
Making NOTATION_USERNAME and NOTATION_PASSWORD secure #709

Closed
shizhMSFT opened this issue Jun 6, 2023 · 1 comment · Fixed by #746
Labels: enhancement (New feature or request)

Comments

@shizhMSFT
Contributor

What are the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

The environment variables NOTATION_USERNAME and NOTATION_PASSWORD are considered insecure and not suitable for production, since it is possible to leak them to child processes such as plugins.

What solution do you propose?

Remove those environment variables when spawning child processes (i.e. plugin processes) while keeping the other environment variables.

What alternatives have you considered?

It is always good to configure a credential store.

Any additional context?

No response
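A sketch of the proposed mitigation as an added Go example (not notation's own code): the credential variables are dropped from the environment handed to the plugin process while everything else is inherited. The names sensitiveVars, filterEnv and pluginCommand are assumptions made here for illustration.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// sensitiveVars lists the credential variables that must never reach a plugin process.
var sensitiveVars = []string{"NOTATION_USERNAME", "NOTATION_PASSWORD"}

// filterEnv returns a copy of env with every KEY=VALUE entry whose KEY is in drop removed.
// All other variables (PATH, HOME, proxy settings, ...) are kept so the plugin still works.
// Only the first '=' separates key from value, so values containing '=' are handled.
func filterEnv(env []string, drop []string) []string {
	blocked := make(map[string]struct{}, len(drop))
	for _, k := range drop {
		blocked[k] = struct{}{}
	}
	out := make([]string, 0, len(env))
	for _, kv := range env {
		key, _, _ := strings.Cut(kv, "=")
		if _, bad := blocked[key]; bad {
			continue
		}
		out = append(out, kv)
	}
	return out
}

// pluginCommand builds the exec.Cmd for a plugin binary with the sanitized environment.
// Setting cmd.Env explicitly replaces the default of inheriting os.Environ() unchanged.
func pluginCommand(path string, args ...string) *exec.Cmd {
	cmd := exec.Command(path, args...)
	cmd.Env = filterEnv(os.Environ(), sensitiveVars)
	return cmd
}

func main() {
	// Constructed demo values: set credentials, then run `env` as a stand-in plugin
	// and check that neither variable is visible to the child.
	os.Setenv("NOTATION_USERNAME", "demo-user")
	os.Setenv("NOTATION_PASSWORD", "demo-secret")
	out, err := pluginCommand("env").Output()
	if err != nil {
		fmt.Println("could not run demo child process:", err)
		return
	}
	fmt.Println("leaked:", strings.Contains(string(out), "NOTATION_")) // leaked: false
}
```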

@kokamkarsahil

Alternate solution

We can use SOPS [1] to encrypt the .env using AWS KMS, Azure Key Vault, age, or PGP.

Example

It stores the values in an encrypted format which can be decrypted and used.


SOPS also got approved for CNCF sandbox recently: https://github.com/orgs/cncf/projects/14/views/1?pane=issue&itemId=20793336

Cons

The last update was over a year ago. (As it's approved for CNCF sandbox, we can expect updates.)

IIRC there was also a Docker credential issue which was in discussion. We can also make use of SOPS for it.


[1] https://github.com/mozilla/sops, https://pkg.go.dev/go.mozilla.org/sops

@yizha1 yizha1 removed the triage Need to triage label Jul 18, 2023
priteshbandi pushed a commit that referenced this issue Jul 20, 2023
…redentials to plugin (#746)

Fix: unset credentials env after reading the value (Resolves #709)


Signed-off-by: Junjie Gao <[email protected]>