Configuration file spec#76
Conversation
Signed-off-by: Steve Lasker <stevelasker@hotmail.com>
Signed-off-by: Steve Lasker <stevelasker@hotmail.com>
Signed-off-by: Steve Lasker <stevelasker@hotmail.com>
Signed-off-by: Steve Lasker <stevelasker@hotmail.com>
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
| "verificationCerts": { | ||
| "certs": [ | ||
| { | ||
| "name": "wabbit-networks.io", | ||
| "path": "~/./notary/keys/wabbit-networks.crt" | ||
| }, | ||
| { | ||
| "name": "import.acme-rockets.io", | ||
| "path": "~/./notary/keys/import-acme-rockets.crt" | ||
| } | ||
| ] | ||
| }, |
There was a problem hiding this comment.
Why do we need certs inside of verificationCerts? It is redundant.
There was a problem hiding this comment.
I was trying to align with keys which has default nested, so it needed keys.
Suggestions?
There was a problem hiding this comment.
Leaving for this PR, and lets address how we want to handle verificationCerts and signingKeys
Do we want to pull default out to a root node?
There was a problem hiding this comment.
@SteveLasker - Moving this into the notary location exposes the notation CLI to need ACLs and policise that are present with notaryV1. My recommendatiaon is to have this under .notation for now and open an issue to unify the config location with notaryv1 if that is the requirement.
/cc @gokarnm
There was a problem hiding this comment.
- How about naming it verification-identities and changing structure to something like this?
"verification-identities": [
{
"name": "wabbit-networks.io",
"certificate-path": "~/./notary/keys/wabbit-networks.crt"
},
{
"name": "import.acme-rockets.io",
"certificate-path": "~/./notary/keys/import-acme-rockets.crt"
}
]
If we are planning to support only referencing(using path) not inlining of certificate then we can rename certificate-path to certificate.
- Also, are we thinking of supporting truststore and trustpolicy evaluation using this cli or its just that signature leads to a trusted certificate? If its former then we might not need
verificationCertsinstead we can refer trusstore+trustpolicy.
There was a problem hiding this comment.
@SteveLasker - Moving this into the notary location exposes the notation CLI to need ACLs and policise that are present with notaryV1. My recommendatiaon is to have this under .notation for now and open an issue to unify the config location with notaryv1 if that is the requirement.
/cc @gokarnm
@sajayantony @SteveLasker would like to understand better if there is a requirement, and the motivation for unifying config with notary V1.
There was a problem hiding this comment.
is a requirement, and the motivation for unifying config with notary V1.
It was more about reducing folder sprawl. I'm trying to avoid end users having to "feel the pain" of multiple folders being created as a result of using v1 and v2.
We don't have much usage of notary v1, so it's a minimal issue.
It's not the most pressing issue, so you could also argue, if most users don't have notary v1, is it really folder sprawl as they'll only have a single folder, "./notation".
I'll update to use notation and not be something to take more time for us to think about
There was a problem hiding this comment.
are we thinking of supporting truststore and trustpolicy evaluation
Yes, we should incorporate truststore policy. However, suggesting we add that as we iterate the details of the trust store policy. This will document the current state, so we can release a notation cli that we can iterate with.
As we complete the truststore policy design and implementation, we can update this config spec.
specs/notation-config.md
Outdated
| - `enabled` - bool, which acts as an on/off switch for default notation behavior. --enabled false would disable all automatic validations | ||
| - `verificationCerts` - collection of name/value pairs for a collection of public certs that are used for verification. These may be replaced with a future policy configuration. | ||
| - `name` - a named reference to the certificate | ||
| - `path` - a location by which the certificate can be found by the notation cli or notation libraries |
There was a problem hiding this comment.
We need to define whether it is an absolute path or it can be a relative path or both.
There was a problem hiding this comment.
Good question. What do you think from a security perspective?
There was a problem hiding this comment.
It is better if it is an absolute path.
specs/notation-config.md
Outdated
| - `path` - a location by which the certificate can be found by the notation cli or notation libraries | ||
| - `signing-keys` - a collection of name/value pairs of signing keys. | ||
| - `name` - a named reference to the key | ||
| - `path` - a location by which the key can be found by the notation cli or notation libraries |
There was a problem hiding this comment.
