Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: create CLI spec for managing trust policies (phase 1) #568

Merged
merged 14 commits into from
Mar 17, 2023
Merged

doc: create CLI spec for managing trust policies (phase 1) #568

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
72017f2
doc: create CLI spec for managing trust policies
yizha1 Feb 25, 2023
55c8cf1
doc: update per comments
yizha1 Mar 4, 2023
a53cfc5
doc: update per comments
yizha1 Mar 4, 2023
46c3672
doc: update per comments
yizha1 Mar 10, 2023
b3ba9d7
doc: update per comments
yizha1 Mar 10, 2023
abfb2e4
doc: update per comments
yizha1 Mar 13, 2023
f671aef
doc: update per comments
yizha1 Mar 13, 2023
c65df57
doc: update per comments
yizha1 Mar 13, 2023
507e349
doc: update per comments
yizha1 Mar 13, 2023
29bc643
doc: update per comments
yizha1 Mar 13, 2023
ac634bc
doc: update per comments
yizha1 Mar 13, 2023
871c230
doc: update per comments
yizha1 Mar 14, 2023
77d0790
doc: update per comments
yizha1 Mar 15, 2023
5d789ab
doc: update per comments
yizha1 Mar 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
171 changes: 171 additions & 0 deletions specs/commandline/policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,171 @@
# notation policy

## Description

As part of signature verification workflow, users need to configure the trust policies to specify trusted identities that signed the artifacts, and the level of signature verification to use. For more details, see [trust policy specification and examples](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy).

The `notation policy` command provides a user-friendly way to manage trust policies. It allows users to import and export trust policies from/to a JSON file. Users can export a template file with trust policy configuration to start from scratch.

An example of template file:
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

```jsonc
{
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
"version": "1.0",
"trustPolicies": [
{
// Policy for set of artifacts signed by Wabbit Networks
// that are pulled from ACME Rockets repository
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
"name": "wabbit-networks-images",
"registryScopes": [
"registry.acme-rockets.io/software/net-monitor",
"registry.acme-rockets.io/software/net-logger"
],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:wabbit-networks",
"ca:wabbit-networks-ca2"
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
]
},
{
// Exception policy for a single unsigned artifact pulled from
// Wabbit Networks repository
"name": "unsigned-image",
"registryScopes": [ "registry.wabbit-networks.io/software/unsigned/net-utils" ],
"signatureVerification": {
"level" : "skip"
}
},
{
// Policy that uses custom verification level to relax the strict verification.
// It logs expiry and skips revocation check for a specific artifact.
"name": "allow-expired-images",
"registryScopes": [ "registry.acme-rockets.io/software/legacy/metrics" ],
"signatureVerification": {
"level" : "strict",
"override" : {
"expiry" : "log",
"revocation" : "skip"
}
},
"trustStores": ["ca:acme-rockets"],
"trustedIdentities": ["*"]
},
{
// Policy for all other artifacts signed by ACME Rockets
"name": "global-policy-for-all-other-images",
"registryScopes": [ "*" ],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:acme-rockets-others"
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder",
"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Hr, CN=SecureBuilder"
]
}
]
}
```

## Outline

### notation policy command

```text
Manage trust policies for signature verification.

Usage:
notation policy [command]

Available Commands:
export export trust policies to a JSON file
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
import import trust policies from a JSON file
show show trust policies

Flags:
-h, --help help for policy
```

### notation policy export

```text
Export trust policies to a JSON file

Usage:
notation policy export [flags] <file_path>
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Flags:
-d, --debug debug mode
-h, --help help for export
--template export a template of trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
-v, --verbose verbose mode
```

### notation policy import

```text
Import trust policies from a JSON file
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy import [flags] <file_path>

Flags:
-d, --debug debug mode
-h, --help help for import
-v, --verbose verbose mode
```

### notation policy show

```text
Show trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy [flags] show
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Flags:
-d, --debug debug mode
-h, --help help for show
-v, --verbose verbose mode
```

## Usage

### Import trust policies from a JSON file

```shell
notation policy import ./my_policy.json
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```

The trust policies in the JSON file will be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policies are imported successfully. Error logs including the reason should be printed out if the importing fails.

### Export a template file of trust policies

The template file is for users to create trust policies from scratch. Users should update the trust policies according to own requirements before importing the template file.

```shell
notation policy export --template ./trustpolicy_template.json
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

### Export existing trust policies into a JSON file

```shell
notation policy export ./policy_exported.json
```

Upon successful execution, the existing trust policies are exported into a json file.

### Show trust policies

```shell
notation policy show
```

Upon successful execution, the trust policies are printed out. If trust policies are not configured, users should receive an error message.
27 changes: 14 additions & 13 deletions specs/notation-cli.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,19 @@ This spec contains reference information on using notation commands. Each comman

## Notation Commands

| Command | Description |
| ------------------------------------------- | ----------------------------------------- |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

| Command | Description |
| ------------------------------------------- | ------------------------------------------------ |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [policy](./commandline/policy.md) | Manage trust policies for signature verification |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

## Notation Outline

Expand All @@ -34,6 +34,7 @@ Available Commands:
login Login to registry
logout Log out from the logged in registries
plugin Manage plugins
policy Manage trust policies for signature verification
sign Sign artifacts
verify Verify artifacts
version Show the notation version information
Expand Down