-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support clean up the source key and certificate generated by Notation #647
Comments
Will take this one. @yizha1 @FeynmanZhou Do we want it in 1.0 or after 1.0? |
@FeynmanZhou By reading through your issue description, I have the following question: |
@patrickzheng200 It's in v1.0.0. This cleanup flag is used to delete the specified source key/cert. We need to add an argument |
I see. So, each time we run with flag
Given the file above, what is our expected result after running |
IMO, adding key and cert to signingkey.json manually is not a regular manipulation although technically it is allowed. Given the case above, I think |
Yeah, that makes sense. To confirm, the command |
Just to confirm:
|
@yizha1 Right. |
The following command |
Thanks @toddysm, I agree with your concern here. How about this: |
@patrickzheng200 your proposal makes more sense. Is the expectation that only "test" pairs are cleaned up? Although unlikely, there may be some odd usage where the key and the cert are both on the same machine (device - I can come up with a hypothetical scenario for IIoT :) ). Shouldn't we just have the command as |
@toddysm Yeah, the original purpose was to only clean up those test pairs created by |
We still need to triage this issue, and understand what the solution will be. |
The function of |
@toddysm I just completed OCI spec related works for rc.5, switching my focus to this issue again. I think @yizha1's concern is valid. If we call it |
If it is experimental flag, then it is not that useful for users. |
@yizha1 I see. I'm okay with both options. Let's wait for others' suggestions. |
Had some discussions with @shizhMSFT today:
Waiting for others' suggestions on this. /cc: @priteshbandi @toddysm @sajayantony @yizha1 @FeynmanZhou @JeyJeyGao |
IMO, adding a new sub-command |
No matter what solution will be, suggest updating the description for
So my proposal is
|
I like the proposal for a new command "notation cert cleanup-test" and modifying the description test of generate-test command as @yizha1 said above. However, I don't think we need to move this under the "EXPERIMENTAL" feature flag, because we intend to support this option for people to test notation with the least amount of friction |
As discussed in the community meeting on 5/23/2023, this issue is not critical for v1 release, so let's scope it out and triage it after v1 release. |
What is the areas you would like to add the new feature to?
Notation CLI
Is your feature request related to a problem?
notation key delete
can only remove the key from the signing key list andnotation cert delete
can only remove the self-signed certificate from the trust store. This is by design since Notation doesn't support signing with local keys and managing local keys.Per discussion in #606 (comment) and another issue #604 , users want to delete the source key and certificate generated by
notation cert generate-test
in a convenient way.What solution do you propose?
Providing a flag
--cleanup
tonotation cert generate-test
to allow users to delete the specified source key and certificate generated bynotation cert generate-test
. This flag is only used to delete the test key and self-signed certificate. The keys and certificates that are not generated by Notation will not be able to be deleted with this flag.For example, delete a source key and cert generated by
notation cert generate-test "wabbit-networks.io"
:What alternatives have you considered?
N/A
Any additional context?
No response
The text was updated successfully, but these errors were encountered: