Add command to download/export certificates from Trusted Signing #732
Add a new command `export` to the CLI that allows users to export a certificate (the public parts) from, initially, just the Trusted Signing service to a file on disk. This is particularly useful for users who need a copy of the latest Trusted Signing certificate to upload to a third-party service such as NuGet.org to allow verification of the signed packages that are published there.
This pull request is organised in three commits that can be reviewed individually and are as follows:
1. Extract a base class from the `TrustedSigningCommand` to allow sharing of options for Trusted Signing account info.
2. Add `(I)Exporter` that can export a certificate to a file on disk from a certificate provider.
3. Add an implementation for the export certificate command for Trusted Signing.
Open questions
- In this implementation, the `export` command is separate from the `code` (sign) process, meaning the actual certificate downloaded may end up being different from the one used to sign if the service has rotated certificates in the gap between. Should we consider adding a flag to the `code` command to allow exporting the certificate at the same time as signing? (see alternative implementations below!!)
- Should we consider adding a `--force` flag to the `export` command to overwrite the file if it already exists?
- Should we consider adding a `--format` flag to the `export` command to allow exporting the certificate in different formats (e.g. PEM, DER, etc)?
- Does this make sense for other services that provide certificates, or is this only applicable to Trusted Signing?
Alternative implementations
- `--certificate-export-path` option rather than adding a new `export` command: Add option to download/export certificates from Trusted Signing #734
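The open questions above (overwrite behaviour, output format, and a certificate rotated between export and signing) can be seen in a short C# sketch. This is an added example, not code from this pull request: `CertificateExport`, `Format`, `Write` and the self-signed certificates are hypothetical or constructed, and it assumes .NET 7 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public enum Format { Der, Pem }   // hypothetical counterpart of a --format flag

public static class CertificateExport   // hypothetical helper, not the PR's exporter
{
    // Writes only the public certificate and returns its SHA-256 fingerprint.
    // Without force, FileMode.CreateNew fails with IOException if the file exists.
    public static string Write(X509Certificate2 cert, string path, Format format, bool force)
    {
        byte[] bytes = format == Format.Pem
            ? Encoding.ASCII.GetBytes(cert.ExportCertificatePem())  // .NET 7+
            : cert.Export(X509ContentType.Cert);                    // DER, no private key
        using var file = new FileStream(path, force ? FileMode.Create : FileMode.CreateNew, FileAccess.Write);
        file.Write(bytes, 0, bytes.Length);
        return cert.GetCertHashString(HashAlgorithmName.SHA256);
    }
}

public static class Program
{
    // Constructed stand-in for a certificate issued by a signing service.
    static X509Certificate2 Issue(string commonName)
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest($"CN={commonName}", key, HashAlgorithmName.SHA256);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(3));
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "exported-example.pem");
        File.Delete(path);
        using var exported = Issue("constructed certificate A");
        using var usedToSign = Issue("constructed certificate B"); // simulates rotation before signing

        CertificateExport.Write(exported, path, Format.Pem, force: false);
        try { CertificateExport.Write(usedToSign, path, Format.Pem, force: false); }
        catch (IOException) { Console.WriteLine("existing file kept: overwrite requires force"); }

        // Reload what is on disk and compare it with the certificate that actually signed.
        using var onDisk = X509Certificate2.CreateFromPem(File.ReadAllText(path));
        bool match = onDisk.GetCertHashString(HashAlgorithmName.SHA256)
                     == usedToSign.GetCertHashString(HashAlgorithmName.SHA256);
        Console.WriteLine(match ? "fingerprints match" : "mismatch: exported certificate is not the signer");
    }
}
```

Comparing the fingerprint of the exported file with the signer certificate of a freshly signed artifact before uploading it to a verifier is one way to catch the rotation gap described in the first open question.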