Add a new command export to the CLI that allows users to export a certificate (the public parts) from, initially, just the Trusted Signing service to a file on disk. This is particularly useful for users who need a copy of the latest Trusted Signing certificate to upload to a third-party service such as NuGet.org to allow verification of the signed packages that are published there.
This pull request is organised in three commits that can be reviewed individually and are as follows:
Extract a base class from the TrustedSigningCommand to allow sharing of options for Trusted Signing account info.
Add (I)Exporter that can export a certificate to a file on disk from a certificate provider.
Add an implementation for the export certificate command for Trusted Signing.
Open questions
In this implementation, the export command is separate from the code(sign) process, meaning the actual certificate downloaded may end up being different from the one used to sign if the service has rotated certificates in the gap between. Should we consider adding a flag to the code command to allow exporting the certificate at the same time as signing? (see alternative implementations below!!)
Should we consider adding a --force flag to the export command to overwrite the file if it already exists?
Should we consider adding a --format flag to the export command to allow exporting the certificate in different formats (e.g. PEM, DER, etc)?
Does this make sense for other services that provide certificates, or is this only applicable to Trusted Signing?
Add a new command
exportto the CLI that allows users to export a certificate (the public parts) from, initially, just the Trusted Signing service to a file on disk. This is particularly useful for users who need a copy of the latest Trusted Signing certificate to upload to a third-party service such as NuGet.org to allow verification of the signed packages that are published there.This pull request is organised in three commits that can be reviewed individually and are as follows:
Extract a base class from the
TrustedSigningCommandto allow sharing of options for Trusted Signing account info.Add
(I)Exporterthat can export a certificate to a file on disk from a certificate provider.Add an implementation for the export certificate command for Trusted Signing.
Open questions
In this implementation, the
exportcommand is separate from thecode(sign)process, meaning the actual certificate downloaded may end up being different from the one used to sign if the service has rotated certificates in the gap between. Should we consider adding a flag to thecodecommand to allow exporting the certificate at the same time as signing? (see alternative implementations below!!)Should we consider adding a
--forceflag to theexportcommand to overwrite the file if it already exists?Should we consider adding a
--formatflag to theexportcommand to allow exporting the certificate in different formats (e.g. PEM, DER, etc)?Does this make sense for other services that provide certificates, or is this only applicable to Trusted Signing?
Alternative implementations
--certificate-export-pathoption rather than adding a newexportcommand https://github.com/dotnet/sign/pull/734