notation sign doesn't work on main branch #259

Closed
yizha1 opened this issue Jul 23, 2022 · 12 comments · Fixed by #264

@yizha1
Contributor

yizha1 commented Jul 23, 2022

Summary
notation sign doesn't work on main branch

Steps to reproduce issue

Logs

notation sign --plain-http $IMAGE
Incorrect Usage: flag provided but not defined: -plain-http
notation cert generate-test --default "yizha-test-certs"
notation sign $IMAGE
2022/07/22 17:05:20 certificate-chain is invalid, certificate chain must contain at least two certificates: a root and a leaf certificate

Additional info
Recommend verifying the notation sign command behavior with cobra cli implemented
#255

@yizha1 yizha1 added the bug Something isn't working label Jul 23, 2022
@yizha1 yizha1 added this to the alpha-3 milestone Jul 23, 2022
@FeynmanZhou
Member

FeynmanZhou commented Jul 23, 2022

I have the same issue as @yizha1 mentioned.

Run notation sign with a build of the main branch:

./notation --version
notation version v0.7.1-alpha.1+bb5b49728798376a518b522f1693cf29b0376fa6.unreleased

$ ./notation sign --plain-http $IMAGE
Incorrect Usage: flag provided but not defined: -plain-http

Note: I assume the version number should be v1.0.0-alpha.2 instead of v0.7.1-alpha.1.

But it works with notation 0.9.0-alpha.1:

$ notation sign --plain-http $IMAGE
sha256:792dxxxxx

@patrickzheng200
Contributor

@yizha1 This error
2022/07/22 17:05:20 certificate-chain is invalid, certificate chain must contain at least two certificates: a root and a leaf certificate
occurred because of this check. A self-signed certificate from 'notation cert generate-test' no longer works. For hello-signing to work, the user needs to utilize tools like generate-tls-cert to generate leaf and root certificates manually.

@patrickzheng200
Contributor

Taking a look

@chloeyin
Contributor

chloeyin commented Jul 25, 2022

notation --plain-http sign $IMAGE will work (but still got an error).
For the plain-http flag, it is because this PR #218 changes the CLI interface, which makes --plain-http a global flag. So for now, adding --plain-http just after notation will work.
This PR #223 changes the spec, which makes the flag global.

@shizhMSFT shizhMSFT moved this from Todo to In Progress in Notary Project Planning Board Jul 25, 2022
@yizha1
Contributor Author

yizha1 commented Jul 26, 2022

@rgnote could you share your insights here?

@patrickzheng200
Contributor

@yizha1 While we are waiting for Rakesh, you could try my updated branch which solves your blocking on hello-signing. Thanks.

@yizha1
Contributor Author

yizha1 commented Jul 26, 2022

Sure. I will try it today.

@yizha1
Contributor Author

yizha1 commented Jul 26, 2022

> notation --plain-http sign $IMAGE will work (but still got an error). For the plain-http flag, it is because this PR #218 changes the CLI interface, which makes --plain-http a global flag. So for now, adding --plain-http just after notation will work. This PR #223 changes the spec, which makes the flag global.

Thanks @chloeyin, I tried just now, and the flag works when I put it before the list command, which is notation --plain-text list $IMAGE. I think the root cause is as you mentioned; we can follow up on it in another PR for the fix.

@yizha1
Contributor Author

yizha1 commented Jul 26, 2022

@patrickzheng200 I just tried notation built from your branch. It works.

@yizha1 yizha1 moved this from In Progress to PR Review in Notary Project Planning Board Jul 26, 2022
@rgnote
Contributor

rgnote commented Jul 28, 2022

With the latest signing and verification implementation, we are expecting a signing certificate with a chain. Since generate-test is only generating a self-signed certificate without a chain, the sign command is failing. We need to support self-signed certificates.
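
The chain rule discussed in the comments above, as an added Go example that is not notation's own code: it issues test certificates with the standard library and shows that a lone self-signed certificate fails a check modeled on the quoted log message while a leaf plus its root passes. `issue` and `checkChain` are hypothetical helpers; the subject names and Ed25519 keys are assumptions, and only a leaf followed directly by its root is handled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) creates a test certificate; parent == nil yields a self-signed one.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkChain (hypothetical) mirrors the logged rule: leaf at chain[0], root last; intermediates are not handled.
func checkChain(chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return fmt.Errorf("certificate chain must contain at least two certificates, got %d", len(chain))
	}
	roots := x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1]) // only the last entry is trusted as the anchor
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, rootKey, _ := issue("example root", x509.KeyUsageCertSign, nil, nil)
	leaf, _, _ := issue("example leaf", x509.KeyUsageDigitalSignature, root, rootKey)
	fmt.Println(checkChain([]*x509.Certificate{leaf}), "|", checkChain([]*x509.Certificate{leaf, root}))
}
```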

@iamsamirzon
Contributor

@rgnote - Any comments on the proposed fix for this issue via this PR - #264

@FeynmanZhou
Member

FeynmanZhou commented Aug 8, 2022

Hi team,

I tried it based on the build from the main branch today. But I got the following error:

# Generate a self-signed test certificate for testing purposes
$ notation cert generate-test --default "wabbit-networks.io"
generating RSA Key with 2048 bits
generated certificates expiring on 2022-08-09T06:43:14Z
wrote key: /root/.config/notation/localkeys/wabbit-networks.io.key
wrote certificate: /root/.config/notation/localkeys/wabbit-networks.io.crt
wabbit-networks.io: added to the key list
wabbit-networks.io: marked as default

# Sign the image
$ notation sign --plain-http $IMAGE
Error: failed to load config file, error: credentials store config is not set up
2022/08/08 06:43:44 failed to load config file, error: credentials store config is not set up

Using notation --plain-http sign $IMAGE also did not work for me.

Any suggestions on this issue?
