added more tests

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>

config/base_test.go

@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-go/dir"
@@ -33,6 +34,9 @@ func TestLoadNonExistentFile(t *testing.T) {
 }
 
 func TestLoadSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("skipping test on Windows")
+	}
 	root := t.TempDir()
 	dir.UserConfigDir = root
 	fileName := "symlink"

example_signWithTimestmap_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/registry"
 	"github.com/notaryproject/notation-go/signer"
+	"github.com/notaryproject/tspclient-go"
 )
 
 // Example_signWithTimestamp demonstrates how to use notation.Sign to sign an
@@ -105,10 +106,14 @@ gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 	tsaRootCAs.AddCert(tsaRootCert)
 
 	// exampleSignOptions is an example of notation.SignOptions.
+	httpTimestamper, err := tspclient.NewHTTPTimestamper(nil, exampleRFC3161TSAServer)
+	if err != nil {
+		panic(err) // Handle error
+	}
 	exampleSignOptions := notation.SignOptions{
 		SignerSignOptions: notation.SignerSignOptions{
 			SignatureMediaType: exampleSignatureMediaType,
-			TSAServerURL:       exampleRFC3161TSAServer,
+			Timestamper:        httpTimestamper,
 			TSARootCAs:         tsaRootCAs,
 		},
 		ArtifactReference: exampleArtifactReference,

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/notaryproject/notation-core-go v1.0.3
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
-	github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe
+	github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/veraison/go-cose v1.1.0
@@ -25,6 +25,4 @@ require (
 	golang.org/x/sync v0.6.0 // indirect
 )
 
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e
-
-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18

go.sum

@@ -1,9 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e h1:yDGu0wnuX+3xSDLXeIPV751jaBaTjMjcpVz5NwTypm4=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e/go.mod h1:hXbhc81hiH9tQOZ4w5pI+Z83y8qhpXKbsLXHWA/74TE=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 h1:ME+WMRNcucfmJ9Le8eCtdV1gR3Xc8ve6Ab/cPnN/z48=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18 h1:lYX4Y5ZkbWbsAJkdMCSfg0Nc3lxsKWmOaHtnKejoIMY=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -38,6 +36,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
+github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc=
+github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=

internal/mock/ocilayout/ocilayout_test.go

@@ -15,6 +15,7 @@ package ocilayout
 
 import (
 	"os"
+	"runtime"
 	"testing"
 )
 
@@ -26,7 +27,10 @@ func TestCopy(t *testing.T) {
 		}
 	})
 
-	t.Run("invalid target path", func(t *testing.T) {
+	t.Run("invalid target path permission", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
 		tempDir := t.TempDir()
 		// change the permission of the tempDir to make it invalid
 		if err := os.Chmod(tempDir, 0); err != nil {

notation.go

@@ -38,6 +38,7 @@ import (
 	"github.com/notaryproject/notation-go/log"
 	"github.com/notaryproject/notation-go/registry"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+	"github.com/notaryproject/tspclient-go"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -63,8 +64,8 @@ type SignerSignOptions struct {
 	// SigningAgent sets the signing agent name
 	SigningAgent string
 
-	// TSAServerURL denotes the TSA server URL
-	TSAServerURL string
+	// Timestamper denotes the timestamper for RFC 3161 timestamping
+	Timestamper tspclient.Timestamper
 
 	// TSARootCAs is the cert pool holding caller's TSA trust anchor
 	TSARootCAs *x509.CertPool

registry/repository_test.go

@@ -23,6 +23,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -607,6 +608,9 @@ func TestNewOCIRepositoryFailed(t *testing.T) {
 	})
 
 	t.Run("no permission to create new path", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
 		// create a directory in the temp dir
 		dirPath := filepath.Join(t.TempDir(), "dir")
 		err := os.Mkdir(dirPath, 0000)

signer/signer.go

@@ -122,7 +122,7 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 		SigningTime:   time.Now(),
 		SigningScheme: signature.SigningSchemeX509,
 		SigningAgent:  signingAgentId,
-		TSAServerURL:  opts.TSAServerURL,
+		Timestamper:   opts.Timestamper,
 		TSARootCAs:    opts.TSARootCAs,
 	}
 
