update

Signed-off-by: Patrick Zheng <[email protected]>

cmd/notation/blob/sign.go

@@ -27,6 +27,7 @@ import (
 	"github.com/notaryproject/notation-go/log"
 	"github.com/notaryproject/notation/cmd/notation/internal/cmdutil"
 	"github.com/notaryproject/notation/internal/cmd"
+	"github.com/notaryproject/notation/internal/cmd/signer"
 	"github.com/notaryproject/notation/internal/envelope"
 	"github.com/notaryproject/notation/internal/httputil"
 	"github.com/notaryproject/notation/internal/osutil"
@@ -138,7 +139,7 @@ func runBlobSign(command *cobra.Command, cmdOpts *blobSignOpts) error {
 	ctx := cmdOpts.LoggingFlagOpts.InitializeLogger(command.Context())
 	logger := log.GetLogger(ctx)
 
-	blobSigner, err := cmd.GetSigner(ctx, &cmdOpts.SignerFlagOpts)
+	blobSigner, err := signer.GetSigner(ctx, &cmdOpts.SignerFlagOpts)
 	if err != nil {
 		return err
 	}

cmd/notation/blob/verify.go

@@ -24,6 +24,7 @@ import (
 	"github.com/notaryproject/notation/cmd/notation/internal/display"
 	"github.com/notaryproject/notation/cmd/notation/internal/option"
 	"github.com/notaryproject/notation/internal/cmd"
+	"github.com/notaryproject/notation/internal/cmd/verifier"
 	"github.com/notaryproject/notation/internal/envelope"
 	"github.com/notaryproject/notation/internal/ioutil"
 	"github.com/spf13/cobra"
@@ -111,7 +112,7 @@ func runVerify(command *cobra.Command, cmdOpts *blobVerifyOpts) error {
 	if err != nil {
 		return err
 	}
-	blobVerifier, err := cmd.GetVerifier(ctx, true)
+	blobVerifier, err := verifier.GetBlobVerifier(ctx)
 	if err != nil {
 		return err
 	}
@@ -142,7 +143,7 @@ func runVerify(command *cobra.Command, cmdOpts *blobVerifyOpts) error {
 	}
 	_, outcome, err := notation.VerifyBlob(ctx, blobVerifier, blobFile, signatureBytes, verifyBlobOpts)
 	outcomes := []*notation.VerificationOutcome{outcome}
-	err = ioutil.PrintVerificationFailure(outcomes, cmdOpts.blobPath, err, true)
+	err = ioutil.ComposeBlobVerificationFailurePrintout(outcomes, cmdOpts.blobPath, err)
 	if err != nil {
 		return err
 	}
@@ -154,7 +155,7 @@ func runVerify(command *cobra.Command, cmdOpts *blobVerifyOpts) error {
 // `application/jose+json` and `application/cose` are supported.
 func parseSignatureMediaType(signaturePath string) (string, error) {
 	signatureFileName := filepath.Base(signaturePath)
-	if filepath.Ext(signatureFileName) != ".sig" {
+	if strings.ToLower(filepath.Ext(signatureFileName)) != ".sig" {
 		return "", fmt.Errorf("invalid signature filename %s. The file extension must be .sig", signatureFileName)
 	}
 	sigFilenameArr := strings.Split(signatureFileName, ".")
@@ -165,5 +166,5 @@ func parseSignatureMediaType(signaturePath string) (string, error) {
 		return "", fmt.Errorf("invalid signature filename %s. A valid signature file name must contain signature format and .sig file extension", signatureFileName)
 	}
 	sigFormat := sigFilenameArr[len(sigFilenameArr)-2]
-	return envelope.GetEnvelopeMediaType(sigFormat)
+	return envelope.GetEnvelopeMediaType(strings.ToLower(sigFormat))
 }

cmd/notation/internal/display/metadata/text/helper.go

@@ -26,7 +26,7 @@ import (
 )
 
