notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

docs: invalid signing time fail to sign prompt improvement #829

Closed fanndu closed 10 months ago

fanndu commented 10 months ago

Is your feature request related to a problem?

When the signing time is not within the validity period of the certificate, the signing failure message does not have a certificate expiration date, and the user needs to run other commands to check the validity period of the certificate, which is not a good experience.

./bin/notation sign localhost:5000/gateway@sha256:b992672d71a62c0a94cd8640f7c0db62ffb9de65317100742bf44892b179445f
Error: certificate-chain is invalid, certificate with subject "CN=test,O=Notary,L=Seattle,ST=WA,C=US" was not valid at signing time of 2023-11-12 08:34:48 +0000 UTC

What solution do you propose?

It is a good experience to show the certificate validity period in the prompt.

./bin/notation sign localhost:5000/gateway@sha256:b992672d71a62c0a94cd8640f7c0db62ffb9de65317100742bf44892b179445f
Error: certificate-chain is invalid, certificate with subject "CN=test,O=Notary,L=Seattle,ST=WA,C=US" was invalid at signing time of 2023-11-12 08:33:33 +0000 UTC. Valid from [2023-10-25 02:40:40 +0000 UTC] to [2023-10-26 02:40:40 +0000 UTC]

What alternatives have you considered?

N/A

Any additional context?

No response
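As an added illustration (not code from the notation project), here is a Go sketch of the NotBefore/NotAfter check together with the error message proposed above. The certificate is constructed sample data with the same validity window and signing time as the report; `validityError` and `newTestCert` are hypothetical names, not notation's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// timeLayout matches how the CLI prints times in the issue's error output.
const timeLayout = "2006-01-02 15:04:05 -0700 MST"
// validityError runs the NotBefore/NotAfter check and, on failure, returns the proposed message with the validity window.
func validityError(cert *x509.Certificate, signingTime time.Time) error {
	if signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter) {
		return fmt.Errorf("certificate-chain is invalid, certificate with subject %q was invalid at signing time of %s. Valid from [%s] to [%s]",
			cert.Subject.String(), signingTime.UTC().Format(timeLayout),
			cert.NotBefore.UTC().Format(timeLayout), cert.NotAfter.UTC().Format(timeLayout))
	}
	return nil
}

// newTestCert builds a constructed self-signed certificate with the given window (sample data, not notation's own test cert).
func newTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "test", Organization: []string{"Notary"},
			Locality: []string{"Seattle"}, Province: []string{"WA"}, Country: []string{"US"}},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip so the times come back as encoded (UTC, whole seconds)
}

func main() { // same validity window and signing time as the issue's example
	cert, err := newTestCert(time.Date(2023, 10, 25, 2, 40, 40, 0, time.UTC), time.Date(2023, 10, 26, 2, 40, 40, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Println(validityError(cert, time.Date(2023, 11, 12, 8, 33, 33, 0, time.UTC)))
}
```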

FeynmanZhou commented 10 months ago

Hi @fanndu ,

Thanks for the suggestion. Your proposal sounds reasonable to me. It makes signers understand the validity of the certificate immediately when they fail to sign images with an expired certificate.

Alternatively, signers can get the validity of a certificate by using notation certificate show --type <type> --store <name> <cert_fileName> as mentioned in the spec in this case. But I agree that showing the validity in the related error message, as you mentioned above, adds more clarity and convenience to signers.

/cc @notaryproject/notaryproject-notation-maintainers for inputs.

yizha1 commented 10 months ago

Thanks @fanndu

As a side note, besides the error message for certificate expiry, we need to verify the signature expiry error message to make sure it is clear for users.

fanndu commented 10 months ago

Hi @FeynmanZhou,

Because the default certificate is used, the user couldn't know which store type and store name, especially when there are so many certs, as follows:

./bin/notation cert ls
STORE TYPE   STORE NAME        CERTIFICATE
ca           expired-example   expired-example.crt
ca           missing-example   missing-example.crt
ca           test              test.crt
ca           testgenerate      testgenerate.crt
ca           valid-example     valid-example.crt

And there is no CLI command to show which cert is the default. So I think we should show more cert info here and add a new CLI command to show the default cert info.

The signing key is defined in /Users/xxx/Library/Application Support/notation/signingkeys.json. It's hard for beginners to find it.

fanndu commented 10 months ago

@yizha1 I'm working on a PR to fix this.

yizha1 commented 10 months ago

Thanks @fanndu, I will assign this issue to you. /cc @FeynmanZhou @shizhMSFT