diff --git a/cmd/notation/cert/add.go b/cmd/notation/cert/add.go
index 820212c67..adb448781 100644
--- a/cmd/notation/cert/add.go
+++ b/cmd/notation/cert/add.go
@@ -56,7 +56,7 @@ Example - Add a certificate to the "tsa" type of a named store "timestamp":
 return addCerts(opts)
 },
 }
- command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority")
+ command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority, tsa")
 command.Flags().StringVarP(&opts.namedStore, "store", "s", "", "specify named store")
 command.MarkFlagRequired("type")
 command.MarkFlagRequired("store")
diff --git a/cmd/notation/cert/delete.go b/cmd/notation/cert/delete.go
index 68a745a52..071741618 100644
--- a/cmd/notation/cert/delete.go
+++ b/cmd/notation/cert/delete.go
@@ -67,7 +67,7 @@ Example - Delete certificate "wabbit-networks-timestamp.pem" with "tsa" type fro
 return deleteCerts(opts)
 },
 }
- command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority")
+ command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority, tsa")
 command.Flags().StringVarP(&opts.namedStore, "store", "s", "", "specify named store")
 command.Flags().BoolVarP(&opts.all, "all", "a", false, "delete all certificates in the named store")
 command.Flags().BoolVarP(&opts.confirmed, "yes", "y", false, "do not prompt for confirmation")
diff --git a/cmd/notation/cert/list.go b/cmd/notation/cert/list.go
index 409b9da83..73578a6c4 100644
--- a/cmd/notation/cert/list.go
+++ b/cmd/notation/cert/list.go
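Review bot: The `--type` usage string changed here is the same literal that the delete.go, list.go and show.go hunks also carry, and this commit has to edit all four copies by hand to mention `tsa`; hoisting it into one package-level constant in `cmd/notation/cert` would let the next store type be added in a single place, e.g. `const storeTypeUsage = "specify trust store type, options: ca, signingAuthority, tsa"` and `command.Flags().StringVarP(&opts.storeType, "type", "t", "", storeTypeUsage)`. The help text now advertises `tsa`, but nothing in the hunk checks the flag value; whether `tsa` is actually accepted appears to be decided in `addCerts` and its counterparts, outside this diff, so the matching validation and its tests should be confirmed to accept the new type rather than rely on the usage string alone. The enclosing command constructor starts before the hunk.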
@@ -65,7 +65,7 @@ Example - List all certificate files from trust store of type "tsa"
 },
 }
 opts.LoggingFlagOpts.ApplyFlags(command.Flags())
- command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority")
+ command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority, tsa")
 command.Flags().StringVarP(&opts.namedStore, "store", "s", "", "specify named store")
 return command
 }
diff --git a/cmd/notation/cert/show.go b/cmd/notation/cert/show.go
index df1537ff5..701f02cba 100644
--- a/cmd/notation/cert/show.go
+++ b/cmd/notation/cert/show.go
@@ -66,7 +66,7 @@ Example - Show details of certificate "wabbit-networks-timestamp.pem" with type
 },
 }
 opts.LoggingFlagOpts.ApplyFlags(command.Flags())
- command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority")
+ command.Flags().StringVarP(&opts.storeType, "type", "t", "", "specify trust store type, options: ca, signingAuthority, tsa")
 command.Flags().StringVarP(&opts.namedStore, "store", "s", "", "specify named store")
 command.MarkFlagRequired("type")
 command.MarkFlagRequired("store")
diff --git a/specs/cmd/certificate.md b/specs/cmd/certificate.md
index 54b3e318b..5fa5ec0b0 100644
--- a/specs/cmd/certificate.md
+++ b/specs/cmd/certificate.md
@@ -4,10 +4,11 @@ Use ```notation certificate``` command to add/list/delete certificates in notation's trust store. Updating an existing certificate is not allowed since the thumbprint will be inconsistent, which results in a new certificate. -The trust store is in the format of a directory in the filesystem as`x509///*.crt|*.cer|*.pem`. Currently two types of trust store are supported: +The trust store is in the format of a directory in the filesystem as`x509///*.crt|*.cer|*.pem`. Currently three types of trust store are supported: -* `Certificate Authority`: The directory name is `ca`. +* `Certificate Authority`: The directory name is `ca` * `Signing Authority`: The directory name is `signingAuthority` +* `Timestamping Authority`: The directory name is `tsa` There could be more trust store types introduced in the future. @@ -26,9 +27,13 @@ $XDG_CONFIG_HOME/notation/truststore /signingAuthority /wabbit-networks cert3.crt + + /tsa + /trusted-tsa + tsa.crt ``` -In this example, there are two certificates stored in trust store named `acme-rockets` of type `ca`. There is one certificate stored in trust store named `wabbit-networks` of type `signingAuthority`. +In this example, there are two certificates stored in trust store named `acme-rockets` of type `ca`. There is one certificate stored in trust store named `wabbit-networks` of type `signingAuthority`. And there is one certificate stored in trust store named `trusted-tsa` of type `tsa`. ## Outline @@ -66,7 +71,7 @@ Usage: Flags: -h, --help help for add -s, --store string specify named store - -t, --type string specify trust store type, options: ca, signingAuthority + -t, --type string specify trust store type, options: ca, signingAuthority, tsa ``` ### notation certificate list 
@@ -84,7 +89,7 @@ Flags: -d, --debug debug mode -h, --help help for list -s, --store string specify named store - -t, --type string specify trust store type, options: ca, signingAuthority + -t, --type string specify trust store type, options: ca, signingAuthority, tsa -v, --verbose verbose mode ``` @@ -100,7 +105,7 @@ Flags: -d, --debug debug mode -h, --help help for show -s, --store string specify named store - -t, --type string specify trust store type, options: ca, signingAuthority + -t, --type string specify trust store type, options: ca, signingAuthority, tsa -v, --verbose verbose mode ``` @@ -116,7 +121,7 @@ Flags: -a, --all delete all certificates in the named store -h, --help help for delete -s, --store string specify named store - -t, --type string specify trust store type, options: ca, signingAuthority + -t, --type string specify trust store type, options: ca, signingAuthority, tsa -y, --yes do not prompt for confirmation ``` @@ -169,11 +174,12 @@ Upon successful listing, all the certificate files in the trust store are printe An example of the output: ``` -STORE TYPE STORE NAME CERTIFICATE -ca myStore1 cert1.pem -ca myStore2 cert2.crt -signingAuthority myStore1 cert3.crt +STORE TYPE STORE NAME CERTIFICATE +ca myStore1 cert1.pem +ca myStore2 cert2.crt +signingAuthority myStore1 cert3.crt signingAuthority myStore2 cert4.pem +tsa myTSA tsa.crt ``` ### List all certificate files of a certain named store @@ -233,7 +239,7 @@ notation certificate delete --type --store A prompt is displayed, asking the user to confirm the deletion. Upon successful deletion, the specific certificate is deleted from the trust store named `` of type ``. The output message is printed out as following: ```text -Successfully deleted from the trust store. +Successfully deleted from the trust store. ``` If users execute the deletion without specifying required flags using `notation cert delete `, the deletion fails and the error output message is printed out as follows: 
@@ -258,13 +264,13 @@ Use the following command to clean up a test RSA key and its corresponding certi notation certificate cleanup-test "wabbit-networks.io" ``` -A prompt will be displayed, asking the user to confirm the cleanup. +A prompt will be displayed, asking the user to confirm the cleanup. ```text -The test key and its corresponding certificate will be cleaned up with the following changes: -- Delete certificate .crt from store (type ca). -- Remove key from the key list. -- Delete key file: {NOTATION_CONFIG}/localkeys/.key. +The test key and its corresponding certificate will be cleaned up with the following changes: +- Delete certificate .crt from store (type ca). +- Remove key from the key list. +- Delete key file: {NOTATION_CONFIG}/localkeys/.key. - Delete certificate file: {NOTATION_CONFIG}/localkeys/.crt. Are you sure you want to continue? [y/N]