Add command to download/export certificates from Trusted Signing #732
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Extract a base class from the `TrustedSigningCommand` so in future commits we can share the options for the account, endpoint, etc between other Trusted Signing commands.
Add new 'export' component that can export a certificate to a file on disk from a certificate provider.
Add an implementation for the export certificate command for Trusted Signing.
mjcheetham
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a new command
exportto the CLI that allows users to export a certificate (the public parts) from, initially, just the Trusted Signing service to a file on disk. This is particularly useful for users who need a copy of the latest Trusted Signing certificate to upload to a third-party service such as NuGet.org to allow verification of the signed packages that are published there.This pull request is organised in three commits that can be reviewed individually and are as follows:
Extract a base class from the
TrustedSigningCommandto allow sharing of options for Trusted Signing account info.Add
(I)Exporterthat can export a certificate to a file on disk from a certificate provider.Add an implementation for the export certificate command for Trusted Signing.
Open questions
In this implementation, the
exportcommand is separate from thecode(sign)process, meaning the actual certificate downloaded may end up being different from the one used to sign if the service has rotated certificates in the gap between. Should we consider adding a flag to thecodecommand to allow exporting the certificate at the same time as signing? (see alternative implementations below!!)Should we consider adding a
--forceflag to theexportcommand to overwrite the file if it already exists?Should we consider adding a
--formatflag to theexportcommand to allow exporting the certificate in different formats (e.g. PEM, DER, etc)?Does this make sense for other services that provide certificates, or is this only applicable to Trusted Signing?
Alternative implementations
--certificate-export-pathoption rather than adding a newexportcommandAdd option to download/export certificates from Trusted Signing #734