notaryproject / notation-go

A collection of libraries for signing and verifying OCI artifacts. Based on Notary Project specifications.

Implement Semantic Versioning

rgnote opened this issue · comments

Notary V2 uses SemVer for plugin versioning. See spec here
At the time of writing this issue, Golang has no standard library support for parsing or comparing SemVer strings. This issue is to track implementing SemVer in Notation if no alternative is available. This issue is blocking the use of the verification plugin minimum version critical attribute in the signature verification workflow.

code:

// TODO verify the plugin's version is equal to or greater than `outcome.SignerInfo.SignedAttributes.HeaderVerificationPluginMinVersion`
// https://github.com/notaryproject/notation-go/issues/102

@rgnote Golang has standard library support for parsing and comparing SemVer strings. Those libraries live in the go mod repo (see github.com/golang/mod), where the semver package is available here.

@shizhMSFT Couple of issues with x/mod

  1. It requires versions to be prefixed with v
  2. Allows partial strings such as 1, 1.0, etc.

We may need to write a wrapper around it to make it work with Notation.
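
The minimum-version check this thread asks for, as an added example (not notation-go code and not posted by anyone in the thread): a standard-library-only sketch that rejects a `v` prefix and partial versions, and fails closed when either string cannot be parsed. `MeetsMinimum`, `cmpIDs` and `strictSemVer` are hypothetical names, and the sketch does not call golang.org/x/mod/semver.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Strict SemVer 2.0.0 only: no "v" prefix, no partial "1" or "1.0", no leading zeros.
var strictSemVer = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
	`(?:\+[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*)?$`)

// cmpIDs orders dot-separated identifiers by SemVer precedence (<0, 0, >0).
func cmpIDs(x, y []string) int {
	for i := 0; i < len(x) && i < len(y); i++ {
		a, b := x[i], y[i]
		an, bn := strings.Trim(a, "0123456789") == "", strings.Trim(b, "0123456789") == ""
		switch {
		case a == b: // equal, look at the next identifier
		case an != bn && an: // numeric ranks below alphanumeric
			return -1
		case an != bn:
			return 1
		case an && len(a) != len(b): // no leading zeros: longer is larger, no overflow
			return len(a) - len(b)
		default:
			return strings.Compare(a, b)
		}
	}
	return len(x) - len(y) // all shared identifiers equal: more fields ranks higher
}

// MeetsMinimum reports whether have >= minimum; unparseable input fails closed.
func MeetsMinimum(have, minimum string) (bool, error) {
	h, m := strictSemVer.FindStringSubmatch(have), strictSemVer.FindStringSubmatch(minimum)
	if h == nil || m == nil {
		return false, fmt.Errorf("not strict SemVer: %q or %q", have, minimum)
	}
	if c := cmpIDs(h[1:4], m[1:4]); c != 0 || h[4] == "" || m[4] == "" {
		return c > 0 || (c == 0 && h[4] == ""), nil // a release outranks its pre-releases
	}
	return cmpIDs(strings.Split(h[4], "."), strings.Split(m[4], ".")) >= 0, nil
}

func main() { // constructed sample versions
	fmt.Println(MeetsMinimum("1.10.0", "1.9.9"))
	fmt.Println(MeetsMinimum("v1.2.0", "1.0.0"))
}
```

Build metadata after `+` is accepted but ignored for ordering, as SemVer precedence requires.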