notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Extend Certificate Expiry #825

Open vikasprasad007 opened 8 months ago

vikasprasad007 commented 8 months ago

Is your feature request related to a problem?

Notation generated test certificate have only 1 day expiry, is there a way to set/extend expiry?

What solution do you propose?

We are demonstrating the image signing and verification feature to a client, but due to the 1 day expiry we have to create a certificate every day. It would be helpful if we can extend the expiry of the certificate.

What alternatives have you considered?

Azure Keyvault..

Any additional context?

No response

FeynmanZhou commented 7 months ago

Hi @vikasprasad007 ,

The testing key and certificate generated by notation cert generate-test are designed to be short-lived and expire after 1 day for security reasons.

If you are asking for testing purposes, you can re-generate a new test key and cert, or use a tool like Azure Key Vault or openssl to generate a test key/cert with a longer expiration.

See https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push#create-a-self-signed-certificate-in-akv-azure-cli

```shell
name=test
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout $name.key -out $name.crt -days 365 -subj "/C=US/ST=WA/L=Seattle/O=Notary/CN=$name" -addext "basicConstraints=CA:false" -addext "keyUsage=critical,digitalSignature" -addext "extendedKeyUsage=codeSigning"
```

vikasprasad007 commented 7 months ago

Hello @FeynmanZhou,

Thanks for your response.

We have a plan to implement the AKV plugin for production, but we can't do it for now as this plugin is under preview and, based on Microsoft, it will be published in 2024 Q1; meanwhile we want the client to review the signing feature. I have tried to proceed with an openssl certificate, but when we were trying to add the ssl key into the notation key list it was not allowing us, as the 'notation key add' command requires a plugin; even when I tried to pass key_name directly to the 'notation sign' command it was not able to find the key.

Request you to please help us with this: we have the ssl certificate now, how can we add this into the notation key list, or how can we use this key and cert for signing and verification? Notation version: 1.0.0

FeynmanZhou commented 7 months ago

Signing with a local key is not supported yet, but we have an issue #539 to track it. A workaround is to manually edit signingkeys.json and add the signing key/cert file to it.

We could provide a guideline in the FAQ for this case.
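The manual workaround described in the two comments above (edit signingkeys.json by hand and point it at a locally generated key and cert), written out as an added example. This is not notation's own code: the file layout follows the sample signingkeys.json in the notation config-file user guide (a "default" key name plus a "keys" list of entries with "name", "keyPath" and "certPath"), the config-directory location is assumed to be notation's Linux default, and the test.key / test.crt file names are the ones produced by the openssl command earlier in the thread. The script refuses duplicate key names, requires both files to exist before it writes anything, and writes the file atomically with owner-only permissions because it points at a private key.

```python
"""Add a locally generated key/cert pair to notation's signingkeys.json.

Added example, not part of the notation project. Field names follow the
signingkeys.json sample in the notation user guide; the config directory and
the test.key / test.crt names are assumptions.
"""
import json
import os
import tempfile
from pathlib import Path


def default_signingkeys_path() -> Path:
    """Assumed Linux location of notation's config ($XDG_CONFIG_HOME or ~/.config)."""
    base = os.environ.get("XDG_CONFIG_HOME") or str(Path.home() / ".config")
    return Path(base) / "notation" / "signingkeys.json"


def load_signingkeys(path: Path) -> dict:
    """Read signingkeys.json, or start an empty config if the file does not exist yet."""
    if not path.exists():
        return {"default": "", "keys": []}
    with path.open() as f:
        cfg = json.load(f)
    cfg.setdefault("default", "")
    cfg.setdefault("keys", [])
    return cfg


def add_local_key(cfg: dict, name: str, key_path: str, cert_path: str,
                  make_default: bool = False) -> dict:
    """Return a new config with a file-based key entry appended.

    Duplicate names are rejected because notation selects keys by name, and
    both files must exist so that a typo never produces an entry notation
    cannot load at signing time.
    """
    if any(entry.get("name") == name for entry in cfg["keys"]):
        raise ValueError(f"signing key {name!r} already exists in signingkeys.json")
    for p in (key_path, cert_path):
        if not Path(p).is_file():
            raise FileNotFoundError(p)
    new_cfg = {"default": cfg.get("default", ""), "keys": list(cfg["keys"])}
    new_cfg["keys"].append({
        "name": name,
        "keyPath": str(Path(key_path).resolve()),
        "certPath": str(Path(cert_path).resolve()),
    })
    # The first key added becomes the default, as notation's own tooling does.
    if make_default or not new_cfg["default"]:
        new_cfg["default"] = name
    return new_cfg


def save_signingkeys(path: Path, cfg: dict) -> None:
    """Write the config atomically (temp file + rename) with owner-only permissions."""
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(cfg, indent=4) + "\n")
    os.chmod(tmp, 0o600)
    tmp.replace(path)


if __name__ == "__main__":
    # Constructed demo: placeholder files stand in for the openssl-generated
    # test.key / test.crt so the script runs offline in a throwaway directory.
    demo = Path(tempfile.mkdtemp())
    (demo / "test.key").write_text("placeholder private key\n")
    (demo / "test.crt").write_text("placeholder certificate\n")
    cfg_path = demo / "signingkeys.json"   # would be default_signingkeys_path() for real use
    cfg = add_local_key(load_signingkeys(cfg_path), "test",
                        str(demo / "test.key"), str(demo / "test.crt"))
    save_signingkeys(cfg_path, cfg)
    print(cfg_path.read_text())
```

After the entry is in place, `notation sign --key test <reference>` can select it by name; verification still needs the certificate added to a trust store and referenced by a trust policy, which this script does not touch.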

yizha1 commented 7 months ago

@vikasprasad007 Did this workaround solve your problem?

A workaround is to manually edit the [signingkeys.json](https://notaryproject.dev/docs/user-guides/how-to/notation-config-file/#sample-of-signingkeysjson) and add the signing key/cert file to signingkeys.json.

github-actions[bot] commented 3 months ago

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.