
Failed to sign images using self-signed certificates created from Key vault #320

Closed
yizha1 opened this issue Aug 30, 2022 · 16 comments

@yizha1
Contributor

yizha1 commented Aug 30, 2022

Summary

The Notation alpha.3 release is used, following the steps of the workflow at https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push

After creating self-signed certificates in AKV, signing image doesn't work.

$ notation sign --key $KEY_NAME $IMAGE
Error: describe-key command failed: azure-kv: : x509: malformed certificate
2022/08/18 21:42:13 describe-key command failed: azure-kv: : x509: malformed certificate

Desired Result

Notation sign and verify should work easily using self-signed certificates from a KV.

@yizha1 yizha1 added this to the alpha-3 milestone Aug 30, 2022
@yizha1
Contributor Author

yizha1 commented Aug 30, 2022

@iamsamirzon This is the issue we discussed today. The self-signed certificate doesn't work as usual. A certificate chain is expected, but it is too cumbersome to create a self-signed certificate chain. Could you add the PR that @priteshbandi is working on? I added this issue to the alpha-3 milestone; we can move it to a new milestone later.

/cc @FeynmanZhou @dtzar

@FeynmanZhou
Member

FeynmanZhou commented Aug 30, 2022

The certificate chain validation requirement was updated in the spec by notaryproject/specifications#162 and now requires that "A valid certificate chain MUST contain a minimum of two certificates - a leaf and a root certificate". We might need to answer the following questions:

  1. Is this the right security design?
  2. Should this chain requirement be relaxed?
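To make the two rules under discussion concrete, here is an added example (written for this page, not code from notation, notation-go or the Notary Project spec) in Go, the language of notation-go. It builds two chains in memory instead of fetching anything from Azure Key Vault: a lone self-signed signing certificate, which is what an AKV self-signed certificate amounts to, and a leaf issued by a separate self-signed root. `ValidateChain` then applies either the strict "leaf and root" rule quoted above (`requireTwo=true`) or a relaxed rule in which a self-signed certificate may act as its own root. The function and helper names are hypothetical; the check covers issuer/subject linkage, signatures and validity periods only, and deliberately leaves CA and key-usage constraints out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateChain checks a chain ordered leaf first, root last. Every certificate
// must be issued and signed by the next one, and the last must be self-signed.
// requireTwo=true enforces the "minimum of two certificates" rule; with
// requireTwo=false a single self-signed certificate is accepted as its own root.
// (Hypothetical helper for this example; CA/key-usage constraints are not checked.)
func ValidateChain(chain []*x509.Certificate, requireTwo bool) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	if requireTwo && len(chain) < 2 {
		return errors.New("chain must contain at least a leaf and a root certificate")
	}
	now := time.Now()
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("certificate %d is outside its validity period", i)
		}
		// The last certificate is its own issuer; every other one is issued by the next.
		parentIdx := i
		if i < len(chain)-1 {
			parentIdx = i + 1
		}
		parent := chain[parentIdx]
		if !bytes.Equal(c.RawIssuer, parent.RawSubject) {
			if parentIdx == i {
				return fmt.Errorf("last certificate %d is not self-issued", i)
			}
			return fmt.Errorf("certificate %d issuer does not match certificate %d subject", i, parentIdx)
		}
		if err := parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
			return fmt.Errorf("certificate %d signature does not verify under certificate %d: %w", i, parentIdx, err)
		}
	}
	return nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a minimal certificate template; ca=true marks a signing CA.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// makeCert signs tmpl with signer's key under parent and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// SelfSignedChain is a single self-signed signing certificate (constructed sample).
func SelfSignedChain() []*x509.Certificate {
	k := newKey()
	t := template("self-signed signing cert", 1, false)
	return []*x509.Certificate{makeCert(t, t, &k.PublicKey, k)}
}

// TwoCertChain is a leaf issued by a separate self-signed root (constructed sample).
func TwoCertChain() []*x509.Certificate {
	rootKey, leafKey := newKey(), newKey()
	rootT := template("test root", 2, true)
	root := makeCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	leaf := makeCert(template("leaf signing cert", 3, false), root, &leafKey.PublicKey, rootKey)
	return []*x509.Certificate{leaf, root}
}

func main() {
	single, two := SelfSignedChain(), TwoCertChain()
	fmt.Println("self-signed, strict rule: ", ValidateChain(single, true))
	fmt.Println("self-signed, relaxed rule:", ValidateChain(single, false))
	fmt.Println("leaf+root, strict rule:   ", ValidateChain(two, true))
	fmt.Println("leaf only, relaxed rule:  ", ValidateChain(two[:1], false))
}
```

Note that relaxing the rule does not weaken what a verifier trusts: the self-signed certificate is the trust anchor itself, so the verifier's trust store has to contain that exact certificate, and a leaf that merely lacks its root (the last case in `main`) is still rejected because it is not self-issued.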

@iamsamirzon
Contributor

@FeynmanZhou - I have created an issue to relax the certificate chain requirement; refer to notaryproject/specifications#192. I think we now need to assign this issue to a crypto SME to identify which Notary Project specifications need updating and then open a pull request.

@yizha1
Contributor Author

yizha1 commented Sep 1, 2022

Thanks @iamsamirzon, we can close this issue and track notaryproject/specifications#192 instead.

@iamsamirzon
Contributor

@yizha1 - Let's keep this issue open to ensure the AKV use case is met once the certificate chain requirements are relaxed.

@iamsamirzon
Contributor

@yizha1 - Could you retest this with the next weekly build, before we create Alpha-4?

@vaninrao10
Contributor

@yizha1 can you please see if this can be done before we create Alpha-4?

@yizha1
Contributor Author

yizha1 commented Sep 24, 2022

@vaninrao10 notaryproject/notation-go#147 and notaryproject/notation-go#131 need to be merged first; then I can verify it using the latest notation-go and notation-core-go.

@vaninrao10
Contributor

vaninrao10 commented Sep 28, 2022

@yizha1 both notaryproject/notation-go#147 and notaryproject/notation-go#131 have been merged. Is there any blocker for verification?

@dtzar
Contributor

dtzar commented Sep 28, 2022

@vaninrao10 - If I get someone to approve #363, then I can kick off another dev build so we can all test it easily. Otherwise we have to manually create a build to test, or wait until the automated dev build next Sunday.

@vaninrao10
Contributor

@dtzar Pritesh has approved it.

@dtzar
Contributor

dtzar commented Sep 28, 2022

@vaninrao10
Contributor

@dtzar - Should it have been alpha.4 instead of 3?

@dtzar
Contributor

dtzar commented Sep 28, 2022

Nope - it will be that when you do the actual alpha.4 release. This is just to test to make sure before Alpha.4 - effectively those should be the same bits though.

@yizha1
Contributor Author

yizha1 commented Sep 29, 2022

Hi @vaninrao10 and @dtzar, I will start verifying the dev build and let you know the results before Thursday's community call.

@yizha1
Contributor Author

yizha1 commented Sep 29, 2022

Verified successfully using dev build https://github.com/notaryproject/notation/releases/tag/v0.10.0-alpha.3.dev.20220928. Alpha.4 is good to go.

@dtzar dtzar closed this as completed Sep 29, 2022