-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Impl] Signing plugin integration - Local on disk key/key-file signing #31
Comments
We should specify the default signing experience and how it is protected ( with a password etc). |
Part of "E2E signing workflow with local keys" in the spreadsheet. This is the implementation part |
Hi, The remaining work for this issue is to support encrypted local key, however, due to lack of go library and limited dev capacity, the proposal is to move this issue out of RC1 scope. It is also proposed to keep the support of signing with local key, which was implemented as first part of this issue. If this function is removed, user need to set up Key Vault or KMS environment in order to try notation signing function, which may not be affordable or feasible for the user. In other words, the following use cases will not be supported:
We could add some notes in the document or tips for the local sign commands to emphasis that it is for testing purpose only. Thanks, |
Since we don't have existing libraries for Go that handle the PKCS scenarios we think we need, I see we have four options:
The interesting thing to be aware of is that if we wanted something like SigStore to sign then their move to adopt COSE would still have to wait until we accept that format. If that is a future goal, then planning to build a solution that would have to change in the near term and should enable SCITT and other services to sign. |
@roywill - @gokarnm suggestion is to maintain the test certificate generation for RC-1 that allows users to test locally. https://github.com/notaryproject/notation/blob/main/docs/hello-signing.md#signing-a-container-image |
This is related on having the spec finalized in #44 |
Based on the agreement in NV2 community call on 12/5/2022, moving this out of RC-2 |
Summary
Intended Outcome
The APIs are implemented in GO programming language; Add optional password protection for keys stored on local storage
Additional context
Part of this was done as alpha-1. The remaining parts are - password protection and adding a certificate chain
We need a spec on what format(s) to support and, am implementation. For RC-1 we can use one format.
Impl context
default
name for default identity? Although this works better with INI format.The implementation details was copied from notaryproject/notation#89
The text was updated successfully, but these errors were encountered: