notaryproject / notation-go

A collection of libraries supporting signing and verifying OCI artifacts. Based on Notary Project specifications.


Proposal: Add `SignatureMediaTypes` array to `RemoteVerifyOptions` in `notation.Verify()`

patrickzheng200 opened this issue · comments

Created this issue to track adding a SignatureMediaTypes array to RemoteVerifyOptions.
Proposed behavior:

  1. When SignatureMediaTypes is empty, i.e. left by user as default, all signature media types will be processed by notation.Verify().
  2. When set by user, only process signature media type(s) contained in the array.

One reason to do so is that a certain signature media type with version v1 might have a security issue, and a v2 version needs to be released. All signatures signed in v1 shall be skipped in notation.Verify(). In this case, we can set SignatureMediaTypes as [example v2] to filter out signatures already signed in v1.

The origin of this issue lies in #208 (comment), and I think we still need to figure out a few things.

> One reason to do so is that a certain signature media type with version v1 might have a security issue, and a v2 version needs to be released. All signatures signed in v1 shall be skipped in notation.Verify(). In this case, we can set SignatureMediaTypes as [example v2] to filter out signatures already signed in v1.

If an implementation starts filtering out a signature format, then it's not abiding by the Notary V2 spec and is implementing only a subset of the specifications, because Notary V2 says it supports multiple signature formats.
Also, if there is a security issue with the v1 signature, it will take more than filtering because the user will need to re-sign the artifacts, so just filtering won't help. Also, if there is a security issue with the v1 format, then Notary should drop support for it.

> Also, if there is a security issue with the v1 signature, it will take more than filtering because the user will need to re-sign the artifacts, so just filtering won't help. Also, if there is a security issue with the v1 format, then Notary should drop support for it.

Yes, the user needs to re-sign. Besides re-signing, we still need this change in the verification process to filter out the old v1 signatures. (These v1 signatures have already been pushed into the remote registry, and Notation does not have a delete method to remove them.) If we do not do the filtering, v1 and v2 signatures will be mixed in the verification process. So the user won't be able to tell if a successful verification is triggered by a v1 signature or a re-signed v2 signature.
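
The filtering semantics proposed in the issue, and the mixed v1/v2 outcome raised in the last comment, as an added Go example that is not notation-go code. The `signature` type, the `verify` function and both media type strings are hypothetical, and a boolean stands in for real signature verification.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed media types for illustration, not real Notation envelope types.
const (
	mediaV1 = "application/vnd.example.signature.v1"
	mediaV2 = "application/vnd.example.signature.v2"
)

// signature is a hypothetical stand-in for a signature stored in a registry;
// Valid replaces the real cryptographic and trust-policy checks.
type signature struct {
	MediaType string
	Valid     bool
}

var errNoValidSignature = errors.New("no signature of an allowed media type verified")

// verify applies the proposed semantics: an empty allow-list processes every
// signature, a non-empty one processes only exact media type matches. It
// returns the media type that satisfied verification and the skipped count.
func verify(sigs []signature, allowed []string) (verifiedBy string, skipped int, err error) {
	allow := make(map[string]bool, len(allowed))
	for _, mt := range allowed {
		allow[mt] = true
	}
	for _, s := range sigs {
		if len(allow) > 0 && !allow[s.MediaType] {
			skipped++ // filtered out before any verification work
			continue
		}
		if s.Valid {
			return s.MediaType, skipped, nil
		}
	}
	// Fail closed: a skipped signature never counts as a success.
	return "", skipped, errNoValidSignature
}

func main() {
	sigs := []signature{{mediaV1, true}, {mediaV2, true}} // constructed sample
	fmt.Println(verify(sigs, nil))               // v1 satisfies verification
	fmt.Println(verify(sigs, []string{mediaV2})) // only v2 can satisfy it
}
```

With the allow-list set and only a v1 signature present, `verify` returns an error rather than succeeding, which is the case an artifact that has not yet been re-signed would hit.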