
`notation policy init` command is necessary for user experiences

Open patrickzheng200 opened this issue 1 year ago • 2 comments

What are the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

In version 1.0.0-rc.4, notation policy only supports import and show. Thus, to use notation CLI for artifact verification, a beginner has to follow the workflow below:

  1. Search for an example of notation trust policy either from specs or online docs.
  2. Create a trust policy file, copy and paste the example they found from step 1 into it.
  3. Change the values of the trust policy based on the user's needs.
  4. Call notation policy import <path-of-the-file-from-step3> to actually configure Notation's trust policy. Errors are highly likely because steps 1~3 are completed manually by the user.
  5. Set up trust store based on trust policy with notation cert add.
  6. Finally start doing verification with notation verify.

The workflow above is not user-friendly and is error-prone. IMO, the learning cost for a new user of Notation is too high.

What solution do you propose?

Introduce a notation policy init command. The command should prompt step by step, with a detailed description of each field of the trust policy, and ask the user to type in values accordingly. On success, the command gathers the answers from the user and configures Notation's trust policy within a single command. For example,

provide "name" of your trust policy statement [Required]: <user-input>
provide "registryScopes" of your trust policy statement, it is an array of fully qualified repository URIs of the artifacts, valid examples "["registry.hello-world.io/software/hello-world"]", "["*"]" [Required]: <user-input>
...

Now, the workflow for a beginner using Notation verification becomes:

  1. Call notation policy init
  2. Call notation cert add
  3. Call notation verify
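To make the proposal concrete, here is an added sketch (not notation's own code) of the answer-gathering and validation logic such a command could run. The field names follow the Notary Project trust policy document; the prompt wording, the repository-URI pattern and the `ask` callback are assumptions made for this example.

```python
import json
import re
from typing import Callable

# Field names (version, trustPolicies, name, registryScopes, signatureVerification,
# trustStores, trustedIdentities) follow the Notary Project trust policy document;
# the prompts and validation rules below are constructed for this example.
LEVELS = {"strict", "permissive", "audit", "skip"}
# Registry host (optional port) followed by at least one path segment; no wildcards.
REPO_URI = re.compile(r"^[a-z0-9.\-]+(:\d+)?(/[a-z0-9._\-]+)+$")


def split_list(raw: str) -> list[str]:
    """Turn a comma-separated answer into a list, dropping blanks."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def parse_registry_scopes(raw: str) -> list[str]:
    """Accept either "*" alone or a list of fully qualified repository URIs."""
    scopes = split_list(raw)
    if not scopes:
        raise ValueError("registryScopes is required")
    if "*" in scopes:
        if len(scopes) != 1:
            raise ValueError('"*" cannot be combined with other registryScopes')
        return scopes
    for scope in scopes:
        if not REPO_URI.match(scope):
            raise ValueError(f"not a fully qualified repository URI: {scope!r}")
    return scopes


def build_trust_policy(ask: Callable[[str], str]) -> dict:
    """Gather answers for one trust policy statement via `ask` and return the document."""
    name = ask('provide "name" of your trust policy statement [Required]: ').strip()
    if not name:
        raise ValueError("name is required")
    scopes = parse_registry_scopes(ask('provide "registryScopes" ("*" or comma-separated repository URIs) [Required]: '))
    level = ask("provide verification level (strict/permissive/audit/skip) [default strict]: ").strip() or "strict"
    if level not in LEVELS:
        raise ValueError(f"unknown signatureVerification level: {level!r}")
    statement = {"name": name, "registryScopes": scopes, "signatureVerification": {"level": level}}
    if level != "skip":  # "skip" needs neither trust stores nor trusted identities
        stores = split_list(ask('provide "trustStores", e.g. ca:myca (comma-separated) [Required]: '))
        identities = split_list(ask('provide "trustedIdentities", "*" or x509.subject values [Required]: '))
        if not stores or not identities:
            raise ValueError("trustStores and trustedIdentities are required unless level is skip")
        statement.update(trustStores=stores, trustedIdentities=identities)
    return {"version": "1.0", "trustPolicies": [statement]}


if __name__ == "__main__":  # interactive use: answers come from stdin
    print(json.dumps(build_trust_policy(input), indent=2))
```

Writing the returned document to trustpolicy.json is what the existing notation policy import step would then consume.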

What alternatives have you considered?

An alternative could be: notation policy init creates a default trustpolicy.json for the user. If the user needs a more formal trust policy configuration, they could then run notation policy show, change the trust policy fields, and run notation policy import to update the default trustpolicy.json.

Any additional context?

No response

patrickzheng200 Apr 27 '23 05:04