Support using signing key from GitHub Encrypted Secret #905

Open
FeynmanZhou opened this issue Sep 20, 2023 · 6 comments
Labels
enhancement New feature or request Stale
Milestone

Comments

@FeynmanZhou
Member

FeynmanZhou commented Sep 20, 2023

Signing an image with Notation GitHub Actions relies on a vendor-specific plugin such as the AWS Signer plugin for Notation, Azure Key Vault for Notation, or the HashiCorp Vault plugin. This is a production solution for users to keep the private signing keys secure enough.

However, OSS project maintainers come from different vendors and might not be reluctant to use a vendor-specific plugin in their GHA workflow and release process.

In addition, when users get started with Notation GitHub Actions, they might have limited access to a KMS or be unable to use one. Instead, they may want to load a private key from the GitHub Encrypted Secret for convenience.

There was a discussion and related feature request in the Slack channel.

Signing with a private key loaded from the GitHub secret could be helpful in this scenario. But we need to investigate whether the GitHub encrypted secret is secure enough to store private keys.

To make the Notation GHA signing experience easier, I would suggest supporting signing with a private key loaded from GitHub Encrypted Secret.

This will make Notation a good solution for securing open-source projects. Open-source project maintainers can easily sign their release binary assets in their release workflow with Notation GitHub Actions.

@FeynmanZhou FeynmanZhou added the enhancement New feature or request label Sep 20, 2023
@jeremyrickard
Contributor

I think this would be really useful if OSS projects are a target for Notation. The requirement to have infrastructure in AWS or Azure is a pretty high bar for smaller projects, even in the CNCF ecosystem.

@FeynmanZhou
Member Author

Agree with @jeremyrickard. There is a tradeoff between security and usability that we will need to consider. Are you able to join the Notary Project meeting to discuss this issue?

@FeynmanZhou FeynmanZhou changed the title Support using signing key from GitHub secret Support using signing key from GitHub Encrypted Secret Mar 6, 2024
@FeynmanZhou FeynmanZhou transferred this issue from notaryproject/notation-action Mar 7, 2024

github-actions bot commented May 8, 2024

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

@github-actions github-actions bot added the Stale label May 8, 2024

github-actions bot commented Jun 7, 2024

Issue closed due to no activity in the past 30 days.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 7, 2024
@akashsinghal

@FeynmanZhou is there any update on prioritizing this? The Ratify project is looking to enable signing on image assets published to ghcr. It looks like current support will require us to maintain a private key in Azure Key Vault. It's OK for Ratify since we already have existing Azure pipeline support; however, I think it's a barrier to adoption for smaller projects. Getting GH secret support would be best.

@FeynmanZhou FeynmanZhou added this to the Future milestone Jun 10, 2024
@FeynmanZhou FeynmanZhou reopened this Jun 10, 2024
@FeynmanZhou
Member Author

@akashsinghal I will bring this topic to the Notary Project community meeting on Jun 17. Feel free to join if it is convenient for you.

Projects
Status: In Progress
Development

No branches or pull requests

3 participants