notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Read certificate from windows certificate store #721

Open jimmychen92 opened 1 year ago

jimmychen92 commented 1 year ago

Is your feature request related to a problem?

When integrating Notation CLI with a .NET application in a Windows environment, it is necessary to use a certificate from the Windows certificate store for artifact signing and verification. Since these certificates cannot be read as files, it is necessary to rely on a Windows library, such as the C# library mentioned in this article: https://sirarsalih.com/2018/01/30/fetching-an-installed-certificate-programmatically-from-the-windows-local-machine-store.

Due to this limitation of Windows, it can be difficult to leverage Notation in a Windows environment, particularly when using trust root certificates available in the Windows OS.

What solution do you propose?

In Notation CLI, there should be a way to read a certificate from the Windows certificate store. Currently, Notation only seems to work with certificates that are available in the file system or in a key vault.

What alternatives have you considered?

No other way I've thought of would work, but I'm open to suggestions.

Any additional context?

No response

FeynmanZhou commented 1 year ago

This sounds like a common scenario for users in a Windows environment. @notaryproject/notaryproject-notation-go-maintainers Should we support reading certificate from the Windows certificate store in the notation-go library as well?

priteshbandi commented 1 year ago

I think this will need more discussion. Directly trusting all certs in the Windows trust store is a no-go, because a user might not want to trust everything that's in the Windows trust store, but fetching an individual cert might be a possibility. This begs the following questions:

  1. Which platforms/truststores should notation support?
  2. Are there any Go libraries which support this without taking a dependency on system libraries (.so, .dylib, .dll)?
  3. Should notation provide this as part of the notation cert add command or the sign/verify command?

cc:/ @shizhMSFT @patrickzheng200 @iamsamirzon

shizhMSFT commented 1 year ago

It seems there are only two stores available on Windows: CurrentUser and LocalMachine (doc). All certificates under a single store are organized in a flat manner, and it does not seem possible to create new stores. Therefore, they are not suitable for notation trust store scenarios.

@jimmychen92 Please correct me if I have an incorrect understanding of Windows certificate management.

jimmychen92 commented 1 year ago

> I think this will need more discussion. Directly trusting all certs in the Windows trust store is a no-go, because a user might not want to trust everything that's in the Windows trust store, but fetching an individual cert might be a possibility. This begs the following questions:
>
>   1. Which platforms/truststores should notation support?
>   2. Are there any Go libraries which support this without taking a dependency on system libraries (.so, .dylib, .dll)?
>   3. Should notation provide this as part of the notation cert add command or the sign/verify command?
>
> cc:/ @shizhMSFT @patrickzheng200 @iamsamirzon

Hi @priteshbandi, the feature request does not ask Notation to trust all certificates from the Windows machine certificate store. It only asks Notation to provide a way to add a certificate saved in the Windows machine certificate store into Notation's certificate store.

On Windows machines, all trusted root certificates are installed there, and they cannot be exported as a file to the local disk. It is the standard way for administrators to place certificates in the Windows certificate store. Without support for this feature, there are extra challenges in distributing certificates on Windows machines.
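One way to bridge the verification side today, as an added example that is not part of this issue or of notation itself: a PowerShell script that exports only the public certificate of a CA from the LocalMachine store and registers it with notation cert add. The thumbprint, trust store name and output directory are assumed placeholders; signing with a private key that is held non-exportable in the store is not covered, which is the gap this issue asks to close.

```powershell
# Added example (not notation's own code): copy a CA's public certificate from the
# Windows LocalMachine store into a notation CA trust store. Only the public
# certificate is exported; private keys in the store are never touched.
param(
    # Constructed placeholder; replace with the thumbprint of the CA cert to trust.
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT_OF_CA_CERT',
    # Assumed trust store name; it must match the one referenced by the trust policy.
    [string]$TrustStore = 'corp-ca',
    # Assumed scratch directory for the exported PEM file.
    [string]$OutDir = (Join-Path $env:TEMP 'notation-certs')
)

$ErrorActionPreference = 'Stop'

# Search the machine-wide Root and intermediate CA stores that administrators populate.
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\Root or LocalMachine\CA"
}

# Refuse end-entity certificates: a 'ca' trust store is meant for CA certificates only.
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate $Thumbprint is not a CA certificate (BasicConstraints cA is false or absent)"
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pemPath = Join-Path $OutDir "$($cert.Thumbprint).pem"

# Export the DER encoding of the public certificate and wrap it as PEM with LF line endings.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks) -replace "`r`n", "`n"
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
[System.IO.File]::WriteAllText($pemPath, $pem, [System.Text.UTF8Encoding]::new($false))

# Register the file in the named CA trust store; notation copies it into its own config directory.
notation cert add --type ca --store $TrustStore $pemPath
if ($LASTEXITCODE -ne 0) { throw "notation cert add failed with exit code $LASTEXITCODE" }

# Confirm the trust store now lists the certificate.
notation cert list --type ca --store $TrustStore
```

Run it in an elevated session if the LocalMachine stores are not readable by the current user; the PEM file can be deleted afterwards because notation keeps its own copy.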