Closed: fanndu closed this issue 6 months ago.
Hi @fanndu,
There is a way to figure out which signing key is set as default. You can use notation key list to get this information. For example, the key name notation.io with * is the default signing key.
$ notation key ls
wabbit-networks.io /home/azureuser/.config/notation/localkeys/wabbit-networks.io.key /home/azureuser/.config/notation/localkeys/wabbit-networks.io.crt
* notation.io /home/azureuser/.config/notation/localkeys/notation.io.key /home/azureuser/.config/notation/localkeys/notation.io.crt
In addition, Notation doesn't have a default certificate concept yet.
@fanndu I think you want to make a connection between certificates and keys. The notation cert command is used to add CA certificates for verification, normally root CA certificates. So, showing a "default signing key" there is misleading, since it is not one. For a self-signed certificate, the cert and key are a pair, but for CA-issued certificates it is not a one-to-one match, because a CA certificate can be used to verify signatures that are generated with different private keys. And from a verification point of view, there is no need to mark a "default", since a verifier wants to verify images signed with different keys; it is unusual to have a "default" certificate verifying images signed with a default signing key. In other cases, a verifier can only configure the trust store, without needing to add signing keys.
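The certificate-versus-key relationship described above, as an added example in Go (not Notation's own code): a verifier's trust store holds a single CA certificate, and certificates for two different signing keys issued by that CA chain to it, while an unrelated self-signed certificate does not. It stops at the chain check and leaves out the signature over the artifact itself; the CA, bob, carol and notation.io identities are constructed in memory and are assumptions, not real Notation keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh private key and a certificate for it. With a nil issuer the
// certificate is self-signed (cert and key form a pair); otherwise the issuing CA's key signs it.
func newCert(cn string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	parent, parentKey := tmpl, key // parent == template means self-signed
	if issuer != nil {
		parent, parentKey = issuer, issuerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}
// trustedByStore is the verifier's question: does this signing certificate chain to a CA in the trust store (which holds no signing keys)?
func trustedByStore(trustStore *x509.CertPool, signerCert *x509.Certificate) bool {
	_, err := signerCert.Verify(x509.VerifyOptions{Roots: trustStore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
// Demo: one CA certificate in the trust store covers certificates for two different signing
// keys it issued, and does not cover an unrelated self-signed signer (all names are constructed).
func Demo() (bobOK, carolOK, selfSignedOK bool) {
	caKey, caCert := newCert("wabbit-networks-ca", true, nil, nil)
	_, bobCert := newCert("bob@wabbit-networks.io", false, caCert, caKey)
	_, carolCert := newCert("carol@wabbit-networks.io", false, caCert, caKey)
	_, soloCert := newCert("notation.io", true, nil, nil)
	trustStore := x509.NewCertPool()
	trustStore.AddCert(caCert)
	return trustedByStore(trustStore, bobCert), trustedByStore(trustStore, carolCert), trustedByStore(trustStore, soloCert)
}
func main() { fmt.Println(Demo()) } // prints: true true false
```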
Thanks @FeynmanZhou. This is the command that I want.
@yizha1 Thanks. FeynmanZhou has answered my question.
Is your feature request related to a problem?
There is no command in notation certificate to show the default signing key. Users can only know it by looking at the signing key config file (as follows on macOS).
What solution do you propose?
Add a new arg to show the default signing key as follows.
And show the default signing key indicator in the list command.
What alternatives have you considered?
N/A
Any additional context?
No response