Merge pull request #10 from whywishfree/update-kms-sdk

refactor with kms3.0 sdk

Author: DahuK

README-zh_CN.md

@@ -13,13 +13,13 @@
 
 #### 插件规范兼容性
 
-| Capability       | Compatibility                                                |
-| ---------------- | ------------------------------------------------------------ |
-| keySpec          | `RSA-2048`, `RSA-3072`, `EC-256`                             |
-| hashAlgorithm    | `SHA-256`                                                    |
-| signingAlgorithm | `RSASSA-PSS-SHA-256`                                         |
+| Capability       | Compatibility                                       |
+| ---------------- | --------------------------------------------------- |
+| keySpec          | `RSA-2048`, `EC-256`                             |
+| hashAlgorithm    | `SHA-256`                                           |
+| signingAlgorithm | `RSASSA-PSS-SHA-256`                                |
 | pluginCapability | `SIGNATURE_GENERATOR.RAW`, `SIGNATURE_VERIFIER.TRUSTED_IDENTITY`, `SIGNATURE_VERIFIER.REVOCATION_CHECK` |
-| signingScheme    | `notary.x509`                                                |
+| signingScheme    | `notary.x509`                                       |
 
 
 
@@ -29,20 +29,17 @@
 
 下面总结了配置 notation-alibabacloud-secret-manager 插件以及容器镜像签名和验签的步骤。
 
-- 安装Notation [CLI](https://github.com/notaryproject/notation/releases/tag/v1.1.1)。版本 v1.1.1 已通过测试。请注意，“make install ”会根据 MacOS 环境创建插件目录结构。请根据您的操作系统更新 Makefile。然后，它会根据符号插件目录结构规范将插件复制到适当的位置。
+- 安装Notation [CLI](https://github.com/notaryproject/notation/releases/tag/v1.3.2)。版本 v1.3.2 已通过测试。请注意，“make install ”会根据 MacOS 环境创建插件目录结构。请根据您的操作系统更新 Makefile。然后，它会根据符号插件目录结构规范将插件复制到适当的位置。
 
-- 本插件使用 [KMS Instance SDK](https://www.alibabacloud.com/help/en/kms/developer-reference/kms-instance-sdk-for-go/)，您需要满足以下先决条件并自定义环境变量：
+- 使用本插件您需要自定义以下环境变量：
 
 
 
-| 环境变量                             | 描述                                                         |
-| ------------------------------------ | ------------------------------------------------------------ |
-| ALIBABA_CLOUD_ACCESS_KEY_ID          | 阿里云账户Access Key ID                                      |
-| ALIBABA_CLOUD_ACCESS_KEY_SECRET      | 阿里云账号Access Secret Key                                  |
-| ALIBABA_CLOUD_KMS_INSTANCE_ENDPOINT  | 指定KMS专属实例的VPC Endpoint，比如：kst-hzxxxxxxxxxx.cryptoservice.kms.aliyuncs.com |
-| ALIBABA_CLOUD_KMS_CLIENTKEY_FILEPATH | 访问指定KMS专属实例应用接入点（AAP）的ClientKey凭据文件对应的本地文件路径 |
-| ALIBABA_CLOUD_KMS_PASSWORD           | 指定KMS专属实例应用接入点（AAP）的密钥                       |
-| ALIBABA_CLOUD_KMS_CA_FILEPATH        | 指定KMS专属实例CA证书对应的本地文件路径                      |
+| 环境变量                            | 描述                                                         |
+| ----------------------------------- | ------------------------------------------------------------ |
+| ALIBABA_CLOUD_ACCESS_KEY_ID         | 阿里云账户Access Key ID                                      |
+| ALIBABA_CLOUD_ACCESS_KEY_SECRET     | 阿里云账号Access Secret Key                                  |
+| ALIBABA_CLOUD_KMS_INSTANCE_ENDPOINT | 支持KMS专属实例Endpoint和共享网关Endpoint<br />专属实例Endpoint实例：kst-hzxxxxxxxxxx.cryptoservice.kms.aliyuncs.com<br />共享网关Endpoint实例：kms.cn-hangzhou.aliyuncs.com<br />关于专属网关访问和共享网关访问的更多差异，请参见[共享网关和专属网关的差异](https://www.alibabacloud.com/help/zh/kms/key-management-service/developer-reference/classic-kms-sdkclassic-kms-sdk/#d61514b089my8) |
 
