Add a new command export to the CLI that allows users to export a certificate (the public parts) from, initially, just the Trusted Signing service to a file on disk. This is particularly useful for users who need a copy of the latest Trusted Signing certificate to upload to a third-party service such as NuGet.org to allow verification of the signed packages that are published there.
This pull request is organised in three commits that can be reviewed individually and are as follows:
Extract a base class from the TrustedSigningCommand to allow sharing of options for Trusted Signing account info.
Add (I)Exporter that can export a certificate to a file on disk from a certificate provider.
Add an implementation for the export certificate command for Trusted Signing.
Open questions
In this implementation, the export command is separate from the code(sign) process, meaning the actual certificate downloaded may end up being different from the one used to sign if the service has rotated certificates in the gap between. Should we consider adding a flag to the code command to allow exporting the certificate at the same time as signing? (see alternative implementations below!!)
Should we consider adding a --force flag to the export command to overwrite the file if it already exists?
Should we consider adding a --format flag to the export command to allow exporting the certificate in different formats (e.g. PEM, DER, etc)?
Does this make sense for other services that provide certificates, or is this only applicable to Trusted Signing?
Add a new command
export
to the CLI that allows users to export a certificate (the public parts) from, initially, just the Trusted Signing service to a file on disk. This is particularly useful for users who need a copy of the latest Trusted Signing certificate to upload to a third-party service such as NuGet.org to allow verification of the signed packages that are published there.This pull request is organised in three commits that can be reviewed individually and are as follows:
Extract a base class from the
TrustedSigningCommand
to allow sharing of options for Trusted Signing account info.Add
(I)Exporter
that can export a certificate to a file on disk from a certificate provider.Add an implementation for the export certificate command for Trusted Signing.
Open questions
In this implementation, the
export
command is separate from thecode(sign)
process, meaning the actual certificate downloaded may end up being different from the one used to sign if the service has rotated certificates in the gap between. Should we consider adding a flag to thecode
command to allow exporting the certificate at the same time as signing? (see alternative implementations below!!)Should we consider adding a
--force
flag to theexport
command to overwrite the file if it already exists?Should we consider adding a
--format
flag to theexport
command to allow exporting the certificate in different formats (e.g. PEM, DER, etc)?Does this make sense for other services that provide certificates, or is this only applicable to Trusted Signing?
Alternative implementations
--certificate-export-path
option rather than adding a newexport
command https://github.com/dotnet/sign/pull/734