Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: create CLI spec for managing trust policies (phase 1) #568

Merged
merged 14 commits into from
Mar 17, 2023
Merged

doc: create CLI spec for managing trust policies (phase 1) #568

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
72017f2
doc: create CLI spec for managing trust policies
yizha1 Feb 25, 2023
55c8cf1
doc: update per comments
yizha1 Mar 4, 2023
a53cfc5
doc: update per comments
yizha1 Mar 4, 2023
46c3672
doc: update per comments
yizha1 Mar 10, 2023
b3ba9d7
doc: update per comments
yizha1 Mar 10, 2023
abfb2e4
doc: update per comments
yizha1 Mar 13, 2023
f671aef
doc: update per comments
yizha1 Mar 13, 2023
c65df57
doc: update per comments
yizha1 Mar 13, 2023
507e349
doc: update per comments
yizha1 Mar 13, 2023
29bc643
doc: update per comments
yizha1 Mar 13, 2023
ac634bc
doc: update per comments
yizha1 Mar 13, 2023
871c230
doc: update per comments
yizha1 Mar 14, 2023
77d0790
doc: update per comments
yizha1 Mar 15, 2023
5d789ab
doc: update per comments
yizha1 Mar 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
164 changes: 164 additions & 0 deletions specs/commandline/policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
# notation policy

## Description

As part of signature verification workflow, users need to configure the trust policies to specify trusted identities that signed the artifacts, and the level of signature verification to use. For more details, see [trust policy specification and examples](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy).

The `notation policy` command provides a user-friendly way to manage trust policies. It allows users to import/export trust policies from/to a JSON file, and show trust policies. To get started user can use following sample trust policy. In this sample, there are four policies configured for different requirements:

- The Policy named "wabbit-networks-images" is for verifying images signed by Wabbit Networks and stored in two repositories `registry.acme-rockets.io/software/net-monitor` and `registry.acme-rockets.io/software/net-logger`.
- Policy named "unsigned-image" is for skipping the verification on unsigned images stored in repository `registry.acme-rockets.io/software/unsigned/net-utils`.
- Policy "allow-expired-images" is for logging instead of failing expired images stored in repository `registry.acme-rockets.io/software/legacy/metrics`.
- Policy "global-policy-for-all-other-images" is for verifying any other images that signed by the ACME Rockets.

```jsonc
{
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
"version": "1.0",
"trustPolicies": [
{
"name": "wabbit-networks-images",
"registryScopes": [
"registry.acme-rockets.io/software/net-monitor",
"registry.acme-rockets.io/software/net-logger"
],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:wabbit-networks",
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
]
},
{
"name": "unsigned-image",
"registryScopes": [ "registry.acme-rockets.io/software/unsigned/net-utils" ],
"signatureVerification": {
"level" : "skip"
}
},
{
"name": "allow-expired-images",
"registryScopes": [ "registry.acme-rockets.io/software/legacy/metrics" ],
"signatureVerification": {
"level" : "strict",
"override" : {
"expiry" : "log"
}
},
"trustStores": ["ca:acme-rockets"],
"trustedIdentities": ["*"]
},
{
"name": "global-policy-for-all-other-images",
"registryScopes": [ "*" ],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:acme-rockets"
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, CN=SecureBuilder"
]
}
]
}
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```

## Outline

### notation policy command

```text
Manage trust policies for signature verification.

Usage:
notation policy [command]

Available Commands:
import import trust policies from a JSON file
show show trust policies

Flags:
-h, --help help for policy
```

### notation policy import

```text
Import trust policies from a JSON file
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy import [flags] <file_path>

Flags:
-d, --debug debug mode
--force override the existing trust policies, never prompt
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
-h, --help help for import
-v, --verbose verbose mode
```

### notation policy show

```text
Show trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy show [flags]

Flags:
-d, --debug debug mode
-h, --help help for show
-v, --verbose verbose mode
```

## Usage

### Import trust policies from a JSON file

An example of importing trust policies from a JSON file:

```shell
notation policy import ./my_policy.json
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```

The trust policies in the JSON file should be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policies are imported successfully. Error logs including the reason should be printed out if the importing fails.

Use `--force` flag to override existing policies without prompt.

### Show trust policies

Use the following command to show trust policies:

```shell
notation policy show
```

Upon successful execution, the trust policies are printed out. If trust policies are not configured, users should receive an error message, and a tip to import trust policies from a JSON file.

### Export trust policies into a JSON file

Users can redirect the output of command `notation policy show` to a JSON file.

```shell
notation policy show > ./trust_policy.json
```

### Update trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

The steps to update trust policies:

1. Export trust policies into a JSON file.

```shell
notation policy show > ./trust_policy.json
```

2. Edit the exported JSON file "trust_policy.json", update trust policies and save the file.
3. Import trust policies from the file.

```shell
notation policy import ./trust_policy.json
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```
27 changes: 14 additions & 13 deletions specs/notation-cli.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,19 @@ This spec contains reference information on using notation commands. Each comman

## Notation Commands

| Command | Description |
| ------------------------------------------- | ----------------------------------------- |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

| Command | Description |
| ------------------------------------------- | ---------------------------------------------------------- |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [policy](./commandline/policy.md) | [Preview] Manage trust policies for signature verification |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

## Notation Outline

Expand All @@ -34,6 +34,7 @@ Available Commands:
login Login to registry
logout Log out from the logged in registries
plugin Manage plugins
policy [Preview] Manage trust policies for signature verification
sign Sign artifacts
verify Verify artifacts
version Show the notation version information
Expand Down