110522315878098@sha256:b8479de3f88fb259a0a9ea82a5b2a052a1ef3c4ebbcfc61482d5ae4c831f8af9
 >> @ 06/14/25 23:20:36.463
  STEP: 
  >> should pass: /usr/bin/notation verify 
localhost:5000/e2e-1275110522315878098@sha256:b8479de3f88fb259a0a9ea82a5b2a052a1ef3c4ebbcfc61482d5ae4c831f8af9
 -v >> @ 06/14/25 23:20:36.638
  [FAILED] in [It] - 
/tmp/autopkgtest.xKBg3z/build.2pt/real-tree/_build/src/github.com/notaryproject/notation/test/e2e/internal/utils/exec.go:173
 @ 06/14/25 23:20:36.722
  << Timeline

  [FAILED] Expected
      <bool>: true
  to equal
      <bool>: false
  In [It] at: 
/tmp/autopkgtest.xKBg3z/build.2pt/real-tree/_build/src/github.com/notaryproject/notation/test/e2e/internal/utils/exec.go:173
 @ 06/14/25 23:20:36.722
------------------------------

I could verify that this is coming from code that is part of the patch,
and deals with certificate revocation status. Apparently one of the test
certificates cannot be verified, but it remains very unclear to me why.

As such, I am not comfortable uploading this patch to experimental. A
more prudent approach is probably to update to notation 1.3.2, which
comes with a number of additional code changes. If the release team was
okay with going to a newer upstream release, then I can work on
that. Note that this covers updating multiple source packages:

- golang-github-notaryproject-notation
- golang-github-notaryproject-notation-go
- golang-github-notaryproject-notation-core-go
Notation is a CLI tool to sign and verify artifacts, and commonly used
to sign OCI images (read: docker images). Not including it would mean
users will have to download this software elsewhere. AFAIUI, no other
packages use this code.

Ivo, let me know how best to proceed here.

Best,
-rt