 // printVerificationSuccess prints out messages when verification succeeds
-func printVerificationSuccess(printer *output.Printer, outcome *notation.VerificationOutcome, printout string, hasWarning bool) error {
+func printVerificationSuccess(printer *output.Printer, outcome *notation.VerificationOutcome, artifact string, hasWarning bool) error {
 	// write out on success
 	// print out warning for any failed result with logged verification action
 	for _, result := range outcome.VerificationResults {
@@ -42,9 +42,9 @@ func printVerificationSuccess(printer *output.Printer, outcome *notation.Verific
 		printer.Println()
 	}
 	if reflect.DeepEqual(outcome.VerificationLevel, trustpolicy.LevelSkip) {
-		printer.Println("Trust policy is configured to skip signature verification for", printout)
+		printer.Println("Trust policy is configured to skip signature verification for", artifact)
 	} else {
-		printer.Println("Successfully verified signature for", printout)
+		printer.Println("Successfully verified signature for", artifact)
 		printUserMetadataIfPresent(printer, outcome)
 	}
 	return nil

cmd/notation/sign.go

@@ -27,6 +27,7 @@ import (
 	"github.com/notaryproject/notation-go/log"
 	"github.com/notaryproject/notation/cmd/notation/internal/experimental"
 	"github.com/notaryproject/notation/internal/cmd"
+	"github.com/notaryproject/notation/internal/cmd/signer"
 	"github.com/notaryproject/notation/internal/envelope"
 	"github.com/notaryproject/notation/internal/httputil"
 	clirev "github.com/notaryproject/notation/internal/revocation"
@@ -162,7 +163,7 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 	ctx := cmdOpts.LoggingFlagOpts.InitializeLogger(command.Context())
 
 	// initialize
-	signer, err := cmd.GetSigner(ctx, &cmdOpts.SignerFlagOpts)
+	signer, err := signer.GetSigner(ctx, &cmdOpts.SignerFlagOpts)
 	if err != nil {
 		return err
 	}

cmd/notation/verify.go

@@ -23,6 +23,7 @@ import (
 	"github.com/notaryproject/notation/cmd/notation/internal/experimental"
 	"github.com/notaryproject/notation/cmd/notation/internal/option"
 	"github.com/notaryproject/notation/internal/cmd"
+	"github.com/notaryproject/notation/internal/cmd/verifier"
 	"github.com/notaryproject/notation/internal/ioutil"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
@@ -112,7 +113,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 
 	// initialize
 	displayHandler := display.NewVerifyHandler(opts.Printer)
-	sigVerifier, err := cmd.GetVerifier(ctx, false)
+	sigVerifier, err := verifier.GetVerifier(ctx)
 	if err != nil {
 		return err
 	}
@@ -151,7 +152,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 		UserMetadata:         userMetadata,
 	}
 	_, outcomes, err := notation.Verify(ctx, sigVerifier, sigRepo, verifyOpts)
-	err = ioutil.PrintVerificationFailure(outcomes, resolvedRef, err, false)
+	err = ioutil.ComposeVerificationFailurePrintout(outcomes, resolvedRef, err)
 	if err != nil {
 		return err
 	}

go.mod

@@ -4,7 +4,7 @@ go 1.23
 
 require (
 	github.com/notaryproject/notation-core-go v1.2.0
-	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250115061529-96b71337184c
+	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250122072255-6eb53a50d69e
 	github.com/notaryproject/tspclient-go v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0

go.sum

@@ -38,8 +38,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-core-go v1.2.0 h1:WElMG9X0YXJhBd0A4VOxLNalTLrTjvqtIAj7JHr5X08=
 github.com/notaryproject/notation-core-go v1.2.0/go.mod h1:+y3L1dOs2/ZwJIU5Imo7BBvZ/M3CFjXkydGGdK09EtA=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250115061529-96b71337184c h1:P9GOhlDUtUXEWGikUDDIrnES2YtlYa15tTfg1U/E96Y=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250115061529-96b71337184c/go.mod h1:ig6lhOPvLW4jrp6ZfaW+B3uNGKbcNW9pgIByvz/s31w=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250122072255-6eb53a50d69e h1:1CyFPpzmL0PCRyj9UZLtvDKlGmTKBe9Q/Tx13lfoBVU=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250122072255-6eb53a50d69e/go.mod h1:ig6lhOPvLW4jrp6ZfaW+B3uNGKbcNW9pgIByvz/s31w=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v1.0.0 h1:AwQ4x0gX8IHnyiZB1tggpn5NFqHpTEm1SDX8YNv4Dg4=

internal/cmd/signer.go → internal/cmd/signer/signer.go

@@ -11,7 +11,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package cmd
+package signer
 
 import (
 	"context"
@@ -21,6 +21,7 @@ import (
 	"github.com/notaryproject/notation-go/dir"
 	"github.com/notaryproject/notation-go/plugin"
 	"github.com/notaryproject/notation-go/signer"
+	"github.com/notaryproject/notation/internal/cmd"
 	"github.com/notaryproject/notation/pkg/configutil"
 )
 
