Open tomaszkrzyzanowski opened 4 months ago
This is a good proposal which will simplify importing root certs for verification. I had a similar feature request in https://github.com/notaryproject/notation/issues/631
It is a good idea to simplify the certificate installation process. Usually, the key vault supports signing and also stores the certificate. Therefore, if the plugin provides the ability to download the root certificate, it would be easier for the user. To achieve this goal, we need to extend the plugin protocol to support a certificate fetching operation.
Is your feature request related to a problem?
I'd like to implement verification workflow based on Hashicorp Vault similarly to how it's possible to implement signing workflow with the plugin.
I'm going to perform verification on CI/CD ephemeral runners and I need a method to fetch the verification certificate.
What solution do you propose?
I'd like to extend the
notation certificate add
command with--plugin
and--id
option to support fetching the verification certificate from KV store like HC VaultWhat alternatives have you considered?
Any additional context?
Vault is used to store the certificates(in kv) and key (in transit), so it seems natural for me to use it as a source of true for obtaining the certificates.
If you find that valuable, I can try to send the PR's to repositories with appropriate changes.