
Setting up delegation keys seems hard

Open · directionless opened this issue 4 years ago · 1 comment

Hi! I'm not sure if this is a bit of missing code, or a doc issue, or just a problem in my understanding, but from what I can tell, setting up a delegation key seems unreasonably hard.

The documentation at advanced_usage.md is fairly succinct. It says:

Once you've acquired the delegate's x509 certificate, you can add a delegation for this user:

$ notary delegation add example.com/collection targets/releases cert.pem --paths="delegation/path"

But unmentioned here is how to generate the x509 key and certificate.

I would generally assume I can use notary key generate ecdsa for this, but it seems unfriendly.

If I run it without the -o, I get a key in my key store. This is great, but I don't see how to export the public cert; notary key export only exports the encrypted private key. I can't even tell if the public component is saved.

If I run with -o I get a public and private keypair on local disk. But, I don't see an easy way to import that key. The files generated are missing the path header:

~ $ notary key generate ecdsa --role targets/releases -o delegation
Enter passphrase for new  key with ID c586919: 
Repeat passphrase for new  key with ID c586919: 

~ $ notary key import delegation-key.pem 
WARN[0000] failed to import key to store: Invalid key generated, key may be encrypted and does not contain path header 

I have a very cumbersome workaround, in that I can:

  1. notary delegation add ...
  2. use notary delegation list to retrieve the key keyid
  3. edit delegation-key.pem to include the path. (There is no error checking here https://github.com/theupdateframework/notary/issues/1546)
  4. Now I can import

But this seems unusually hard.

directionless · Apr 16 '20 17:04
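Step 3 of the workaround above (hand-editing delegation-key.pem so that notary key import accepts it) can be scripted. The following is an added example, not code from the notary project or from the issue author. It assumes that the header notary wants is named path (as the import error message says), that its value is the key ID printed by notary delegation list in step 2, and that a role header carries the delegation role; the header layout (Name: value lines directly after the BEGIN line, then one blank line) is the RFC 1421 style that Go's encoding/pem, which notary uses, reads and writes. The sample PEM bodies in the comments and test are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the notary project. It automates step 3 of the
# workaround: adding the PEM headers that `notary key import` looks for to a
# key file written by `notary key generate ... -o`.
#
# Assumptions (not confirmed by the issue text): the header is named "path",
# its value is the key ID that `notary delegation list` prints, and a "role"
# header carries the delegation role. Headers are written RFC 1421 style:
# "Name: value" lines after the BEGIN line, then one blank line before the
# base64 body, which is the layout Go's encoding/pem reads and writes.

# pem_header FILE NAME: print the value of header NAME from the first PEM
# block in FILE; returns 1 if the header is absent.
pem_header() {
  val=$(sed -n "/^-----BEGIN /,/^\$/{ s/^$2: //p; }" "$1" | head -n 1)
  [ -n "$val" ] && printf '%s\n' "$val"
}

# add_notary_headers IN KEYID ROLE OUT: copy PEM file IN to OUT with
# "path: KEYID" and "role: ROLE" inserted after the BEGIN line. Headers the
# file already has (e.g. Proc-Type/DEK-Info on a legacy encrypted key) are
# kept, and exactly one blank line separates the headers from the body.
add_notary_headers() {
  src="$1"; keyid="$2"; role="$3"; out="$4"
  grep -q '^-----BEGIN ' "$src" || { echo "$src: not a PEM file" >&2; return 1; }
  if pem_header "$src" path >/dev/null; then
    echo "$src: already has a path header, refusing to add a second one" >&2
    return 1
  fi
  awk -v keyid="$keyid" -v role="$role" '
    /^-----BEGIN / { print; print "path: " keyid; print "role: " role; inhdr = 1; next }
    inhdr && /^[A-Za-z-]+: / { print; next }       # keep headers already present
    inhdr { inhdr = 0; if ($0 != "") print "" }    # one blank line before the body
    { print }
  ' "$src" > "$out"
}

# Usage (key ID c586919 is the one from the session above, used as a sample):
#   sh add_headers.sh delegation-key.pem c586919 targets/releases delegation-import.pem
#   notary key import delegation-import.pem
if [ "$#" -eq 4 ]; then
  add_notary_headers "$@"
fi
```

The script never touches the base64 body, so a wrong key ID in the path header simply lands the key in the wrong place in the key store rather than corrupting it; check the value against notary delegation list before importing.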

@directionless I use the docker trust cli in most cases, which has fewer features, but is simpler.

Also, here is a blog I wrote on docker content trust, which uses notary in its implementation. https://marcofranssen.nl/signing-docker-images-using-docker-content-trust/

With regards to creating keys, one can also use openssl to do it from the command line. Another option is to use a PKI solution which can hand out those client certificates.

Maybe you could file a PR with some improvements on that advanced_usage.md. I agree it isn't super clear for people not that acquainted with the project. IMHO lowering the threshold for adoption will gain more traction of other developers and therefore bring the project more to life.

marcofranssen · Jun 05 '20 13:06