@@ -137,7 +137,9 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 	logger.Debugf("  Expiry:        %v", signReq.Expiry)
 	logger.Debugf("  SigningScheme: %v", signReq.SigningScheme)
 	logger.Debugf("  SigningAgent:  %v", signReq.SigningAgent)
-	logger.Debugf("  TSAServerURL:  %v", signReq.TSAServerURL)
+
+	// Add ctx to the SignRequest
+	signReq = signReq.WithContext(ctx)
 
 	// perform signing
 	sigEnv, err := signature.NewEnvelope(opts.SignatureMediaType)

signer/signer_test.go

@@ -34,13 +34,17 @@ import (
 	_ "github.com/notaryproject/notation-core-go/signature/cose"
 	_ "github.com/notaryproject/notation-core-go/signature/jws"
 	"github.com/notaryproject/notation-core-go/testhelper"
+	nx509 "github.com/notaryproject/notation-core-go/x509"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/internal/envelope"
 	"github.com/notaryproject/notation-go/plugin/proto"
+	"github.com/notaryproject/tspclient-go"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
+const rfc3161URL = "http://timestamp.digicert.com"
+
 type keyCertPair struct {
 	keySpecName string
 	key         crypto.PrivateKey
@@ -208,7 +212,18 @@ func TestSignWithCertChain(t *testing.T) {
 	for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
 		for _, keyCert := range keyCertPairCollections {
 			t.Run(fmt.Sprintf("envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) {
-				validateSignWithCerts(t, envelopeType, keyCert.key, keyCert.certs)
+				validateSignWithCerts(t, envelopeType, keyCert.key, keyCert.certs, false)
+			})
+		}
+	}
+}
+
+func TestSignWithTimestamping(t *testing.T) {
+	// sign with key
+	for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
+		for _, keyCert := range keyCertPairCollections {
+			t.Run(fmt.Sprintf("envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) {
+				validateSignWithCerts(t, envelopeType, keyCert.key, keyCert.certs, true)
 			})
 		}
 	}
@@ -354,7 +369,7 @@ func verifySigningAgent(t *testing.T, signingAgentId string, metadata *proto.Get
 	}
 }
 
-func validateSignWithCerts(t *testing.T, envelopeType string, key crypto.PrivateKey, certs []*x509.Certificate) {
+func validateSignWithCerts(t *testing.T, envelopeType string, key crypto.PrivateKey, certs []*x509.Certificate, timestamp bool) {
 	s, err := New(key, certs)
 	if err != nil {
 		t.Fatalf("NewSigner() error = %v", err)
@@ -363,6 +378,19 @@ func validateSignWithCerts(t *testing.T, envelopeType string, key crypto.Private
 	ctx := context.Background()
 	desc, sOpts := generateSigningContent()
 	sOpts.SignatureMediaType = envelopeType
+	if timestamp {
+		sOpts.Timestamper, err = tspclient.NewHTTPTimestamper(nil, rfc3161URL)
+		if err != nil {
+			t.Fatal(err)
+		}
+		rootCerts, err := nx509.ReadCertificateFile("./testdata/DigiCertTSARootSHA384.cer")
+		if err != nil {
+			t.Fatal(err)
+		}
+		rootCAs := x509.NewCertPool()
+		rootCAs.AddCert(rootCerts[0])
+		sOpts.TSARootCAs = rootCAs
+	}
 	sig, _, err := s.Sign(ctx, desc, sOpts)
 	if err != nil {
 		t.Fatalf("Sign() error = %v", err)

verifier/verifier.go

@@ -809,7 +809,7 @@ func verifyAuthenticTimestamp(ctx context.Context, policyName string, trustStore
 		}
 		// 3. Validate timestamping certificate chain
 		logger.Info("Validating timestamping certificate chain...")
-		if err := nx509.ValidateTimestampingCertChain(tsaCertChain, nil); err != nil {
+		if err := nx509.ValidateTimestampingCertChain(tsaCertChain); err != nil {
 			return &notation.ValidationResult{
 				Error:  fmt.Errorf("failed to validate the timestamping certificate chain with error: %w", err),
 				Type:   trustpolicy.TypeAuthenticTimestamp,