Remove notation validation to avoid panics #4962

Closed

stefanprodan
Member

Fix: #4961

name: "invalid trust policy json",
args: fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
},
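Review bot: the "invalid trust policy json" case is the visible check that `create secret notation` rejects a `--trust-policy-file` that does not decode into a trust policy document. If it is dropped along with the validation, nothing shown here stops a malformed policy from being written into the secret and failing only when it is read later. The expected error (`cannot unmarshal string into Go value of type trustpolicy.Document`) shows the fixture is well-formed JSON of the wrong shape, so a bare syntax check would not replace it; decoding into a locally defined struct would keep this case failing until the upstream validation can be restored. Separately, the case passes `t.TempDir()`, a directory, as `--ca-cert-file`, so the assertion depends on the trust policy being processed before the certificate path is read; a real temporary file would remove that ordering dependency.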
Contributor

Instead of removing all these, how about vendoring the notation-go code temporarily until the upstream fix is available for us to use?
I gave it a try to see if we can vendor minimal code and got it working with the attached diff. It's a lot to be pasted in a comment. It has references to the upstream code from where they are taken and reference to the PR that will make them not required. It is based on the flux2 latest main branch and can be applied with git apply notation-trustpolicy-validate.diff.txt.

notation-trustpolicy-validate.diff.txt

I think it's simpler to replace the vendored code with upstream than to introduce removed validation and test cases at some time in the future.

@stefanprodan
Member Author

stefanprodan commented Sep 3, 2024

Thanks to @JasonTheDeveloper we'll have a fix upstream. We can close this PR once the notation-go is released.

notaryproject/notation-go#449

Successfully merging this pull request may close these issues.

flux commands panic when $HOME $XDG_CONFIG_HOME unset