@@ -31,7 +32,7 @@ type Signer interface {
 }
 
 // GetSigner returns a Signer based on user opts.
-func GetSigner(ctx context.Context, opts *SignerFlagOpts) (Signer, error) {
+func GetSigner(ctx context.Context, opts *cmd.SignerFlagOpts) (Signer, error) {
 	// Check if using on-demand key
 	if opts.KeyID != "" && opts.PluginName != "" && opts.Key == "" {
 		// Construct a signer from on-demand key

internal/cmd/signer_test.go → internal/cmd/signer/signer_test.go

@@ -11,7 +11,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package cmd
+package signer
 
 import (
 	"context"
@@ -21,6 +21,7 @@ import (
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/dir"
 	"github.com/notaryproject/notation-go/signer"
+	"github.com/notaryproject/notation/internal/cmd"
 )
 
 func TestGenericSignerImpl(t *testing.T) {
@@ -56,7 +57,7 @@ func TestGetSignerFromOpts(t *testing.T) {
 
 	dir.UserLibexecDir = "./testdata/plugins"
 	ctx := context.Background()
-	opts := &SignerFlagOpts{
+	opts := &cmd.SignerFlagOpts{
 		KeyID:      "testKeyId",
 		PluginName: "testPlugin",
 	}
@@ -85,7 +86,7 @@ func TestGetSignerFromConfig(t *testing.T) {
 	dir.UserLibexecDir = "./testdata/plugins"
 	dir.UserConfigDir = "./testdata/valid_signingkeys"
 	ctx := context.Background()
-	opts := &SignerFlagOpts{
+	opts := &cmd.SignerFlagOpts{
 		Key: "test",
 	}
 
@@ -102,7 +103,7 @@ func TestGetSignerFromConfig(t *testing.T) {
 
 func TestGetFailed(t *testing.T) {
 	ctx := context.Background()
-	opts := &SignerFlagOpts{}
+	opts := &cmd.SignerFlagOpts{}
 
 	defer func(oldLibexeDir, oldConfigDir string) {
 		dir.UserLibexecDir = oldLibexeDir
@@ -126,7 +127,7 @@ func TestGetSignerFailed(t *testing.T) {
 	}(dir.UserLibexecDir, dir.UserConfigDir)
 
 	t.Run("get failed", func(t *testing.T) {
-		opts := &SignerFlagOpts{}
+		opts := &cmd.SignerFlagOpts{}
 		dir.UserLibexecDir = "./testdata/plugins"
 		dir.UserConfigDir = "./testdata/invalid_signingkeys"
 		_, err := GetSigner(ctx, opts)
@@ -142,7 +143,7 @@ func TestGetSignerFailed(t *testing.T) {
 
 		dir.UserLibexecDir = "./testdata/plugins"
 		dir.UserConfigDir = "./testdata/invalid_signingkeys"
-		opts := &SignerFlagOpts{
+		opts := &cmd.SignerFlagOpts{
 			KeyID:      "test",
 			PluginName: "invalid",
 		}
@@ -156,7 +157,7 @@ func TestGetSignerFailed(t *testing.T) {
 	t.Run("failed to resolve key", func(t *testing.T) {
 		dir.UserConfigDir = "./testdata/valid_signingkeys"
 		expectedErrMsg := `default signing key not set. Please set default signing key or specify a key name`
-		_, err := GetSigner(ctx, &SignerFlagOpts{})
+		_, err := GetSigner(ctx, &cmd.SignerFlagOpts{})
 		if err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
 		}
@@ -165,7 +166,7 @@ func TestGetSignerFailed(t *testing.T) {
 	t.Run("keypath not specified", func(t *testing.T) {
 		dir.UserConfigDir = "./testdata/invalid_signingkeys"
 		expectedErrMsg := `key path not specified`
-		opts := &SignerFlagOpts{
+		opts := &cmd.SignerFlagOpts{
 			Key: "invalid",
 		}
 		_, err := GetSigner(ctx, opts)
@@ -177,7 +178,7 @@ func TestGetSignerFailed(t *testing.T) {
 	t.Run("key not found", func(t *testing.T) {
 		dir.UserConfigDir = "./testdata/valid_signingkeys"
 		expectedErrMsg := `signing key not found`
-		opts := &SignerFlagOpts{
+		opts := &cmd.SignerFlagOpts{
 			Key: "test2",
 		}
 		_, err := GetSigner(ctx, opts)
@@ -194,7 +195,7 @@ func TestGetSignerFailed(t *testing.T) {
 		dir.UserLibexecDir = "./testdata/plugins"
 		dir.UserConfigDir = "./testdata/invalid_signingkeys"
 		expectedErrMsg := `plugin executable file is either not found or inaccessible: stat testdata/plugins/plugins/invalid/notation-invalid: no such file or directory`
-		opts := &SignerFlagOpts{
+		opts := &cmd.SignerFlagOpts{
 			Key: "invalidExternal",
 		}
 		_, err := GetSigner(ctx, opts)
@@ -206,7 +207,7 @@ func TestGetSignerFailed(t *testing.T) {
 	t.Run("empty key", func(t *testing.T) {
 		dir.UserConfigDir = "./testdata/invalid_signingkeys"
 		expectedErrMsg := `unsupported key, either provide a local key and certificate file paths, or a key name in config.json, check https://notaryproject.dev/docs/user-guides/how-to/notation-config-file/ for details`
-		opts := &SignerFlagOpts{
+		opts := &cmd.SignerFlagOpts{
 			Key: "empty",
 		}
 		_, err := GetSigner(ctx, opts)

