
Add args in notation certificate command to show default signing key #839

Closed
fanndu opened this issue Nov 26, 2023 · 4 comments
Labels: enhancement (New feature or request), wontfix (This will not be worked on)

Comments

@fanndu

fanndu commented Nov 26, 2023

Is your feature request related to a problem?

There is no command in notation certificate to show the default signing key. Users can only know it by looking at the signing key config file (as follows on macOS).

%cat /Users/xx/Library/Application Support/notation/signingkeys.json
{
    "default": "valid-example",
    "keys": [
        {
            "name": "valid-example",
            "keyPath": "/Users/xxx/Library/Application Support/notation/localkeys/valid-example.key",
            "certPath": "/Users/xxx/Library/Application Support/notation/localkeys/valid-example.crt"
        },
        {
            "name": "expired-example",
            "keyPath": "/Users/xxx/Library/Application Support/notation/localkeys/expired-example.key",
            "certPath": "/Users/xxx/Library/Application Support/notation/localkeys/expired-example.crt"
        }
    ]
}

What solution do you propose?

Add a new argument to show the default signing key, as follows.

/bin/notation cert show default
Certificate details
--------------------------------------------------------------------------------
Issuer: CN=valid-example,O=Notary,L=Seattle,ST=WA,C=US
Subject: CN=valid-example,O=Notary,L=Seattle,ST=WA,C=US
Valid from: 2023-11-25 01:31:22 +0000 UTC
Valid to: 2023-11-26 01:31:22 +0000 UTC
IsCA: false
SHA256 Thumbprint: 4a9730215ca6ad285f63000c447baf69a45334296c869b040486e7de783cecf5

And show the default signing key indicator in the list command.

./bin/notation cert list
STORE TYPE         STORE NAME        CERTIFICATE
ca                 expired-example   expired-example.crt
ca                 valid-example     valid-example.crt                    **default signing key**

What alternatives have you considered?

N/A

Any additional context?

No response

@FeynmanZhou
Member

FeynmanZhou commented Dec 5, 2023

Hi @fanndu,

There is a way to figure out which signing key is set as default. You can use notation key list to get this information. For example, the key name notation.io with * is the default signing key.

$  notation key ls
wabbit-networks.io   /home/azureuser/.config/notation/localkeys/wabbit-networks.io.key   /home/azureuser/.config/notation/localkeys/wabbit-networks.io.crt
* notation.io        /home/azureuser/.config/notation/localkeys/notation.io.key          /home/azureuser/.config/notation/localkeys/notation.io.crt

In addition, Notation doesn't have a default certificate concept yet.
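As an added example (not code from this issue or from the Notation project), the following Go program does by hand what the issue asks the CLI for: it resolves the "default" entry of a signingkeys.json document of the shape shown above, reports a dangling or empty default as an error, and summarizes a certificate with the fields that `notation cert show` prints (issuer, subject, validity window, IsCA, SHA-256 thumbprint), plus a validity check that tells you whether the default key's certificate has expired, which the `*` marker in `notation key ls` alone does not. The sample JSON, the /tmp paths, the Organization value and the self-signed certificates are constructed here so the program runs offline; the thumbprint is assumed to be SHA-256 over the DER encoding, and all parsing is done with the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// KeyEntry and SigningKeys mirror signingkeys.json: the default key name plus the key list.
type KeyEntry struct {
	Name     string `json:"name"`
	KeyPath  string `json:"keyPath"`
	CertPath string `json:"certPath"`
}
type SigningKeys struct {
	Default string     `json:"default"`
	Keys    []KeyEntry `json:"keys"`
}

// Constructed sample in the shape shown in the issue; the /tmp paths are placeholders.
const sampleSigningKeys = `{"default": "valid-example", "keys": [
  {"name": "valid-example",   "keyPath": "/tmp/valid-example.key",   "certPath": "/tmp/valid-example.crt"},
  {"name": "expired-example", "keyPath": "/tmp/expired-example.key", "certPath": "/tmp/expired-example.crt"}]}`

// ParseSigningKeys decodes a signingkeys.json document.
func ParseSigningKeys(data []byte) (s SigningKeys, err error) {
	err = json.Unmarshal(data, &s)
	return
}

// DefaultKey resolves "default" against the key list; an empty or dangling default is an error.
func (s SigningKeys) DefaultKey() (KeyEntry, error) {
	for _, k := range s.Keys {
		if s.Default != "" && k.Name == s.Default {
			return k, nil
		}
	}
	return KeyEntry{}, fmt.Errorf("default signing key %q is not in the key list", s.Default)
}

// CertSummary holds the fields `notation cert show` prints for a certificate.
type CertSummary struct {
	Issuer, Subject     string
	NotBefore, NotAfter time.Time
	IsCA                bool
	SHA256Thumbprint    string // hex SHA-256 over the DER encoding (assumption)
}

// SummarizeCert parses the first PEM CERTIFICATE block and summarizes it.
func SummarizeCert(pemBytes []byte) (CertSummary, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertSummary{}, fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertSummary{}, err
	}
	sum := sha256.Sum256(cert.Raw)
	return CertSummary{Issuer: cert.Issuer.String(), Subject: cert.Subject.String(),
		NotBefore: cert.NotBefore, NotAfter: cert.NotAfter, IsCA: cert.IsCA,
		SHA256Thumbprint: hex.EncodeToString(sum[:])}, nil
}

// ValidAt reports whether t falls inside the certificate's validity window.
func (c CertSummary) ValidAt(t time.Time) bool { return !t.Before(c.NotBefore) && !t.After(c.NotAfter) }

// SelfSignedCertPEM mints a throwaway P-256 self-signed leaf (constructed) so the example runs offline.
func SelfSignedCertPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: cn, Organization: []string{"Notary"}},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cfg, _ := ParseSigningKeys([]byte(sampleSigningKeys))
	k, err := cfg.DefaultKey()
	fmt.Printf("default signing key: %s (%s), err=%v\n", k.Name, k.CertPath, err)
}
```

In a real tool you would read the PEM from the default entry's CertPath and feed it to SummarizeCert; if ValidAt(time.Now()) is false, the key marked `*` by `notation key ls` will still be selected for signing even though its certificate has expired, which is exactly the situation the "expired-example" entry above illustrates.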

@yizha1
Contributor

yizha1 commented Dec 7, 2023

@fanndu I think you want to make a connection between certificates and keys. The notation cert command is used to add CA certificates for verification, normally root CA certificates. So, showing "default signing key" is misleading, since it is not. For a self-signed certificate, the cert and key are a pair, but for CA-issued certificates it is not a one-to-one match, because a CA certificate can be used to verify signatures that are generated with different private keys. And from the verification point of view, there is no need to mark a "default", since a verifier wants to verify images signed with different keys; it is unusual to have a "default" certificate verifying images signed with a default signing key. In other cases, a verifier can only configure the trust store, without the need to add signing keys.

yizha1 added the label "wontfix" (This will not be worked on) and removed the label "triage" (Need to triage) on Dec 7, 2023
@fanndu
Author

fanndu commented Dec 12, 2023

> Hi @fanndu,
>
> There is a way to figure out which signing key is set as default. You can use notation key list to get this information. For example, the key name notation.io with * is the default signing key.
>
> $  notation key ls
> wabbit-networks.io   /home/azureuser/.config/notation/localkeys/wabbit-networks.io.key   /home/azureuser/.config/notation/localkeys/wabbit-networks.io.crt
> * notation.io        /home/azureuser/.config/notation/localkeys/notation.io.key          /home/azureuser/.config/notation/localkeys/notation.io.crt
>
> In addition, Notation doesn't have a default certificate concept yet.

Thanks @FeynmanZhou. This is the command I want.

@fanndu
Author

fanndu commented Dec 12, 2023

> @fanndu I think you want to make a connection between certificates and keys. The notation cert command is used to add CA certificates for verification, normally root CA certificates. So, showing "default signing key" is misleading, since it is not. For a self-signed certificate, the cert and key are a pair, but for CA-issued certificates it is not a one-to-one match, because a CA certificate can be used to verify signatures that are generated with different private keys. And from the verification point of view, there is no need to mark a "default", since a verifier wants to verify images signed with different keys; it is unusual to have a "default" certificate verifying images signed with a default signing key. In other cases, a verifier can only configure the trust store, without the need to add signing keys.

@yizha1 Thanks. FeynmanZhou has answered my question.

Project status: Done
Development: No branches or pull requests
3 participants