Failed to sign images using self-signed certificates created from Key vault #320
Comments
@iamsamirzon This is the issue we discussed today. The self-signed certificate doesn't work as usual. A certificate chain is expected, but it is too cumbersome to create a self-signed certificate chain. Could you add the PR that @priteshbandi is working on? I added this issue to the alpha-3 milestone; we can update it to a new milestone later. /cc @FeynmanZhou @dtzar
The certificate chain validation requirement was updated in this spec by notaryproject/specifications#162 and required "A valid certificate chain MUST contain a minimum of two certificates - a leaf and a root certificate". We might need to determine the following questions:
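As an added illustration of the chain rule quoted in the comment above (this is example code written for this page, not notation's or the specification's own), the Go check below rejects a chain that consists of a single self-signed certificate, which is what a Key Vault self-signed certificate yields, and accepts a leaf signed by a separate self-signed root. The function names, subject names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkChainMinimum is a hypothetical helper (not notation's code) applying the
// quoted rule: at least a leaf and a root, the root self-signed, and every
// certificate signed by the next one in the list.
func checkChainMinimum(chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return fmt.Errorf("chain has %d certificate(s); a leaf and a root are required", len(chain))
	}
	leaf, root := chain[0], chain[len(chain)-1]
	if leaf.IsCA {
		return errors.New("first certificate must be a leaf, not a CA")
	}
	if !root.IsCA {
		return errors.New("last certificate must be a CA (the root)")
	}
	if err := root.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("root is not self-signed: %w", err)
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("certificate %d is not signed by certificate %d: %w", i, i+1, err)
		}
	}
	return nil
}

// template builds a minimal certificate template; all values are constructed.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with signer; passing parent == tmpl yields a self-signed cert.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// selfSignedOnly mimics a Key Vault self-signed certificate: one certificate
// that is its own issuer, with no separate root behind it.
func selfSignedOnly() []*x509.Certificate {
	k := mustKey()
	t := template("example-signer", 1, false)
	return []*x509.Certificate{mustCert(t, t, &k.PublicKey, k)}
}

// leafAndRoot builds the shape the spec asks for: a self-signed root CA plus
// a leaf signed by that root.
func leafAndRoot() []*x509.Certificate {
	rootKey, leafKey := mustKey(), mustKey()
	rootT := template("example-root", 2, true)
	root := mustCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	leaf := mustCert(template("example-signer", 3, false), root, &leafKey.PublicKey, rootKey)
	return []*x509.Certificate{leaf, root}
}

func main() {
	fmt.Println("single self-signed cert:", checkChainMinimum(selfSignedOnly()))
	fmt.Println("leaf + root:", checkChainMinimum(leafAndRoot()))
}
```

Running it prints an error for the single self-signed certificate and `<nil>` for the two-certificate chain, which is the gap between what Key Vault produces and what the spec text at the time required.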
@FeynmanZhou - I have created an issue to relax the certificate chain requirement. Refer to notaryproject/specifications#192. I think we now need to assign this issue to a crypto SME to identify which Notary project specifications need updating and then do a pull request.
Thanks @iamsamirzon, we can close this issue by tracking notaryproject/specifications#192.
@yizha1 - Let's keep this issue open to ensure the use case of AKV is met once the certificate chain requirements are relaxed.
@yizha1 - Could you retest this with the next weekly build, before we create Alpha-4?
@yizha1 can you please see if this can be done before we create Alpha-4?
@vaninrao10 Need to merge notaryproject/notation-go#147 and notaryproject/notation-go#131 first, then I can verify it using the latest notation-go and notation-core-go.
@yizha1 both notaryproject/notation-go#147 and notaryproject/notation-go#131 merges are completed. Is there any blocker for verification?
@vaninrao10 - If I get someone to approve #363 then I can kick off another dev build so we can all test it easily. Else we have to manually create a build to test or wait until the automated dev build next Sunday.
@dtzar Pritesh has approved it.
We can now test with this: https://github.com/notaryproject/notation/releases/tag/v0.10.0-alpha.3.dev.20220928
@dtzar - Should it have been alpha.4 instead of 3?
Nope - it will be that when you do the actual alpha.4 release. This is just to test to make sure before Alpha.4 - effectively those should be the same bits though.
Hi @vaninrao10 and @dtzar, I will start to verify the dev build, and let you know the results before Thursday's community call.
Verified successfully using dev build https://github.com/notaryproject/notation/releases/tag/v0.10.0-alpha.3.dev.20220928. Alpha.4 is good to go.
Summary
The Notation alpha.3 release is used. Follow the steps according to the workflow https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push
After creating self-signed certificates in AKV, signing an image doesn't work.
Desired Result
Notation sign and verify should work easily using self-signed certificates from a KV.