Notary key rotate should take key ID/file #1118

Open
endophage opened this issue Mar 20, 2017 · 2 comments

endophage commented Mar 20, 2017

Currently notary key rotate always generates keys for you. For local keys, we should allow a key ID (of a key already existing in the key storage), or a key file (in the same format as import accepts) to be provided.

There can (should?) be separate flags for an ID vs a file. It might also be useful and to some degree future proofing to allow multiple IDs/files (in any combination) to be provided. For now all the keys would be added as signing keys with a threshold of 1. In the future, key rotate could also take a threshold flag.

@endophage endophage modified the milestone: 0.6.0 Mar 21, 2017

cyc115 commented May 1, 2017

Hi @endophage, good idea. We are thinking about working on this feature. Currently notary init has a flag `--rootkey path/to/key.key` implemented, allowing a root key to be specified during initialization. A similar flag for key rotate could be desirable. Additionally, a `--rootcert` flag could also be useful in specifying the path to the certificate corresponding to the key.

endophage commented May 1, 2017 via email

cyc115 pushed a commit to cyc115/notary that referenced this issue Oct 10, 2017
This will allow a user to rotate a repository's root key to a pinned trust, making trust pinning more useful.

- add `--rootcert` flag to key rotation
- add `-y` flag to key rotate to allow auto-confirmation of rotating root keys (no user interaction required)
- allow mismatched key-certificate pair to be provided.

an example usage would be : The PR includes the following:
`notary key rotate [GUN] root --key path/to/key.key --rootcert path/to/rootcert.pem`

related issues: notaryproject#1144, notaryproject#1118, notaryproject#731

Signed-off-by: Chen Yuechuan-XJQW46 <[email protected]>
endophage pushed a commit to cyc115/notary that referenced this issue Oct 26, 2017
This will allow a user to rotate a repository's root key to a pinned trust, making trust pinning more useful.

- add `--rootcert` flag to key rotation
- add `-y` flag to key rotate to allow auto-confirmation of rotating root keys (no user interaction required)
- allow mismatched key-certificate pair to be provided.

an example usage would be : The PR includes the following:
`notary key rotate [GUN] root --key path/to/key.key --rootcert path/to/rootcert.pem`

related issues: notaryproject#1144, notaryproject#1118, notaryproject#731

Signed-off-by: Chen Yuechuan-XJQW46 <[email protected]>