Need help to understand the workflow of using notation in production

[ningziwen]

Hi, I'm new to this project and trying to understand the workflow of using notation in production, especially how to pass the public/private keys to notation.

I looked into Quickstart, but it uses "generate-test". Everything about key and cert is ready after running it. I'm interested to understand how to make the key and cert ready to use by notation.

I also looked into the Azure doc. It uses AKV plugin to make the key and cert ready to use.

From my understanding, in production signing use case, the image publisher has both the public key and private key file and the consumer has only the public key file. Are there any native interfaces to pass the key files to notation? If it has to be done by plugin, is AKV the only plugin to use? Are there any other plugins? Which approach is the one that most users are following?

[yizha1]

@ningziwen Thanks for trying Notation.

You can use notation key command to add/remove signing key (the private key). Take a look at the usage of notation key command. You can also find the entry for all the notation commands here.

Currently Notation doesn't support signing using local (private) key in production. The local key and certificates generated by notation cert generate-test is for testing only. We will support local key for production in the future. If you have your own local key for testing. You can use notation key add to add it to the signing key list, you will get a key name referencing the local key, then sign the artifacts by passing the key name to notation sign command. See usage of notation sign command.

AKV plugin is the only plugin providing remote signing capability. The private key and certificate are stored in AKV securely. We have a plan to introduce HashiCorp Vault KMS plugin, see issue https://github.com/notaryproject/notation/issues/521. Local key and Remote key stored in KV are for different use scenarios. For remote key stored in KV, the lifecycle of private key and certificates are managed by the KV securely. Could you provide more background info about your scenarios so that we can provide better support to you.

Please let me know if my answers solve your problem, and feel free to ask more questions if any.

Thanks,
Yi

[ningziwen]

Thanks, this answered my question. About background info, I'm doing some investigation for this issue. containerd/nerdctl#1974