notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

Support offline usage #1084

Open ecordell opened 7 years ago

ecordell commented 7 years ago
$ notary init quay-root -d .
Root key found, using: abcd
Enter passphrase for root key with ID abcd:
Enter passphrase for new targets key with ID fghi (quay-root):
Repeat passphrase for new targets key with ID fghi (quay-root):

* fatal: client is offline

I don't see much reason why notary shouldn't work in an offline mode. Setting up a repo manually and then transferring it somewhere else can be a nice way to airgap if needed - but more importantly, IMO, generating TUF metadata without requiring the server to be in place is an excellent way to let interested users learn about Notary/TUF.

Any thoughts? Is there some reason that I'm missing that notary should require the server to be reachable?

endophage commented 7 years ago

Agree on all points. There should be a way to just dump the signed data out to local disk. As a precursor, we should make it possible to sign timestamps locally.

endophage commented 7 years ago

Also, we should make it possible to configure expiry periods of roles in the config.json. I feel like that becomes more necessary/desirable if somebody is signing timestamps locally.

ecordell commented 7 years ago

What about splitting a tuf command back out?

It could be useful to split "notary operations" from "tuf operations" in this way. notary for high-level commands (also indicates that your changes should be replicated to a server) and tuf for low-level, similar to the python tuf lib.

endophage commented 7 years ago

Let's see how it would look if we just fit the operations into the existing notary CLI. It feels like bringing a timestamp key locally is already a natural addition to notary key rotate given what it already does. If you have a valid timestamp key locally we would just sign with it.

Publishing seems like we could make the -s flag (and the associated config.json field) accept file paths with the standard file:// scheme, and that would then use local file storage. Configuring expiries is a slightly odd one and I don't know whether we'd want users to set it globally, per repo, or just have it as a one-off per publish; let the bikeshedding commence :-)

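The design endophage sketches above (file:// accepted by -s, timestamps signed with a local key, expiry taken from config with global, per-repo or per-publish precedence), as an added Go example that is not Notary's own code: ExpiryConfig, LocalStoreDir, PublishTimestamp, the config shape and the on-disk layout are all assumptions, and the signed bytes are a simplification of the real TUF timestamp role.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"net/url"
	"os"
	"path/filepath"
	"time"
)

// ExpiryConfig is a hypothetical config.json shape (not Notary's real schema):
// a global default plus per-repo overrides, the options floated in the thread.
type ExpiryConfig struct {
	Default time.Duration
	PerRepo map[string]time.Duration
}

// Expiry picks the timestamp lifetime: per-publish wins, then per-repo, then the global default.
func (c ExpiryConfig) Expiry(repo string, perPublish time.Duration) time.Duration {
	if perPublish > 0 {
		return perPublish
	}
	if d, ok := c.PerRepo[repo]; ok {
		return d
	}
	return c.Default
}

// LocalStoreDir resolves a "-s" value: file:// selects a local directory store, any other scheme means a remote server.
func LocalStoreDir(server string) (string, bool, error) {
	u, err := url.Parse(server)
	if err != nil || u.Scheme != "file" {
		return "", false, err
	}
	if u.Path == "" {
		return "", false, errors.New("file:// URL has no path")
	}
	return filepath.FromSlash(u.Path), true, nil
}

// PublishTimestamp signs a timestamp expiry with a local ed25519 key and writes it into the
// local store; signing only the RFC3339 expiry string is a simplification of TUF's signed bytes.
func PublishTimestamp(dir, repo string, cfg ExpiryConfig, perPublish time.Duration, key ed25519.PrivateKey, now time.Time) (time.Time, []byte, error) {
	expires := now.Add(cfg.Expiry(repo, perPublish)).UTC()
	sig := ed25519.Sign(key, []byte(expires.Format(time.RFC3339)))
	data, _ := json.Marshal(map[string]interface{}{"expires": expires, "signature": sig})
	return expires, sig, os.WriteFile(filepath.Join(dir, repo+".timestamp.json"), data, 0o600)
}
```

A verifier holding only the public key can check the written file offline with ed25519.Verify over the same expiry string, which is the point of keeping the timestamp key local.
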
lavahot commented 4 years ago

Did this improvement ever get made? I have a need for an airgapped deployment.

konstest commented 4 years ago

@ecordell @endophage We are waiting for this feature because we think it would allow us to use DCT without deploying a Notary server into an offline network.