Same here for absolute or / and relative path.
There was a problem hiding this comment.
Good question. What do you think from a security perspective?
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
specs/notation-config.md
Outdated
|
|
||
| Property | Type | Value | ||
| ------ | ------ | --- | ||
| `enabled`|_bool_|on/off switch for default notation behavior. --enabled false would disable all automatic validations |
There was a problem hiding this comment.
enabled is used for docker-notation. This field is not meaningful for the notation CLI.
There was a problem hiding this comment.
Whats the purpose of enabled field? When will customer actually use it?
There was a problem hiding this comment.
@shizhMSFT, this is in the current config file. Are we having separate configs for docker-notation and notation?
| "signingKeys": { | ||
| "default": "wabbit-networks.io", | ||
| "keys": [ | ||
| { | ||
| "name": "wabbit-networks.io", | ||
| "path": "~/./notary/keys/wabbit-networks.key" | ||
| }, | ||
| { | ||
| "name": "import.acme-rockets.io", | ||
| "path": "~/./notary/keys/import-acme-rockets.key" | ||
| } | ||
| ] | ||
| }, |
There was a problem hiding this comment.
- Along with signingKey(private key) we will need signing certificate and certificate chain as signing certificate and certchain will be embedded in signature envelope.
- Also, how about using
defaultname for default identity? Although this works better with INI format.
"signing-identites": [
{
"name": "default",
"signing-certificate": "~/./notary/keys/wabbit-networks.crt",
"signing-certificate-chain": ""~/./notary/keys/wabbit-networks-chain.crt",
"private-key": "~/./notary/keys/wabbit-networks.key"
},
{
"name": "import-acme-rockets",
"signing-certificate": "~/./notary/keys/import-acme-rockets.crt",
"signing-certificate-chain": ""~/./notary/keys/import-acme-rockets-chain.crt",
"private-key": "~/./notary/keys/import-acme-rockets.key"
}
]
There was a problem hiding this comment.
+1 on requiring signing certificate in addition to private key.
| "verificationCerts": { | ||
| "certs": [ | ||
| { | ||
| "name": "wabbit-networks.io", | ||
| "path": "~/./notary/keys/wabbit-networks.crt" | ||
| }, | ||
| { | ||
| "name": "import.acme-rockets.io", | ||
| "path": "~/./notary/keys/import-acme-rockets.crt" | ||
| } | ||
| ] | ||
| }, |
There was a problem hiding this comment.
- How about naming it verification-identities and changing structure to something like this?
"verification-identities": [
{
"name": "wabbit-networks.io",
"certificate-path": "~/./notary/keys/wabbit-networks.crt"
},
{
"name": "import.acme-rockets.io",
"certificate-path": "~/./notary/keys/import-acme-rockets.crt"
}
]
If we are planning to support only referencing(using path) not inlining of certificate then we can rename certificate-path to certificate.
- Also, are we thinking of supporting truststore and trustpolicy evaluation using this cli or its just that signature leads to a trusted certificate? If its former then we might not need
verificationCertsinstead we can refer trusstore+trustpolicy.
specs/notation-config.md
Outdated
|
|
||
| Property | Type | Value | ||
| ------ | ------ | --- | ||
| `enabled`|_bool_|on/off switch for default notation behavior. --enabled false would disable all automatic validations |
There was a problem hiding this comment.
Whats the purpose of enabled field? When will customer actually use it?
| `key.name`|_string_|a named reference to the key | ||
| `key.path`|_string_|a location by which the key can be found by the notation cli or notation libraries | ||
| `signing-keys.default`|_string_|the signing key to be used when `notation sign` is called without `--name` | ||
| `insecureRegistries`|_array_|a list of registries that may be used without https |
There was a problem hiding this comment.
How is insecureRegistries related to notary?
There was a problem hiding this comment.
notation pushes and pulls content to a registry using the oras-go libraries. insecureRegistires is a list of registries enables the flow, as an exception to the normal HTTPS required flag.
It's not just for local instances of distribution. Many IoT scenarios run non https scenarios.
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
iamsamirzon
added
cli
* Configuration file spec * move under the specs folder * Incorporate feedback on table layout and naming Signed-off-by: Steve Lasker <stevelasker@hotmail.com>
9 participants
Capturing the configuration file, at its current state