Improve error logs for notation sign #868

Closed
FeynmanZhou opened this issue Jan 17, 2024 · 1 comment · Fixed by #925
@FeynmanZhou
Member

What is not working as expected?

This issue summarizes the error messages of notation sign that I suggest improving in v1.1.x.

Sign an artifact with a non-existing signing key in a key vault

Current behavior and output:

```
$ notation sign localhost:5000/test-repo:v1  --signature-format cose --plugin wabbitnetworks-kv --id https://feynman-kv.vault.wabbit.net/keys/feynmankv-networks-io/6670ffa5cb694c49b1e0a6bb6bdefaaa
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Error: describe-key command failed: ERROR: A certificate with (name/id) feynmankv-networks-io/versions/6670ffa5cb694c49b1e0a6bb6bdefaaa was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.wabbit.net/fwlink/?linkid=2125182
Status: 404 (Not Found)
ErrorCode: CertificateNotFound

Content:
{"error":{"code":"CertificateNotFound","message":"A certificate with (name/id) feynmankv-networks-io/versions/6670ffa5cb694c49b1e0a6bb6bdefaaa was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.wabbit.net/fwlink/?linkid=2125182"}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
x-ms-keyvault-region: eastus
x-ms-client-request-id: a2923244-ed47-461b-9dc1-d0b9f4202788
x-ms-request-id: 96103d99-c372-449f-adba-8d24b7d5da7e
x-ms-keyvault-service-version: 1.9.1116.1
x-ms-keyvault-network-info: conn_type=Ipv4;addr=20.65.162.175;act_addr_fam=InterNetwork;
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Date: Wed, 13 Dec 2023 07:27:33 GMT
Content-Length: 376
Content-Type: application/json; charset=utf-8
Expires: -1
```

Suggested error message:

```
$ notation sign localhost:5000/test-repo:v1  --signature-format cose --plugin wabbitnetworks-kv --id https://feynman-kv.vault.wabbit.net/keys/feynmankv-networks-io/6670ffa5cb694c49b1e0a6bb6bdefaaa
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Error response from server: A certificate with (name/id) feynmankv-networks-io/versions/6670ffa5cb694c49b1e0a6bb6bdefaaa was not found in this key vault.
Please make sure the certificate is available in the key vault. Use "--verbose" to see detailed logs.
```

Sign an artifact with an error signature format parameter

Current behavior and output:

```
$ notation sign localhost:5000/test-repo:v1  --signature-format cosee
Error: signature format "cosee" not supported
```

Suggested error message:

```
$ notation sign localhost:5000/test-repo:v1  --signature-format dsse
Error: signature format "dsse" not supported
Please use the supported signature envelope format "jws" or "cose"
```

What did you expect to happen?

See above

How can we reproduce it?

See above

Describe your environment

Linux Ubuntu 22.06

What is the version of your Notation CLI or Notation Library?

v1.0.1

@FeynmanZhou FeynmanZhou added bug Something isn't working triage Need to triage labels Jan 17, 2024
@yizha1 yizha1 added this to the 1.1.1 milestone Jan 23, 2024
@yizha1 yizha1 removed the triage Need to triage label Jan 23, 2024
JeyJeyGao added a commit to Azure/notation-azure-kv that referenced this issue Jan 29, 2024
Improve the error message:

Previous:
```
notation sign notationreg.azurecr.io/hello-app:v2 --plugin azure-kv --id https://acrci-test-kv.vault.azure.net/keys/self-signed-pkcs13/70747b2064c0488e936eba7a29acc4c6
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v2) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Error: describe-key command failed: failed to execute the describe-key command for plugin azure-kv: ERROR: A certificate with (name/id) self-signed-pkcs13/versions/70747b2064c0488e936eba7a29acc4c6 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182
Status: 404 (Not Found)
ErrorCode: CertificateNotFound

Content:
{"error":{"code":"CertificateNotFound","message":"A certificate with (name/id) self-signed-pkcs13/versions/70747b2064c0488e936eba7a29acc4c6 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
x-ms-keyvault-region: eastus
x-ms-client-request-id: 94abafcf-db8e-4046-be8a-573360b627eb
x-ms-request-id: b6c9de19-768c-4187-90d3-17342827af20
x-ms-keyvault-service-version: 1.9.1222.3
x-ms-keyvault-network-info: conn_type=Ipv4;addr=167.220.255.20;act_addr_fam=InterNetwork;
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Date: Mon, 29 Jan 2024 06:52:00 GMT
Content-Length: 372
Content-Type: application/json; charset=utf-8
Expires: -1

```
Current:
```
notation sign notationreg.azurecr.io/hello-app:v2 --plugin azure-kv --id https://acrci-test-kv.vault.azure.net/keys/self-signed-pkcs13/70747b2064c0488e936eba7a29acc4c6   
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v2) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Error: describe-key command failed: failed to execute the describe-key command for plugin azure-kv: CertificateNotFound: A certificate with (name/id) self-signed-pkcs13/versions/70747b2064c0488e936eba7a29acc4c6 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182
```

Resolves part of notaryproject/notation#868
Signed-off-by: Junjie Gao <[email protected]>

Signed-off-by: Junjie Gao <[email protected]>
@JeyJeyGao
Contributor

JeyJeyGao commented Apr 9, 2024

  1. Sign an artifact with a non-existing signing key in a key vault: this issue was resolved in notation-azure-kv plugin "fix: improve RequestFailedException error message" Azure/notation-azure-kv#150
  2. Sign an artifact with an error signature format parameter: this issue will be resolved in "fix: improve error message for --signature-format flag" #925
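
The two behaviours requested in this issue, as an added Go example (not code from Notation or the azure-kv plugin): reducing a raw key-vault error dump to its error code and message so that status and header lines stay out of default output, and rejecting an unknown `--signature-format` value with the accepted values named. The function names `validateSignatureFormat` and `conciseError` are hypothetical, and `sampleDump` is a constructed input shaped like the output quoted above, with placeholder values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// validateSignatureFormat (hypothetical name) accepts the envelope formats named
// in the issue and tells the user which values are valid when it rejects one.
func validateSignatureFormat(format string) error {
	if format == "jws" || format == "cose" {
		return nil
	}
	return fmt.Errorf("signature format %q not supported\n"+
		"Please use the supported signature envelope format \"jws\" or \"cose\"", format)
}

// conciseError (hypothetical name) reduces a raw error dump to "<code>: <message>"
// taken from its JSON body; without a JSON error body it returns the first line.
func conciseError(raw string) string {
	lines := strings.Split(strings.TrimSpace(raw), "\n")
	for _, line := range lines {
		var body struct {
			Error struct {
				Code    string `json:"code"`
				Message string `json:"message"`
			} `json:"error"`
		}
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "{") && json.Unmarshal([]byte(line), &body) == nil && body.Error.Code != "" {
			return body.Error.Code + ": " + body.Error.Message
		}
	}
	return strings.TrimSpace(lines[0])
}

// Constructed sample shaped like the dump in the issue; all values are placeholders.
const sampleDump = `ERROR: A certificate with (name/id) example-cert/versions/0000 was not found in this key vault.
Status: 404 (Not Found)
Content:
{"error":{"code":"CertificateNotFound","message":"A certificate with (name/id) example-cert/versions/0000 was not found in this key vault."}}
Headers:
x-ms-request-id: 00000000-0000-0000-0000-000000000000`

func main() {
	fmt.Println(conciseError(sampleDump))
	fmt.Println(validateSignatureFormat("cosee"))
}
```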
