fix: remove generate-envelope plugin support for blob signing (#546)

JeyJeyGao · web-flow · commit 626ac1d9c00c · 2025-05-09T16:27:41.000+08:00
resolves #544 --------- Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
diff --git a/signer/plugin.go b/signer/plugin.go
@@ -123,6 +123,13 @@ func (s *PluginSigner) SignBlob(ctx context.Context, descGenFunc notation.BlobDe
 	if err != nil {
 		return nil, nil, err
 	}
+	// only support blob signing with the signature generator capability because
+	// the envelope generator capability is designed for OCI signing.
+	// A new capability may be added in the future for blob signing.
+	if !metadata.HasCapability(plugin.CapabilitySignatureGenerator) {
+		return nil, nil, fmt.Errorf("the plugin %q lacks the signature generator capability required for blob signing", metadata.Name)
+	}
+
 	logger.Debug("Invoking plugin's describe-key command")
 	ks, err := s.getKeySpec(ctx, mergedConfig)
 	if err != nil {
@@ -135,12 +142,7 @@ func (s *PluginSigner) SignBlob(ctx context.Context, descGenFunc notation.BlobDe
 		return nil, nil, err
 	}
 	logger.Debugf("Using plugin %v with capabilities %v to sign blob using descriptor %+v", metadata.Name, metadata.Capabilities, desc)
-	if metadata.HasCapability(plugin.CapabilitySignatureGenerator) {
-		return s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig)
-	} else if metadata.HasCapability(plugin.CapabilityEnvelopeGenerator) {
-		return s.generateSignatureEnvelope(ctx, desc, opts)
-	}
-	return nil, nil, fmt.Errorf("plugin does not have signing capabilities")
+	return s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig)
 }
 
 func (s *PluginSigner) getKeySpec(ctx context.Context, config map[string]string) (signature.KeySpec, error) {
diff --git a/signer/plugin_test.go b/signer/plugin_test.go
@@ -363,6 +363,21 @@ func TestPluginSigner_SignBlob_Valid(t *testing.T) {
 	}
 }
 
+func TestPluginSigner_SignBlob_Invalid(t *testing.T) {
+	t.Run("blob signing with generate envelope plugin should fail", func(t *testing.T) {
+		plugin := &mockPlugin{}
+		plugin.wantEnvelope = true
+		pluginSigner := PluginSigner{
+			plugin: plugin,
+		}
+		_, _, err := pluginSigner.SignBlob(context.Background(), getDescriptorFunc(false), validSignOpts)
+		expectedErrMsg := "the plugin \"testPlugin\" lacks the signature generator capability required for blob signing"
+		if err == nil || !strings.Contains(err.Error(), expectedErrMsg) {
+			t.Fatalf("expected error %q, got %v", expectedErrMsg, err)
+		}
+	})
+}
+
 func TestPluginSigner_SignEnvelope_RunFailed(t *testing.T) {
 	for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
 		t.Run(fmt.Sprintf("envelopeType=%v", envelopeType), func(t *testing.T) {
