Open jimmychen92 opened 1 year ago
This sounds like a common scenario for users in a Windows environment. @notaryproject/notaryproject-notation-go-maintainers Should we support reading certificate from the Windows certificate store in the notation-go library as well?
It seems there are only two stores available on Windows: CurrentUser and LocalMachine (doc). All certificates under a single store are organized in a flat manner, and it seems not possible to create new stores. Therefore, they are not suitable for notation trust store scenarios.
@jimmychen92 Please correct me if I have incorrect understanding in terms of Windows Certificate Management.
I think this will need more discussion. Directly trusting all certs in the Windows trust store is a no-go because users might not want to trust everything that's in the Windows trust store, but fetching individual certs might be a possibility. This begs the following questions:
- What platforms/truststores should notation support?
- Are there any Go libraries which support this without taking a dependency on system libraries (.so, .dylib, .dll)?
- Should notation provide this as part of the notation cert add command or the sign/verify command?
cc:/ @shizhMSFT @patrickzheng200 @iamsamirzon
Hi @priteshbandi, the feature request does not ask Notation to trust all certificates from the Windows machine certificate store. It only asks Notation to provide a way to add a certificate saved in the Windows machine certificate store into Notation's certificate store.
In Windows machines, all root trusted certificates are installed there and they cannot be exported as a file in the local disk. It is a standard way for administrators to place certificates in the Windows certificate store. Without this feature support, it creates extra challenges for distributing certificates in Windows machines.
Is your feature request related to a problem?
When integrating Notation CLI with a .NET application in a Windows environment, it is necessary to use a certificate from the Windows certificate store for artifact signing and verification. Since these certificates cannot be read as files, it is necessary to rely on a Windows library, such as the C# library mentioned in this article: https://sirarsalih.com/2018/01/30/fetching-an-installed-certificate-programmatically-from-the-windows-local-machine-store.
Due to this limitation of Windows, it can be difficult to leverage Notation in a Windows environment, particularly when using trust root certificates available in the Windows OS.
What solution do you propose?
In Notation CLI, there should be a way to read a certificate from the Windows certificate store. Currently, Notation only seems to work with certificates that are available in the file system or in a key vault.
What alternatives have you considered?
No other way I've thought would work, but open for suggestions.
Any additional context?
No response
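One interim way to get a single certificate from the Windows machine store into Notation's own trust store, as an added example that is not from this thread or from the Notation project: a PowerShell script that reads the public certificate (never a private key) by thumbprint from `Cert:\LocalMachine\Root`, checks that it is an unexpired CA certificate, writes it as PEM, and registers it with `notation cert add --type ca --store <name>`. The thumbprint value and the trust store name `my-ca` are placeholders, and the script assumes the `notation` CLI is on PATH.

```powershell
# Added example (not Notation project code): copy one CA certificate from the
# Windows LocalMachine\Root store into a named Notation trust store via PEM.
# Assumptions: $Thumbprint is a placeholder, 'my-ca' is an arbitrary store
# name, and the notation CLI is available on PATH.
$Thumbprint     = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder, 40 hex chars
$TrustStoreName = 'my-ca'
$OutDir         = Join-Path $env:TEMP 'notation-certs'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Select exactly one certificate by thumbprint; only the public certificate
# (RawData) is read, so no private key is exported or touched.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate with thumbprint $Thumbprint not found in LocalMachine\Root"
}

# Do not register an expired certificate as a trust anchor.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
}

# Notation trust store entries of type 'ca' must be CA certificates, so check
# the BasicConstraints extension before adding it.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate $Thumbprint is not a CA certificate (BasicConstraints cA=false or missing)"
}

# Encode the DER bytes as PEM with 64-character base64 lines, the format
# `notation cert add` accepts.
$b64 = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pemPath = Join-Path $OutDir "$Thumbprint.pem"
@('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----') |
    Set-Content -Path $pemPath -Encoding ascii

# Register the PEM file in Notation's trust store under the chosen name.
notation cert add --type ca --store $TrustStoreName $pemPath
if ($LASTEXITCODE -ne 0) {
    throw "notation cert add failed with exit code $LASTEXITCODE"
}

Write-Host "Added '$($cert.Subject)' to Notation trust store '$TrustStoreName'"
```

Because the certificate is selected by thumbprint rather than by subject name, a lookalike certificate with the same subject in the same store is not picked up by mistake; the PEM file left in `$env:TEMP` contains only public data and can be deleted after the `notation cert add` call succeeds.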