Customize the Notation configuration file

How to customize Notation configuration on different OS platforms

This guide demonstrates how to customize the Notation system configuration in config.json and the signing key configuration in signingkeys.json. Notation has default system settings and a default signing key configuration, so you don't need to create or modify these files unless you want to customize them.

Location

The location of the configuration file config.json differs per operating system. signingkeys.json is generated and stored in the same directory as config.json. You can use the Notation CLI or libraries to alter locations through the XDG_CONFIG_HOME environment variable.

Linux

config.json should be manually created and placed in ~/.config/notation/config.json.

Windows

config.json should be manually created and placed in ~/AppData/Roaming/notation/config.json.

Darwin / macOS

config.json should be manually created and placed in ~/Library/Application Support/notation/config.json.

Sample of config.json

You can follow the example below to customize the Notation configuration in config.json:

{
    "credsStore": "pass",
    "credHelpers": {
        "registry.io": "pass"
    },
    "signatureFormat": "jws",
    "insecureRegistries": [
        "registry.wabbit-networks.io"
    ]
}

This table explains the properties in config.json.

| Property | Type | Value |
| --- | --- | --- |
| credsStore | string | default trust store name. Notation will read the configuration from Docker Credential Store by default unless you configure this field in config.json |
| credHelpers | string | a registry host name address to trust store name map. Notation will read the configuration from Docker Credential Store by default unless you configure this field in config.json |
| signatureFormat | string | defines the signature envelope format; supports jws or cose |
| insecureRegistries | array | a list of registries that may be used without https |

Sample of signingkeys.json

Users only need to interact with the notation key command, which generates and updates the signingkeys.json file. An example of a generated signingkeys.json is shown below.

{
    "default": "wabbit-networks",
    "keys": [
        {
            "name": "wabbit-networks",
            "id": "some-remote-key-id",
            "pluginName": "io.cncf.notary.v2.some.plugin"
        },
        {
            "name": "import.acme-rockets",
            "keyPath": "/home/demo/.config/notation/localkeys/import.acme-rockets.key",
            "certPath": "/home/demo/.config/notation/localkeys/import.acme-rockets.crt"
        }
    ]
}

This table explains the properties in signingkeys.json.

| Property | Type | Value |
| --- | --- | --- |
| signingKeys.default | string | signing key to be used when notation sign is called without --name |
| signingKeys.keys | array | collection of signing keys |
| key.name | string | named reference to a key |
| key.id | string | identifier of remote key |
| key.pluginName | string | name of plugin that should be used for signing |
| key.keyPath | string | location by which the key can be found by the notation cli or notation libraries |
| key.certPath | string | location by which the paired certificate can be found by the notation cli or notation libraries |
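
The following is an added example, not part of the Notation project or its documentation: a small audit of parsed config.json and signingkeys.json content that reports every registry allowed without https, an unsupported signatureFormat, a default key that no entry defines, and key entries that are incomplete. The function names, the sample input and the rule that each key entry is either remote (id plus pluginName) or local (keyPath plus certPath) are assumptions drawn from the samples and tables above.

```python
import json

ALLOWED_FORMATS = {"jws", "cose"}  # the two envelope formats the page lists

# Constructed sample input, adapted from the samples on this page.
SAMPLE_CONFIG = """{"signatureFormat": "jws",
  "insecureRegistries": ["registry.wabbit-networks.io"]}"""
SAMPLE_KEYS = """{"default": "wabbit-networks", "keys": [
  {"name": "wabbit-networks", "id": "some-remote-key-id",
   "pluginName": "io.cncf.notary.v2.some.plugin"},
  {"name": "import.acme-rockets",
   "keyPath": "/home/demo/.config/notation/localkeys/import.acme-rockets.key"}]}"""

def audit_config(config):
    """Return a list of findings for a parsed config.json."""
    findings = []
    fmt = config.get("signatureFormat")
    if fmt is not None and fmt not in ALLOWED_FORMATS:
        findings.append(f"signatureFormat {fmt!r} is not jws or cose")
    # Every entry here is a registry that may be used without https.
    for host in config.get("insecureRegistries", []):
        findings.append(f"registry {host} may be used without https")
    return findings

def audit_signing_keys(doc):
    """Return a list of findings for a parsed signingkeys.json."""
    findings = []
    keys = doc.get("keys", [])
    names = [k.get("name") for k in keys]
    default = doc.get("default")
    if default is not None and default not in names:
        findings.append(f"default key {default!r} is not in keys")
    for key in keys:
        # Assumption: an entry carries exactly one complete pair, either
        # id + pluginName (remote key) or keyPath + certPath (local key).
        remote = "id" in key and "pluginName" in key
        local = "keyPath" in key and "certPath" in key
        if remote == local:
            findings.append(f"key {key.get('name')!r} needs exactly one of "
                            "id+pluginName or keyPath+certPath")
    return findings

if __name__ == "__main__":
    results = audit_config(json.loads(SAMPLE_CONFIG))
    results += audit_signing_keys(json.loads(SAMPLE_KEYS))
    for line in results:
        print(line)
```
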