internal/cmd/verifier.go → internal/cmd/verifier/verifier.go

@@ -11,7 +11,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package cmd
+package verifier
 
 import (
 	"context"
@@ -33,38 +33,53 @@ type Verifier interface {
 	notation.Verifier
 }
 
-// GetVerifier returns a Verifier.
-// isBlob is set to true when verifying an arbitrary blob.
-func GetVerifier(ctx context.Context, isBlob bool) (Verifier, error) {
-	// revocation check
-	revocationCodeSigningValidator, err := clirev.NewRevocationValidator(ctx, purpose.CodeSigning)
+// GetVerifier creates a Verifier.
+func GetVerifier(ctx context.Context) (Verifier, error) {
+	verifierOptions, err := newVerifierOptions(ctx)
 	if err != nil {
 		return nil, err
 	}
-	revocationTimestampingValidator, err := clirev.NewRevocationValidator(ctx, purpose.Timestamping)
+
+	// trust policy and trust store
+	x509TrustStore := truststore.NewX509TrustStore(dir.ConfigFS())
+	policyDocument, err := trustpolicy.LoadOCIDocument()
+	if err != nil {
+		return nil, err
+	}
+	verifierOptions.OCITrustPolicy = policyDocument
+	return verifier.NewVerifierWithOptions(x509TrustStore, verifierOptions)
+}
+
+// GetBlobVerifier creates a BlobVerifier.
+func GetBlobVerifier(ctx context.Context) (Verifier, error) {
+	verifierOptions, err := newVerifierOptions(ctx)
 	if err != nil {
 		return nil, err
 	}
 
 	// trust policy and trust store
 	x509TrustStore := truststore.NewX509TrustStore(dir.ConfigFS())
-	if isBlob {
-		blobPolicyDocument, err := trustpolicy.LoadBlobDocument()
-		if err != nil {
-			return nil, err
-		}
-		return verifier.NewVerifierWithOptions(nil, blobPolicyDocument, x509TrustStore, plugin.NewCLIManager(dir.PluginFS()), verifier.VerifierOptions{
-			RevocationCodeSigningValidator:  revocationCodeSigningValidator,
-			RevocationTimestampingValidator: revocationTimestampingValidator,
-		})
+	blobPolicyDocument, err := trustpolicy.LoadBlobDocument()
+	if err != nil {
+		return nil, err
 	}
+	verifierOptions.BlobTrustPolicy = blobPolicyDocument
+	return verifier.NewVerifierWithOptions(x509TrustStore, verifierOptions)
+}
 
-	policyDocument, err := trustpolicy.LoadOCIDocument()
+// newVerifierOptions creates a verifier.VerifierOptions.
+func newVerifierOptions(ctx context.Context) (verifier.VerifierOptions, error) {
+	revocationCodeSigningValidator, err := clirev.NewRevocationValidator(ctx, purpose.CodeSigning)
 	if err != nil {
-		return nil, err
+		return verifier.VerifierOptions{}, err
+	}
+	revocationTimestampingValidator, err := clirev.NewRevocationValidator(ctx, purpose.Timestamping)
+	if err != nil {
+		return verifier.VerifierOptions{}, err
 	}
-	return verifier.NewVerifierWithOptions(policyDocument, nil, x509TrustStore, plugin.NewCLIManager(dir.PluginFS()), verifier.VerifierOptions{
+	return verifier.VerifierOptions{
 		RevocationCodeSigningValidator:  revocationCodeSigningValidator,
 		RevocationTimestampingValidator: revocationTimestampingValidator,
-	})
+		PluginManager:                   plugin.NewCLIManager(dir.PluginFS()),
+	}, nil
 }