 *注意：notation-alibabacloud-secret-manager插件支持多种Credential配置方式。更多的配置方式请参考[credentials](https://aliyuncontainerservice.github.io/ack-ram-tool/#credentials)*
 
@@ -86,7 +83,7 @@ notation plugin add --file ./notation-alibabacloud.secretmanager.plugin
 
 2. 在密钥管理页面，单击用户主密钥页签，实例ID选择软件密钥管理实例，单击创建密钥。
 
-3. 在创建密钥面板，完成配置项设置，注意这里的密钥规格需要选择**非对称密钥**，密钥用途选择**SIGN/VERIFY**，密钥规则选择上文插件规范兼容性里支持的密钥规格（`RSA-2048`, `RSA-3072`, `EC-256`），然后单击确定。
+3. 在创建密钥面板，完成配置项设置，注意这里的密钥规格需要选择**非对称密钥**，密钥用途选择**SIGN/VERIFY**，密钥规则选择上文插件规范兼容性里支持的密钥规格（`RSA-2048`,`EC-256`），然后单击确定。
 
 
 

README.md

@@ -15,13 +15,13 @@ This document demonstrates how to sign and verify an OCI artifact with Alibaba C
 
 #### Plugin Spec Compatibility
 
-| Capability       | Compatibility                                                |
-| ---------------- | ------------------------------------------------------------ |
-| keySpec          | `RSA-2048`, `RSA-3072`, `EC-256`                             |
-| hashAlgorithm    | `SHA-256`                                                    |
-| signingAlgorithm | `RSASSA-PSS-SHA-256`                                         |
+| Capability       | Compatibility                                              |
+| ---------------- | ---------------------------------------------------------- |
+| keySpec          | `RSA-2048`, `EC-256`                             |
+| hashAlgorithm    | `SHA-256`                                                  |
+| signingAlgorithm | `RSASSA-PSS-SHA-256`                                       |
 | pluginCapability | `SIGNATURE_GENERATOR.RAW`, `SIGNATURE_VERIFIER.TRUSTED_IDENTITY`, `SIGNATURE_VERIFIER.REVOCATION_CHECK` |
-| signingScheme    | `notary.x509`                                                |
+| signingScheme    | `notary.x509`                                              |
 
 
 
@@ -31,16 +31,13 @@ The following summarizes the steps to configure the notation-alibabacloud-secret
 
 - Install notation [CLI](https://github.com/notaryproject/notation/releases/tag/v1.1.1). Version v1.1.1 has been tested. Note that `make install` creates the plugin directory structure based on a MacOS environment. Update the Makefile based on your OS. It then copies the plugin to the appropriate location based on the notation plugin directory structure spec.
 
-- This plugin leverages the [KMS Instance SDK](https://www.alibabacloud.com/help/en/kms/developer-reference/kms-instance-sdk-for-go/), which means you'll need to meet the pre-requisites and customize the environment as follows：
+- To use this plugin, you need to define the following environment variables:
 
