Add the ability to use plugins to import certificates (and maybe trust policies)

[tomaszkrzyzanowski]

Is your feature request related to a problem?

I'd like to implement verification workflow based on Hashicorp Vault similarly to how it's possible to implement signing workflow with the plugin.

I'm going to perform verification on CI/CD ephemeral runners and I need a method to fetch the verification certificate.

What solution do you propose?

I'd like to extend the notation certificate add command with --plugin and --id option to support fetching the verification certificate from KV store like HC Vault

What alternatives have you considered?

1. Extend hc-vault's key-helper to add fetch option
2. Write shell scripts to cover fetching importing the key

Any additional context?

Vault is used to store the certificates(in kv) and key (in transit), so it seems natural for me to use it as a source of true for obtaining the certificates.

If you find that valuable, I can try to send the PR's to repositories with appropriate changes.

[FeynmanZhou]

This is a good proposal which will simplify importing root certs for verification. I had a similar feature request in https://github.com/notaryproject/notation/issues/631

[JeyJeyGao]

It is a good idea to simplify the certificate installation process. Usually, the key vault supports signing and also stores the certificate. Therefore, if the plugin provides the ability to download the root certificate, it would be easier for the user. To achieve this goal, we need to extend the plugin protocol to support a certificate fetching operation.