
[Impl] Signing plugin integration - Local on disk key/key-file signing #31

Open
iamsamirzon opened this issue Oct 11, 2021 · 8 comments
Comments

@iamsamirzon
Contributor

iamsamirzon commented Oct 11, 2021

Summary
Intended Outcome
The APIs are implemented in the Go programming language; add optional password protection for keys stored on local storage.
Additional context
Part of this was done as alpha-1. The remaining parts are password protection and adding a certificate chain.
We need a spec on what format(s) to support, and an implementation. For RC-1 we can use one format.


Impl context

  • Along with the signing key (private key) we will need a signing certificate and certificate chain, as the signing certificate and cert chain will be embedded in the signature envelope.
  • Also, how about using a default name for the default identity? Although this works better with INI format.
"signing-identites": [
  {
      "name": "default",
      "signing-certificate": "~/./notary/keys/wabbit-networks.crt",
      "signing-certificate-chain": "~/./notary/keys/wabbit-networks-chain.crt",
      "private-key": "~/./notary/keys/wabbit-networks.key"
  },
  {
      "name": "import-acme-rockets",
      "signing-certificate": "~/./notary/keys/import-acme-rockets.crt",
      "signing-certificate-chain": "~/./notary/keys/import-acme-rockets-chain.crt",
      "private-key": "~/./notary/keys/import-acme-rockets.key"
  }
]

The implementation details were copied from notaryproject/notation#89.
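An added example, not code from the notation project: a Go sketch of what loading one of the identities above from disk needs to check before the certificate and chain are embedded in a signature envelope. It assumes the PEM bytes have already been read from the configured files, that the key is an unencrypted PKCS#8 key (the password-protected case this issue defers is not handled), and uses the standard library's tls.X509KeyPair for the key/certificate match check; NewSelfSignedPEM only constructs test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// NewSelfSignedPEM makes a throwaway self-signed ECDSA P-256 identity for local testing
// and returns the certificate and PKCS#8 key as PEM, the form the config above points at.
func NewSelfSignedPEM(cn string) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	kb, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for a freshly generated ECDSA key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kb}), nil
}

// LoadSigningIdentity takes the PEM chain (leaf first) and unencrypted key as they would
// be read from disk, rejects a key that does not match the leaf certificate, and requires
// the leaf to carry digitalSignature key usage. It returns the leaf and the chain length.
func LoadSigningIdentity(chainPEM, keyPEM []byte) (*x509.Certificate, int, error) {
	pair, err := tls.X509KeyPair(chainPEM, keyPEM)
	if err != nil { // covers malformed PEM and "private key does not match public key"
		return nil, 0, err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, 0, err
	}
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return nil, 0, errors.New("signing certificate lacks digitalSignature key usage")
	}
	return leaf, len(pair.Certificate), nil
}
```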

@iamsamirzon iamsamirzon added this to the alpha-2 milestone Oct 11, 2021
@iamsamirzon iamsamirzon changed the title Signing provider integration - local host key store signing API Implementation Signing plugin integration - Local on disk key/key-file signing Oct 11, 2021
@iamsamirzon
Contributor Author

We should specify the default signing experience and how it is protected (with a password, etc.).

@iamsamirzon iamsamirzon modified the milestones: alpha-2, alpha-3 Feb 22, 2022
@iamsamirzon
Contributor Author

Part of "E2E signing workflow with local keys" in the spreadsheet. This is the implementation part.

@yizha1
Contributor

yizha1 commented Jun 23, 2022

Hi,

The remaining work for this issue is to support encrypted local keys; however, due to the lack of a Go library and limited dev capacity, the proposal is to move this issue out of RC1 scope.

It is also proposed to keep the support for signing with a local key, which was implemented as the first part of this issue. If this function is removed, users need to set up a Key Vault or KMS environment in order to try the notation signing function, which may not be affordable or feasible for the user. In other words, the following use cases will not be supported:

  • As a user, I want to experience notation signing using a self-signed local key
  • As a user, I want to sign using a local key where remote signing is not enabled

We could add some notes in the document or tips for the local sign commands to emphasize that it is for testing purposes only.

cc @FeynmanZhou @shizhMSFT

Thanks,
Yi

@roywill

roywill commented Jun 23, 2022

Since we don't have existing libraries for Go that handle the PKCS scenarios we think we need, I see we have four options:

  1. delay/punt this feature to the next release,
  2. invest the time to implement the Go library features,
  3. offer it as a standalone signing tool leveraging another language where the libraries exist, or
  4. allow third-party tools to do this.

The interesting thing to be aware of is that if we wanted something like SigStore to sign then their move to adopt COSE would still have to wait until we accept that format.

If that is a future goal, then planning to build a solution that would have to change in the near term and should enable SCITT and other services to sign.

@iamsamirzon
Contributor Author

@gokarnm - Could you look at this proposal from @roywill above? If this functionality is removed from RC-1, then doing automated testing will require some other approach.

@iamsamirzon
Contributor Author

@roywill - @gokarnm's suggestion is to maintain the test certificate generation for RC-1 that allows users to test locally. https://github.com/notaryproject/notation/blob/main/docs/hello-signing.md#signing-a-container-image

@iamsamirzon
Contributor Author

iamsamirzon commented Jul 13, 2022

This is related to having the spec finalized in #44.

@iamsamirzon iamsamirzon assigned iamsamirzon and unassigned gokarnm Jul 13, 2022
@dtzar dtzar modified the milestones: alpha-3, Discuss Jul 28, 2022
@vaninrao10 vaninrao10 changed the title Signing plugin integration - Local on disk key/key-file signing [Impl] Signing plugin integration - Local on disk key/key-file signing Nov 23, 2022
@vaninrao10 vaninrao10 modified the milestones: Discuss, RC-2 Nov 23, 2022
@iamsamirzon
Contributor Author

Based on the agreement in the NV2 community call on 12/5/2022, moving this out of RC-2.

@iamsamirzon iamsamirzon removed this from the RC-2 milestone Dec 6, 2022
@iamsamirzon iamsamirzon added this to the future milestone Dec 6, 2022