-| Env                                  | Description                                                  |
-| ------------------------------------ | ------------------------------------------------------------ |
-| ALIBABA_CLOUD_ACCESS_KEY_ID          | Alibaba Cloud Account Access Key ID                          |
-| ALIBABA_CLOUD_ACCESS_KEY_SECRET      | Alibaba Cloud Account Secret Access Key                      |
-| ALIBABA_CLOUD_KMS_INSTANCE_ENDPOINT  | VPC Endpoint of the Dedicated KMS Instance, for example, kst-hzxxxxxxxxxx.cryptoservice.kms.aliyuncs.com |
-| ALIBABA_CLOUD_KMS_CLIENTKEY_FILEPATH | Local File Path of the ClientKey Credential for the Dedicated KMS Instance Application Access Point (AAP) |
-| ALIBABA_CLOUD_KMS_PASSWORD           | Password for the Dedicated KMS Instance Application Access Point (AAP) |
-| ALIBABA_CLOUD_KMS_CA_FILEPATH        | Local Path of the CA Certificate for the Dedicated KMS Instance |
+| Env                                 | Description                                                  |
+| ----------------------------------- | ------------------------------------------------------------ |
+| ALIBABA_CLOUD_ACCESS_KEY_ID         | Alibaba Cloud Account Access Key ID                          |
+| ALIBABA_CLOUD_ACCESS_KEY_SECRET     | Alibaba Cloud Account Secret Access Key                      |
+| ALIBABA_CLOUD_KMS_INSTANCE_ENDPOINT | Supports both KMS dedicated instance Endpoint and shared gateway Endpoint.  <br />**Dedicated instance Endpoint example**: kst-hzxxxxxxxxxx.cryptoservice.kms.aliyuncs.com<br />   **Shared gateway Endpoint example**: kms.cn-hangzhou.aliyuncs.com   <br />For more information about the differences between accessing via a dedicated gateway and a shared gateway, please refer to [**Differences between shared and dedicated gateways for accessing KMS**](https://www.alibabacloud.com/help/en/kms/key-management-service/developer-reference/classic-kms-sdkclassic-kms-sdk/#26484656d84ey) |
 
 *Note: the notation-alibabacloud-secret-manager plugin supports various Credential configuration methods. For more details, please refer to [credentials](https://aliyuncontainerservice.github.io/ack-ram-tool/#credentials)*
 
@@ -79,7 +76,7 @@ Users can [create a key](https://help.aliyun.com/en/kms/key-management-service/u
 
 2. On the **Keys** page, click the **Default Key** tab.
 
-3. In the Create Keys panel, complete the configuration settings, noting that you need to select **Asymmetric Keys** for Key Type, **SIGN/VERIFY** for Key Usage,  and select the key specifications supported by Plugin Spec Compatibility above (`RSA-2048`, `RSA-3072`, `EC-256`), and then click OK.
+3. In the Create Keys panel, complete the configuration settings, noting that you need to select **Asymmetric Keys** for Key Type, **SIGN/VERIFY** for Key Usage,  and select the key specifications supported by Plugin Spec Compatibility above (`RSA-2048`, `EC-256`), and then click OK.
 
 
 

ci/ossutil/go.mod

@@ -1,6 +1,8 @@
 module github.com/AliyunContainerService/ack-ram-tool/ci/ossutil
 
-go 1.19
+go 1.23.0
+
+toolchain go1.24.0
 
 require (
 	github.com/alibabacloud-go/tea v1.2.0
@@ -13,7 +15,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.9.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	gopkg.in/ini.v1 v1.56.0 // indirect
 )

ci/ossutil/go.sum

@@ -50,8 +50,9 @@ golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

cmd/notation-alibabacloud-secret-manager/main.go

@@ -19,12 +19,14 @@ import (
 	"os"
 
 	"github.com/notaryproject/notation-plugin-framework-go/cli"
+
+	notationplugin "github.com/AliyunContainerService/notation-alibabacloud-secret-manager/plugin"
 )
 
 func main() {
 	ctx := context.Background()
 	// Initialize plugin
-	plugin, err := NewAlibabaCloudSecretManagerPlugin()
+	plugin, err := notationplugin.NewAlibabaCloudSecretManagerPlugin()
 	if err != nil {
 		_, _ = fmt.Fprintf(os.Stderr, "failed to initialize plugin: %v\n", err)
 		os.Exit(2)

go.mod

@@ -1,6 +1,8 @@
 module github.com/AliyunContainerService/notation-alibabacloud-secret-manager
 
-go 1.21
+go 1.23.0
+
+toolchain go1.24.0
 
 require (
 	github.com/AliyunContainerService/ack-ram-tool v0.18.1
@@ -65,14 +67,13 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
-	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect