Support publishing externally generated signatures #475

@jeremyrickard

What is the area you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

Suppose I have an external/third-party signing service that allows me to produce a signature compatible with the Notary spec. Currently, if I want to then "publish" or "attach" that to the container/artifact I am signing, I need to do a few things that currently are handled by the notation client:

  1. I need to produce the proper manifest including: artifact type, referrers/subject, and io.cncf.notary.x509chain.thumbprint#S256 annotation.
  2. I then need to use something like oras to attach that to the image and ensure that I am using a proper version (i.e. 0.16.0 or later) and keep the tools in sync.

What solution do you propose?

I propose either a plugin or an "attach" command that would allow an externally generated notary compliant signature to be attached to an image.

What alternatives have you considered?

I have built a proof of concept standalone tool but would like to make something more generally available for anyone that might need to generate notary v2 compliant signatures using some other third-party service.

Any additional context?

No response
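
The manifest described in step 1 of the issue, as an added example that is not part of the original issue and is not Notation's own code. It assumes the OCI image-manifest layout and media types from the Notary Project signature specification; `Descriptor`, `describe`, `sha256Hex` and `SignatureManifest` are hypothetical names, and the sample inputs are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Descriptor struct { // OCI content descriptor
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
func describe(mediaType string, blob []byte) Descriptor {
	return Descriptor{mediaType, "sha256:" + sha256Hex(blob), int64(len(blob))}
}

// SignatureManifest (hypothetical name) builds the referrer manifest for an external signature.
// Media types are assumed from the Notary Project signature spec; chainDER is DER, leaf first.
func SignatureManifest(subject Descriptor, envelope []byte, envelopeType string, chainDER [][]byte) ([]byte, error) {
	if len(chainDER) == 0 {
		return nil, fmt.Errorf("certificate chain is empty: thumbprint annotation cannot be built")
	}
	thumbs := make([]string, len(chainDER))
	for i, der := range chainDER {
		thumbs[i] = sha256Hex(der) // SHA-256 over the whole DER-encoded certificate
	}
	thumbJSON, _ := json.Marshal(thumbs) // a []string always marshals
	return json.MarshalIndent(map[string]interface{}{
		"schemaVersion": 2,
		"mediaType":     "application/vnd.oci.image.manifest.v1+json",
		"artifactType":  "application/vnd.cncf.notary.signature",
		"config":        describe("application/vnd.oci.empty.v1+json", []byte("{}")),
		"layers":        []Descriptor{describe(envelopeType, envelope)},
		"subject":       subject, // descriptor of the image being signed
		"annotations":   map[string]string{"io.cncf.notary.x509chain.thumbprint#S256": string(thumbJSON)},
	}, "", "  ")
}

func main() {
	subject := describe("application/vnd.oci.image.manifest.v1+json", []byte("image manifest")) // constructed
	out, err := SignatureManifest(subject, []byte(`{"payload":"..."}`), "application/jose+json", [][]byte{[]byte("leaf DER"), []byte("root DER")})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The envelope blob and this manifest still have to be pushed to the registry, which is step 2 in the issue.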

Metadata

Assignees: No one assigned

Labels: enhancement (New feature or request)

Status: Todo