notation cert generate-test should not add to verification certs #86

@SteveLasker

Current behavior:

notation cert generate-test "wabbit-networks.io"
adds the key to signingKeys and verificationCerts

{
  "enabled": false,
  "verificationCerts": {
    "certs": [
      {
        "name": "wabbit-networks.io",
        "path": "/home/stevelas/.config/notation/certificate/wabbit-networks.io.crt"
      }
    ]
  },
  "signingKeys": {
    "default": "",
    "keys": [
      {
        "name": "wabbit-networks.io",
        "path": "/home/stevelas/.config/notation/key/wabbit-networks.io.key"
      }
    ]
  },
  "insecureRegistries": []
}

Expected behavior:

Just thinking we shouldn't assume adding a signing key should imply it should immediately be verifiable. Seems the user should opt into what they verify.

notation cert generate-test "wabbit-networks.io"
would add:

"signingKeys": {
    "default": "",
    "keys": [
      {
        "name": "wabbit-networks.io",
        "path": "/home/stevelas/.config/notation/key/wabbit-networks.io.key"
      }
    ]
}

Then, the user adds the key:
notation cert add "wabbit-networks.io" ~/.config/notation/certificate/wabbit-networks.io.crt
would add:

"verificationCerts": {
    "certs": [
      {
        "name": "wabbit-networks.io",
        "path": "/home/stevelas/.config/notation/certificate/wabbit-networks.io.crt"
      }
    ]
}
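
An added example, not part of the issue or of notation's own code: a check over a `config.json` of the shape shown above that flags any name trusted for verification only because a signing key of the same name exists, and produces a copy where such certs stay only if explicitly approved. The function names, the `approved` parameter and the `registry-prod` entry are assumptions made for illustration.

```python
import json

# Constructed sample: config.json in the shape the issue shows after
# `notation cert generate-test "wabbit-networks.io"`, plus one cert
# ("registry-prod", a made-up name) that has no local signing key.
SAMPLE_CONFIG = """
{
  "enabled": false,
  "verificationCerts": {
    "certs": [
      {"name": "wabbit-networks.io",
       "path": "/home/stevelas/.config/notation/certificate/wabbit-networks.io.crt"},
      {"name": "registry-prod",
       "path": "/home/stevelas/.config/notation/certificate/registry-prod.crt"}
    ]
  },
  "signingKeys": {
    "default": "",
    "keys": [
      {"name": "wabbit-networks.io",
       "path": "/home/stevelas/.config/notation/key/wabbit-networks.io.key"}
    ]
  },
  "insecureRegistries": []
}
"""

def _entries(cfg, section, field):
    # Missing or null sections are treated as empty lists.
    return (cfg.get(section) or {}).get(field) or []

def find_implicit_trust(cfg):
    """Names present as both a signing key and a verification cert."""
    key_names = {k["name"] for k in _entries(cfg, "signingKeys", "keys") if "name" in k}
    return [c.get("name") for c in _entries(cfg, "verificationCerts", "certs")
            if c.get("name") in key_names]

def require_opt_in(cfg, approved=()):
    """Copy of cfg that keeps an overlapping cert only if explicitly approved."""
    flagged = set(find_implicit_trust(cfg)) - set(approved)
    out = json.loads(json.dumps(cfg))  # deep copy; the input is left untouched
    certs = [c for c in _entries(out, "verificationCerts", "certs")
             if c.get("name") not in flagged]
    out["verificationCerts"] = dict(out.get("verificationCerts") or {}, certs=certs)
    return out

if __name__ == "__main__":
    config = json.loads(SAMPLE_CONFIG)
    print("trusted without opt-in:", find_implicit_trust(config))
    print(json.dumps(require_opt_in(config)["verificationCerts"], indent=2))
```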
