Hi, I'm new to this project and trying to understand the workflow of using notation in production, especially how to pass the public/private keys to notation. I looked into the Quickstart, but it uses "generate-test", and everything about the key and cert is ready after running it. I'm interested in understanding how to make the key and cert ready for use by notation. I also looked into the Azure doc; it uses the AKV plugin to make the key and cert ready to use. From my understanding, in the production signing use case the image publisher has both the public key and private key file, and the consumer has only the public key file. Are there any native interfaces to pass the key files to notation? If it has to be done by a plugin, is AKV the only plugin to use? Are there any other plugins? Which approach is the one that most users are following?
Replies: 1 comment 1 reply
Currently the AKV plugin is the only plugin providing remote signing capability. The private key and certificate are stored in AKV securely. We have a plan to introduce a HashiCorp Vault KMS plugin, see issue https://github.com/notaryproject/notation/issues/521. Local keys and remote keys stored in a KV are for different use scenarios. For a remote key stored in a KV, the lifecycle of the private key and certificates is managed by the KV securely. Could you provide more background info about your scenarios so that we can provide better support to you? Please let me know if my answers solve your problem, and feel free to ask more questions if any. Thanks,
@ningziwen Thanks for trying Notation. You can use the notation key command to add/remove a signing key (the private key). Take a look at the usage of the notation key command. You can also find the entry for all the notation commands here. Currently Notation doesn't support signing using a local (private) key in production. The local key and certificates generated by notation cert generate-test are for testing only. We will support local keys for production in the future. If you have your own local key for testing, you can use notation key add to add it to the signing key list; you will get a key name referencing the local key, then sign the artifacts by passing the key name to the notation sign command. …