Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: create CLI spec for managing trust policies (phase 1) #568

Merged
merged 14 commits into from
Mar 17, 2023
Merged

doc: create CLI spec for managing trust policies (phase 1) #568

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
72017f2
doc: create CLI spec for managing trust policies
yizha1 Feb 25, 2023
55c8cf1
doc: update per comments
yizha1 Mar 4, 2023
a53cfc5
doc: update per comments
yizha1 Mar 4, 2023
46c3672
doc: update per comments
yizha1 Mar 10, 2023
b3ba9d7
doc: update per comments
yizha1 Mar 10, 2023
abfb2e4
doc: update per comments
yizha1 Mar 13, 2023
f671aef
doc: update per comments
yizha1 Mar 13, 2023
c65df57
doc: update per comments
yizha1 Mar 13, 2023
507e349
doc: update per comments
yizha1 Mar 13, 2023
29bc643
doc: update per comments
yizha1 Mar 13, 2023
ac634bc
doc: update per comments
yizha1 Mar 13, 2023
871c230
doc: update per comments
yizha1 Mar 14, 2023
77d0790
doc: update per comments
yizha1 Mar 15, 2023
5d789ab
doc: update per comments
yizha1 Mar 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
232 changes: 232 additions & 0 deletions specs/commandline/policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,232 @@
# notation policy

## Description

As part of signature verification workflow, users need to configure the trust policies to specify trusted identities that signed the artifacts, and the level of signature verification to use. For more details, see [trust policy specification and examples](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy).

The `notation policy` command provides a user-friendly way to manage trust policies. It allows users to initialize trust policies with default values, import trust policies from a JSON file, and show trust policies. To get started user can use following sample trust policy. In this sample, there are four policies configured for different requirements:
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

- The Policy named "wabbit-networks-images" is for verifying images signed by Wabbit Networks and stored in two repositories `registry.acme-rockets.io/software/net-monitor` and `registry.acme-rockets.io/software/net-logger`.
- Policy named "unsigned-image" is for skipping the verification on unsigned images stored in repository `registry.acme-rockets.io/software/unsigned/net-utils`.
- Policy "allow-expired-images" is for logging instead of failing expired images stored in repository `registry.acme-rockets.io/software/legacy/metrics`.
- Policy "global-policy-for-all-other-images" is for verifying any other images that signed by the ACME Rockets.

```jsonc
{
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
"version": "1.0",
"trustPolicies": [
{
"name": "wabbit-networks-images",
"registryScopes": [
"registry.acme-rockets.io/software/net-monitor",
"registry.acme-rockets.io/software/net-logger"
],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:wabbit-networks",
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
]
},
{
"name": "unsigned-image",
"registryScopes": [ "registry.acme-rockets.io/software/unsigned/net-utils" ],
"signatureVerification": {
"level" : "skip"
}
},
{
"name": "allow-expired-images",
"registryScopes": [ "registry.acme-rockets.io/software/legacy/metrics" ],
"signatureVerification": {
"level" : "strict",
"override" : {
"expiry" : "log"
}
},
"trustStores": ["ca:acme-rockets"],
"trustedIdentities": ["*"]
},
{
"name": "global-policy-for-all-other-images",
"registryScopes": [ "*" ],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:acme-rockets"
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, CN=SecureBuilder"
]
}
]
}
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```

## Outline

### notation policy command

```text
Manage trust policies for signature verification.

Usage:
notation policy [command]

Available Commands:
import import trust policies from a JSON file
init initialize trust policies with default values
show show trust policies

Flags:
-h, --help help for policy
```

### notation policy import

```text
Import trust policies from a JSON file
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy import [flags] <file_path>

Flags:
-d, --debug debug mode
--force override the existing trust policies, never prompt
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
-h, --help help for import
-v, --verbose verbose mode
```

### notation policy init

```text
Initialize trust policies with default values
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy init [flags]
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Flags:
-d, --debug debug mode
--force restore the trust policies to default values. Any existing trust polices will be discarded, never prompt
-h, --help help for export
--trust-store stringArray specify the trust stores in format "<type>:<name>", e.g. "ca:my_store". If this flag is ignored, a default trust store "ca:default" is used
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
-v, --verbose verbose mode
```

### notation policy show

```text
Show trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy show [flags]

Flags:
-d, --debug debug mode
-h, --help help for show
-v, --verbose verbose mode
```

## Usage

### Initialize trust policies with default values

```shell
notation policy init
```

Upon successful execution, trust policies with default values are created and printed out as following. Use command `notation cert add --type ca --store default <cert_file>` to add CA certificates to trust store `ca:default`. If users want to use different trust stores, refer to section [Update trust policies](#update-trust-policies) on how to do the update.

```jsonc
{
"version": "1.0",
"trustPolicies": [
{
"name": "policy-by-init-command",
"registryScopes": ["*"],
"signatureVerification": {
"level": "strict"
},
"trustStores": ["ca:default"],
"trustedIdentities": ["*"]
}
]
}

```

If there are existing trust policies configured and users still run `notation policy init` command, A prompt should be displayed asking for confirmation on whether restoring to default values or not. Use `--force` flag to discard any existing trust policies without prompt.

### Initialize trust policies with specified trust stores

```shell
notation policy init --ts "ca:my_store" --ts "ca:my_store_2"
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```

Upon successful execution, trust policies with default values and specified trust stores are created and printed out as following:

```jsonc
{
"version": "1.0",
"trustPolicies": [
{
"name": "policy-by-init-command",
"registryScopes": ["*"],
"signatureVerification": {
"level": "strict"
},
"trustStores": ["ca:my_store", "ca:my_store_2"],
"trustedIdentities": ["*"]
}
]
}
```

Use `--force` flag to override existing policies without prompt.

### Show trust policies

```shell
notation policy show
```

Upon successful execution, the trust policies are printed out. If trust policies are not configured, users should receive an error message, and a tip to initialize trust policies using command `notation policy init`.

### Export trust policies into a JSON file

Users can redirect the output of command `notation policy show` to a JSON file.

```shell
notation policy show > ./trust_policy.json
```

### Import trust policies from a JSON file

```shell
notation policy import ./my_policy.json
```

The trust policies in the JSON file will be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policies are imported successfully. Error logs including the reason should be printed out if the importing fails.

Use `--force` flag to override existing policies without prompt.
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

### Update trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

The steps to update trust policies:

1. Export trust policies into a JSON file.

```shell
notation policy show > ./trust_policy.json
```

2. Edit the exported JSON file "trust_policy.json", update trust policies and save the file.
3. Import trust policies from the file.

```shell
notation policy import ./trust_policy.json
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```
27 changes: 14 additions & 13 deletions specs/notation-cli.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,19 @@ This spec contains reference information on using notation commands. Each comman

## Notation Commands

| Command | Description |
| ------------------------------------------- | ----------------------------------------- |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

| Command | Description |
| ------------------------------------------- | ---------------------------------------------------------- |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [policy](./commandline/policy.md) | [Preview] Manage trust policies for signature verification |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

## Notation Outline

Expand All @@ -34,6 +34,7 @@ Available Commands:
login Login to registry
logout Log out from the logged in registries
plugin Manage plugins
policy [Preview] Manage trust policies for signature verification
sign Sign artifacts
verify Verify artifacts
version Show the notation version information
Expand Down